RTH10260 wrote:
Foggy -- are you telling us you are running an insecure message board
(or just DMCA-insecure?)

Just DMCA-insecure. Non-nerds, you may ignore the rest of this post. For those of you who are :: helpfully :: monitoring my every move to make sure I don't screw up, I submit the following.
From the release announcement:
Quote:
We are pleased to announce the release of phpBB "Patience is a Virtue" 3.0.8. This new version is a maintenance release fixing a large number of bugs as well as improving on usability and performance. Unfortunately we have also discovered a security issue in the previous version affecting boards which have the flash BBCode enabled - it is disabled by default. On WebKit based browsers like Safari or Chrome, as well as Opera, the flash BBCode can be used to execute javascript causing a cross site scripting vulnerability.
OK, that's a bad thing. And I DID have the flash BBCode enabled, but this morning I disabled it. The release has some lines of code to insert in one of the files if you're going to continue to leave it enabled, but I'm not, so I didn't.
The release continues:
Quote:
This will not fix the problem in already existing posts. In order to scan your board for malicious posts we have created a scanning script. Simply upload it to your phpBB's root directory and access it directly. A new version of the Support Toolkit including this script as well as a tool for reparsing individual posts will be released soon. We will keep you updated.
Downloaded the script and followed the instructions for scanning the board.
Results:
Quote:
Checking post_text on phpbb_posts
No potentially dangerous flash bbcodes found.
Checking message_text on phpbb_privmsgs
No potentially dangerous flash bbcodes found.
Checking user_sig on phpbb_users
No potentially dangerous flash bbcodes found.
Checking forum_desc on phpbb_forums
No potentially dangerous flash bbcodes found.
Checking forum_rules on phpbb_forums
No potentially dangerous flash bbcodes found.
Checking group_desc on phpbb_groups
No potentially dangerous flash bbcodes found.
If potentially dangerous flash bbcodes were found, please reparse the posts using the Support Toolkit (http://www.phpbb.com/support/stk/) and/or file a ticket in the Incident Tracker (http://www.phpbb.com/incidents/).
So we're good. I'll do the upgrade on Thanksgiving, because my shop is closed. I'll disable the board while I'm doing it, so we'll be offline for a brief period.
They also released the new STK, and I'll install that after I upgrade the board.
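For anyone curious what a scan like the one quoted above actually does, here is an added Python sketch of the same idea (it is not the phpBB project's script and not part of this post). It walks the same table/column pairs the report lists, pulls out every flash BBCode, and flags any whose target is not a plain http(s) URL. The stored-BBCode layout with a per-post uid suffix (`[flash=w,h:uid]...[/flash:uid]`), the sample rows, and the `SAMPLE_TABLES` dictionary standing in for a database are all assumptions made for this example; the stored text is HTML-unescaped first because phpBB keeps post text entity-encoded, so a scanner that matched the raw bytes would miss encoded forms.

```python
import html
import re

# Constructed sample rows standing in for the tables the scanning script
# reported on. Layout [flash=w,h:uid]url[/flash:uid] is an assumption.
SAMPLE_TABLES = {
    ("phpbb_posts", "post_text"): [
        "[flash=425,350:k9q2]http://example.com/clip.swf[/flash:k9q2]",
        "plain text post with no bbcode at all",
        "[flash=1,1:k9q2]javascript:void(0)[/flash:k9q2]",
        # entity-encoded colon, as phpBB stores htmlspecialchars'd text
        "[flash=1,1:k9q2]javascript&#58;void(0)[/flash:k9q2]",
    ],
    ("phpbb_privmsgs", "message_text"): [
        "[flash=425,350:ab12]https://example.org/intro.swf[/flash:ab12]",
    ],
    ("phpbb_users", "user_sig"): [],
}

# Matches one flash BBCode, with or without the uid suffix, capturing the target.
FLASH_RE = re.compile(
    r"\[flash=(\d+),(\d+)(?::[a-z0-9]+)?\](.*?)\[/flash(?::[a-z0-9]+)?\]",
    re.IGNORECASE | re.DOTALL,
)
# Only an absolute http(s) URL with no quotes or angle brackets is considered safe.
SAFE_URL_RE = re.compile(r"^https?://[^\s\"'<>]+$", re.IGNORECASE)


def dangerous_flash_bbcodes(text):
    """Return the flash BBCode targets in text that are not plain http(s) URLs."""
    decoded = html.unescape(text)  # normalise entity-encoded characters first
    found = []
    for match in FLASH_RE.finditer(decoded):
        target = match.group(3).strip()
        if not SAFE_URL_RE.match(target):
            found.append(target)
    return found


def scan_tables(tables):
    """Scan every (table, column) and return {(table, column): [(row_id, target), ...]}."""
    report = {}
    for (table, column), rows in tables.items():
        hits = []
        for row_id, text in enumerate(rows, start=1):
            for target in dangerous_flash_bbcodes(text):
                hits.append((row_id, target))
        report[(table, column)] = hits
    return report


def format_report(report):
    """Render the scan result in the same shape as the quoted script output."""
    lines = []
    for (table, column), hits in report.items():
        lines.append(f"Checking {column} on {table}")
        if hits:
            for row_id, target in hits:
                lines.append(f"  row {row_id}: suspicious flash target {target!r}")
        else:
            lines.append("No potentially dangerous flash bbcodes found.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(scan_tables(SAMPLE_TABLES)))
```

Run as-is it reports the two suspicious rows in `phpbb_posts` and prints the familiar "No potentially dangerous flash bbcodes found." for the other columns. Flagging a row is only the first step; as the announcement says, a flagged post still has to be reparsed (or removed) because disabling the BBCode does not rewrite what is already stored.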