ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerablity

Xin LI delphij at frontfree.net
Sat May 1 17:20:18 UTC 2004 

>Number:         66150
>Category:       ports
>Synopsis:       [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerablity
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 01 10:20:17 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Xin LI
>Release:        FreeBSD 5.2-CURRENT i386
>Organization:
The FreeBSD Simplified Chinese Project
>Environment:
System: FreeBSD beastie.frontfree.net 5.2-CURRENT FreeBSD 5.2-CURRENT #33: Mon Apr 26 15:10:21 CST 2004 delphij at beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386


>Description:
	There is an IP spoofing vulnerablity exists in phpBB (up to and
including the latest 2.0.8a) as described here:

	http://www.vuxml.org/freebsd/cfe17ca6-6858-4805-ba1d-a60a61ec9b4d.html

	The attached patch pulled fixes obtained from phpBB's CVS repository.

	This is a good candidate for upcoming 4.10-RELEASE's ports collection.
If it is considered to be appropriate, please slip the tag as well.
>How-To-Repeat:
>Fix:
	Apply the attached patch against the ports tree:

--- patch-phpbb begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- Makefile	30 Mar 2004 21:33:25 -0000	1.22
+++ Makefile	1 May 2004 16:50:03 -0000
@@ -7,7 +7,7 @@
 
 PORTNAME=	phpbb
 PORTVERSION=	2.0.8
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
Index: files/patch-common.php
===================================================================
RCS file: files/patch-common.php
diff -N files/patch-common.php
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ files/patch-common.php	1 May 2004 16:51:23 -0000
@@ -0,0 +1,104 @@
+--- common.php:1.74.2.10	Wed Jun  4 10:41:39 2003
++++ common.php	Wed Apr 21 05:18:02 2004
+@@ -6,8 +6,7 @@
+  *   copyright            : (C) 2001 The phpBB Group
+  *   email                : support at phpbb.com
+  *
+- *   $Id: common.php,v 1.74.2.10 2003/06/04 17:41:39 acydburn Exp $
+- *
++ *   $Id: common.php,v 1.74.2.11 2004/04/21 12:18:02 psotfx Exp $
+  *
+  ***************************************************************************/
+ 
+@@ -25,9 +24,44 @@
+ 	die("Hacking attempt");
+ }
+ 
++//
++function unset_vars(&$var)
++{
++	while (list($var_name, $null) = @each($var))
++	{
++		unset($GLOBALS[$var_name]);
++	}
++	return;
++}
++
++//
+ error_reporting  (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
+ set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
+ 
++$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';
++
++// Unset globally registered vars - PHP5 ... hhmmm
++if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
++{
++	$var_prefix = (phpversion() >= '4.3.0') ? '' : 'HTTP';
++	$var_suffix = (phpversion() >= '4.3.0') ? '' : '_VARS';
++
++	if(is_array(${$var_prefix . '_GET' . $var_suffix}))
++	{
++		unset_vars(${$var_prefix . '_GET' . $var_suffix});
++	}
++
++	if(is_array(${$var_prefix . '_POST' . $var_suffix}))
++	{
++		unset_vars(${$var_prefix . '_POST' . $var_suffix});
++	}
++
++	if(is_array(${$var_prefix . '_COOKIE' . $var_suffix}))
++	{
++		unset_vars(${$var_prefix . '_COOKIE' . $var_suffix});
++	}
++}
++
+ //
+ // addslashes to vars if magic_quotes_gpc is off
+ // this is a security precaution to prevent someone
+@@ -106,6 +140,7 @@
+ $theme = array();
+ $images = array();
+ $lang = array();
++$nav_links = array();
+ $gen_simple_header = FALSE;
+ 
+ include($phpbb_root_path . 'config.'.$phpEx);
+@@ -126,32 +161,12 @@
+ //
+ // Obtain and encode users IP
+ //
+-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
+-{
+-	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-
+-	$entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
+-	reset($entries);
+-	while (list(, $entry) = each($entries)) 
+-	{
+-		$entry = trim($entry);
+-		if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
+-		{
+-			$private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
+-			$found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
+-
+-			if ($client_ip != $found_ip)
+-			{
+-				$client_ip = $found_ip;
+-				break;
+-			}
+-		}
+-	}
+-}
+-else
+-{
+-	$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-}
++// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
++// private range IP's appearing instead of the guilty routable IP, tough, don't
++// even bother complaining ... go scream and shout at the idiots out there who feel
++// "clever" is doing harm rather than good ... karma is a great thing ... :)
++//
++$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+ $user_ip = encode_ip($client_ip);
+ 
+ //
--- patch-phpbb ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list