ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
Xin LI
delphij at frontfree.net
Sat May 1 17:20:18 UTC 2004
>Number: 66150
>Category: ports
>Synopsis: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sat May 01 10:20:17 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Xin LI
>Release: FreeBSD 5.2-CURRENT i386
>Organization:
The FreeBSD Simplified Chinese Project
>Environment:
System: FreeBSD beastie.frontfree.net 5.2-CURRENT FreeBSD 5.2-CURRENT #33: Mon Apr 26 15:10:21 CST 2004 delphij at beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386
>Description:
There is an IP spoofing vulnerability in phpBB (up to and
including the latest 2.0.8a) as described here:
http://www.vuxml.org/freebsd/cfe17ca6-6858-4805-ba1d-a60a61ec9b4d.html
The attached patch pulled fixes obtained from phpBB's CVS repository.
This is a good candidate for upcoming 4.10-RELEASE's ports collection.
If it is considered to be appropriate, please slip the tag as well.
>How-To-Repeat:
>Fix:
Apply the attached patch against the ports tree:
--- patch-phpbb begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- Makefile 30 Mar 2004 21:33:25 -0000 1.22
+++ Makefile 1 May 2004 16:50:03 -0000
@@ -7,7 +7,7 @@
PORTNAME= phpbb
PORTVERSION= 2.0.8
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
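Review bot: PORTREVISION 2 -> 3 is the right bump for a change that only adds files/patch-common.php, but nothing in the Makefile hunk records which advisory the new patch addresses; add a one-line comment above PORTREVISION (or at least in the commit log) naming the VuXML entry cfe17ca6-6858-4805-ba1d-a60a61ec9b4d cited in the description, and update that entry so that phpbb 2.0.8_3 falls outside the affected range, otherwise portaudit keeps flagging the patched port.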
Index: files/patch-common.php
===================================================================
RCS file: files/patch-common.php
diff -N files/patch-common.php
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ files/patch-common.php 1 May 2004 16:51:23 -0000
@@ -0,0 +1,104 @@
+--- common.php:1.74.2.10 Wed Jun 4 10:41:39 2003
++++ common.php Wed Apr 21 05:18:02 2004
+@@ -6,8 +6,7 @@
+ * copyright : (C) 2001 The phpBB Group
+ * email : support at phpbb.com
+ *
+- * $Id: common.php,v 1.74.2.10 2003/06/04 17:41:39 acydburn Exp $
+- *
++ * $Id: common.php,v 1.74.2.11 2004/04/21 12:18:02 psotfx Exp $
+ *
+ ***************************************************************************/
+
+@@ -25,9 +24,44 @@
+ die("Hacking attempt");
+ }
+
++//
++function unset_vars(&$var)
++{
++ while (list($var_name, $null) = @each($var))
++ {
++ unset($GLOBALS[$var_name]);
++ }
++ return;
++}
++
++//
+ error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
+ set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
+
++$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';
++
++// Unset globally registered vars - PHP5 ... hhmmm
++if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
++{
++ $var_prefix = (phpversion() >= '4.3.0') ? '' : 'HTTP';
++ $var_suffix = (phpversion() >= '4.3.0') ? '' : '_VARS';
++
++ if(is_array(${$var_prefix . '_GET' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_GET' . $var_suffix});
++ }
++
++ if(is_array(${$var_prefix . '_POST' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_POST' . $var_suffix});
++ }
++
++ if(is_array(${$var_prefix . '_COOKIE' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_COOKIE' . $var_suffix});
++ }
++}
++
+ //
+ // addslashes to vars if magic_quotes_gpc is off
+ // this is a security precaution to prevent someone
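Review bot: unset_vars() walks its by-reference argument with each() and never calls reset(), so once this block has run the internal array pointer of $_GET, $_POST and $_COOKIE is left at the end and any later each() loop over them that does not reset() first sees nothing; add reset($var) before the return (or iterate over a copy). Two smaller points on the same hunk: `phpversion() >= '4.3.0'` and `@phpversion() >= '4.0.0'` are string comparisons, so version_compare() is safer where the minimum supported PHP permits it; and the cleanup only strips names taken from GET, POST and COOKIE, while register_globals also registers $_FILES, $_SERVER and $_ENV names. That matches what upstream shipped, but it is worth stating in the commit message so nobody assumes the port is register_globals-proof.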
+@@ -106,6 +140,7 @@
+ $theme = array();
+ $images = array();
+ $lang = array();
++$nav_links = array();
+ $gen_simple_header = FALSE;
+
+ include($phpbb_root_path . 'config.'.$phpEx);
+@@ -126,32 +161,12 @@
+ //
+ // Obtain and encode users IP
+ //
+-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
+-{
+- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-
+- $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
+- reset($entries);
+- while (list(, $entry) = each($entries))
+- {
+- $entry = trim($entry);
+- if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
+- {
+- $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
+- $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
+-
+- if ($client_ip != $found_ip)
+- {
+- $client_ip = $found_ip;
+- break;
+- }
+- }
+- }
+-}
+-else
+-{
+- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-}
++// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
++// private range IP's appearing instead of the guilty routable IP, tough, don't
++// even bother complaining ... go scream and shout at the idiots out there who feel
++// "clever" is doing harm rather than good ... karma is a great thing ... :)
++//
++$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+ $user_ip = encode_ip($client_ip);
+
+ //
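Review bot: dropping the HTTP_X_FORWARDED_FOR branch is the correct fix, since the header is client-supplied and the old private-range filter still let the sender pick any routable address to be recorded; the surviving bare `$REMOTE_ADDR` fallback, however, is a register_globals variable whose origin depends on the variables_order in effect, and it is reached whenever neither $HTTP_SERVER_VARS nor $HTTP_ENV_VARS carries REMOTE_ADDR. Prefer getenv('REMOTE_ADDR') there, which the removed code already used for the header, so the value can never come from request input. Also note that installations behind a reverse proxy will now log the proxy's address for every user (the upstream comment concedes this), which changes the behaviour of IP-based bans and moderation logs; say so in the commit message or a pkg-message so administrators are not surprised.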
--- patch-phpbb ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: