Message-Id: <20040501171456.0225511602@beastie.frontfree.net>
Date: Sun, 2 May 2004 01:14:56 +0800 (CST)
From: Xin LI
To: FreeBSD-gnats-submit@FreeBSD.org
cc: Kang LIU
cc: portmgr@FreeBSD.org
Subject: ports/66150: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
Reply-To: Xin LI

>Number: 66150
>Category: ports
>Synopsis: [PATCH] SECURITY UPDATE ports/www/phpbb for IP spoofing vulnerability
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sat May 01 10:20:17 PDT 2004
>Closed-Date:
>Last-Modified:
>Originator: Xin LI
>Release: FreeBSD 5.2-CURRENT i386
>Organization: The FreeBSD Simplified Chinese Project
>Environment:
System: FreeBSD beastie.frontfree.net 5.2-CURRENT FreeBSD 5.2-CURRENT #33: Mon Apr 26 15:10:21 CST 2004 delphij@beastie.frontfree.net:/usr/obj/usr/src/sys/BEASTIE i386
>Description:
An IP spoofing vulnerability exists in phpBB (up to and including the latest 2.0.8a), as described here:

http://www.vuxml.org/freebsd/cfe17ca6-6858-4805-ba1d-a60a61ec9b4d.html

The attached patch pulls in fixes obtained from phpBB's CVS repository.

This is a good candidate for the upcoming 4.10-RELEASE's ports collection. If it is considered to be appropriate, please slip the tag as well.
>How-To-Repeat:
>Fix:
Apply the attached patch against the ports tree:

--- patch-phpbb begins here --- Index: Makefile =================================================================== RCS file: /home/ncvs/ports/www/phpbb/Makefile,v retrieving revision 1.22 diff -u -r1.22 Makefile --- Makefile 30 Mar 2004 21:33:25 -0000 1.22 +++ Makefile 1 May 2004 16:50:03 -0000 
@@ -7,7 +7,7 @@ PORTNAME= phpbb PORTVERSION= 2.0.8 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} Index: files/patch-common.php =================================================================== RCS file: files/patch-common.php diff -N files/patch-common.php --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ files/patch-common.php 1 May 2004 16:51:23 -0000 
@@ -0,0 +1,104 @@ +--- common.php:1.74.2.10 Wed Jun 4 10:41:39 2003 ++++ common.php Wed Apr 21 05:18:02 2004 +@@ -6,8 +6,7 @@ + * copyright : (C) 2001 The phpBB Group + * email : support@phpbb.com + * +- * $Id: common.php,v 1.74.2.10 2003/06/04 17:41:39 acydburn Exp $ +- * ++ * $Id: common.php,v 1.74.2.11 2004/04/21 12:18:02 psotfx Exp $ + * + ***************************************************************************/ + +@@ -25,9 +24,44 @@ + die("Hacking attempt"); + } + ++// ++function unset_vars(&$var) ++{ ++ while (list($var_name, $null) = @each($var)) ++ { ++ unset($GLOBALS[$var_name]); ++ } ++ return; ++} ++ ++// + error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables + set_magic_quotes_runtime(0); // Disable magic_quotes_runtime + ++$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var'; ++ ++// Unset globally registered vars - PHP5 ... hhmmm ++if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on') ++{ ++ $var_prefix = (phpversion() >= '4.3.0') ? '' : 'HTTP'; ++ $var_suffix = (phpversion() >= '4.3.0') ? '' : '_VARS'; ++ ++ if(is_array(${$var_prefix . '_GET' . $var_suffix})) ++ { ++ unset_vars(${$var_prefix . '_GET' . $var_suffix}); ++ } ++ ++ if(is_array(${$var_prefix . '_POST' . $var_suffix})) ++ { ++ unset_vars(${$var_prefix . '_POST' . $var_suffix}); ++ } ++ ++ if(is_array(${$var_prefix . '_COOKIE' . $var_suffix})) ++ { ++ unset_vars(${$var_prefix . '_COOKIE' . $var_suffix}); ++ } ++} ++ + // + // addslashes to vars if magic_quotes_gpc is off + // this is a security precaution to prevent someone +@@ -106,6 +140,7 @@ + $theme = array(); + $images = array(); + $lang = array(); ++$nav_links = array(); + $gen_simple_header = FALSE; + + include($phpbb_root_path . 'config.'.$phpEx); +@@ -126,32 +161,12 @@ + // + // Obtain and encode users IP + // +-if( getenv('HTTP_X_FORWARDED_FOR') != '' ) +-{ +- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? 
$HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); +- +- $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR')); +- reset($entries); +- while (list(, $entry) = each($entries)) +- { +- $entry = trim($entry); +- if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) ) +- { +- $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/'); +- $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]); +- +- if ($client_ip != $found_ip) +- { +- $client_ip = $found_ip; +- break; +- } +- } +- } +-} +-else +-{ +- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); +-} ++// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as ++// private range IP's appearing instead of the guilty routable IP, tough, don't ++// even bother complaining ... go scream and shout at the idiots out there who feel ++// "clever" is doing harm rather than good ... karma is a great thing ... :) ++// ++$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR ); + $user_ip = encode_ip($client_ip); + + // --- patch-phpbb ends here --- >Release-Note: >Audit-Trail: >Unformatted:
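Review bot: the first inner hunk of files/patch-common.php (the one touching the `$Id:` line of common.php) stores expanded RCS keywords in a file that is itself committed to CVS under ports/www/phpbb/files, so keyword expansion on that file can rewrite the `$Id: ... $` strings and the hunk will then no longer match the distributed common.php. The hunk changes no code; drop it from the port patch, or commit the file with keyword expansion disabled.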
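Review bot: unset_vars() in the register_globals hunk of files/patch-common.php unsets every key name the request supplies, with no list of reserved names, so a key named after one of the arrays tested just below it (`_POST` or `HTTP_POST_VARS`, for example) removes that array before its own is_array() check runs, and the globals registered from that source are then left in place. Skip reserved names inside the loop, and consider covering the server, environment and file-upload arrays as well, since only GET, POST and COOKIE are handled here.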
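Review bot: the comment added in the last hunk of files/patch-common.php does not say why HTTP_X_FORWARDED_FOR is no longer consulted. One sentence stating that the header is client-supplied and was being used in place of REMOTE_ADDR for the value passed to encode_ip() would document the fix, alongside the existing remark about private-range addresses appearing. The retained final fallback to the bare `$REMOTE_ADDR` global still depends on register_globals, and the new unset_vars() clears it whenever a request key of that name is present; end the chain with an explicit default instead.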