On Mon, 2006-05-15 at 08:31 +0200, Jeroen van Wolffelaar wrote: > On Wed, May 03, 2006 at 10:56:33AM +0200, Thijs Kinkhorst wrote: > > Thanks for the report. While I think that people who are admin can > > already do a lot of damage and should hence be considered trusted, > > executing php code is a step further in permissions and thus this can be > > considered a security issue. I will look into a fix soon. > > Patch (untested): > > --- phpBB2/viewtopic.php 2005-10-31 08:32:37.000000000 +0100 > +++ phpBB2/viewtopic.php 2006-05-15 08:25:12.000000000 +0200 > @@ -1105,6 +1105,12 @@ > { > // This was shamelessly 'borrowed' from volker at > multiartstudio dot de > // via php.net's annotated manual > + > + // First, defuse fontcolor3, as it'd otherwise be arbitrary > code execution > + if (!eregi("^[0-9a-f]+$", $theme['fontcolor3'])) { > + $theme['fontcolor3'] = 'FFA34F'; > + } > + > $message = str_replace('\"', '"', > substr(@preg_replace('#(\>(((?>([^><]+|(?R)))*)\<))#se', > "@preg_replace('#\b(" . str_replace('\\', '\\\\', > addslashes($highlight_match)) . ")\b#i', '<span style=\"color:#" . > $theme['fontcolor3'] . "\"><b>\\\\1</b></span>', '\\0')", '>' . $message . > '<'), 1, -1)); > } >
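Review bot: the whitelist added by `if (!eregi("^[0-9a-f]+$", $theme['fontcolor3']))` neutralises the injection for this one value, but the underlying hazard is visible in the unchanged context lines: `@preg_replace('#(...)#se', ...)` uses the `e` modifier, so its replacement string is evaluated as PHP, and that string is still assembled by interpolating `$theme['fontcolor3']` and `addslashes($highlight_match)`. As a follow-up, replacing the `#se` call with `preg_replace_callback` would remove the eval step altogether, so no interpolated value could become code regardless of how it is filtered. Two smaller points on the hunk itself: the pattern accepts any number of hex digits, whereas the `color:#...` CSS property expects 3 or 6, so `^([0-9a-f]{3}|[0-9a-f]{6})$` would be tighter; and the hardcoded fallback `'FFA34F'` deserves a comment saying where that value comes from, so a later maintainer knows it is the intended default rather than an arbitrary constant.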
I've tested this patch on both testing and production boards, and it works, so it's now committed to the sarge branch. If the security team agrees that this warrants an advisory, we're all set for that; the only thing is that Jeroen needs to build some packages out of the current branch, but I think he's quite capable of that :)

Security team: please review the problem at hand and the proposed patch. If ok, then Jeroen will supply you with updated packages a.s.a.p.

W.r.t. unstable, I will look into that very soon; we'll need to be upgrading to a new upstream as well. I'll check whether that can be done in the short term, if not, I'll prepare a patched package.

Thijs