[41390] in bugtraq
Re: phpBB Code EXEC (v2.0.10)
daemon@ATHENA.MIT.EDU (Ron van Daal)
Mon Nov 28 18:36:08 2005
Date: Mon, 28 Nov 2005 21:35:31 +0100 (CET)
From: Ron van Daal <ronvdaal@n1x.nl>
To: deane10@sbcglobal.net
Cc: bugtraq@securityfocus.com
In-Reply-To: <20051127234715.5959.qmail@securityfocus.com>
Message-ID: <20051128213036.B85830@zarathustra.linux666.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Version 2.0.10 ??? Did you also tried the -latest- phpBB ???
This issue has been reported multiple times and finally resolved over half a year ago. The last known code-injection bug regarding the hilighting code was fixed in phpBB version 2.0.16.
Grt,
Ron
On Mon, 27 Nov 2005 deane10@sbcglobal.net wrote:
> Add these into the mod_security rules:
>
> SecFilterSelective ARG_highlight "(\x27|%27|\x2527|%2527)"
> SecFilterSelective THE_REQUEST "\x27|%27|\x2527|%2527"
>
> issue resolved...
>
