ITPub博客

首页 > 应用开发 > IT综合 > 修正phpBB 2.0.x两个安全漏洞 (转)

修正phpBB 2.0.x两个安全漏洞 (转)

原创 IT综合 作者:amyz 时间:2007-11-09 16:50:14 0 删除 编辑
修正phpBB 2.0.x两个安全漏洞 (转)[@more@]PHPBB开发组最近公布了phpBB 2.0.x两个安全漏洞的修正办法:

1. sql注射漏洞:
修改viewtopic.php。在
代码: if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
      $topic_id = intval($HTTP_GET_VARS['topic']);
}
之前加入:
代码: $topic_id = $post_id = false;

将以下代码:

代码: $join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
替换为:

代码: $join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";

2. styles_admin 越界访问漏洞:
修改admin/admin_styles.php。
将以下代码:

代码: //
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confiRM = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
   $no_page_header = ( $cancel ) ? TRUE : FALSE;
   require($phpbb_root_path . 'extension.inc');
   require('./pagestart.' . $phpEx);
}

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}
替换为:
代码: //
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
   redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

用户也可直接升级到phpBB 2.0.5。(hutuworm编译)

来自 “ ITPUB博客 ” ,链接:http://blog.itpub.net/10752019/viewspace-981469/,如需转载,请注明出处,否则将追究法律责任。

请登录后发表评论 登录
全部评论
  • 博文量
    3984
  • 访问量
    7338864