how to update all copies of phpbb in cpanel to current release
recko11 12-05-2004, 02:40 AM Seems that phpbb has a huge security risk right now.
We're looking to upgrade all copies of phpbb in cpanel to the current version.
We have about 100 or so accounts with it, is there a quick way to do this?
dollar 12-05-2004, 02:43 AM There is no quick way to do this that I know off the top of my head, do your clients want you to upgrade their forums?
recko11 12-05-2004, 02:44 AM We haven't given our clients the option to not upgrade. It's a security risk, and needs to be done.
We were just hoping for a quicker way than having to upgrade over 100 copies of the same file manually.
dollar 12-05-2004, 02:47 AM Well you might want to give them a heads-up at least. If they have any custom mods/hacks that they have written/installed it might break these and they would not be happy campers. I am not a phpBB guru, so I can't speak very well to it. I know that I personally would be very upset if my host upgraded my forums without at least warning me first. You could also go the route of letting all your clients know that they must upgrade their phpBB forums to version x.x.x within one week's time or their forums will be removed.
Techark 12-05-2004, 03:04 AM As root run this.
for i in `locate viewtopic.php`; do if grep "htmlspecialchars(urldecode" $i > /dev/null; then chmod 500 $i; echo VULNERABLE: $i; fi; done
This will disable all forums that do not have the patch. It will also give you a list of sites that are not patched. Then, if you want, you can either (A) patch them yourself one by one, (B) notify all the site owners their forum is down until they make the changes to viewtopic or upgrade, or (C) change their viewtopic.php file for them to one that you have modified and uploaded to the server by doing a
cp <location of patched file> /home/user/<location of unpatched file>
to match the list the first command gives you of ones that need to be patched.
Either way I would not wait; this exploit is getting hit left and right.
recko11 12-05-2004, 03:18 AM Can you type up a command like the first one, that will look for all infected versions, but instead just copy over them?
YUPAPA 12-05-2004, 03:30 AM You can use sed just to replace a single line in viewtopic.php instead of chmod 0500 ~ Doing a chmod 0500 takes the forum down ~ :penguin:
recko11 12-05-2004, 03:32 AM Can someone provide commands to fix these?
Techark 12-05-2004, 03:39 AM for i in `locate viewtopic.php`; do if grep "htmlspecialchars(urldecode" $i > /dev/null; then echo VULNERABLE: $i; fi; done
Will just give you a list of sites.
Techark 12-05-2004, 03:50 AM You can try this one... First patch a viewtopic.php file and place it somewhere. For instance /home
Then enter this command.
for i in `locate viewtopic.php`; do if grep "htmlspecialchars(urldecode" $i > /dev/null; then cp -f /home/viewtopic.php $i; echo VULNERABLE: $i; fi; done
Note: if this messes up your customers' forums you are on your own; I do not warrant it to work or be free from defects.
I have tested on a test server and it did work, but that is as far as I stick my neck out.
9XNet 12-08-2004, 10:43 PM My admin installed a script that updated all phpbb installs... I'll ask him when I talk to him later what it is and get a link to it, but it worked great. Our server was attacked from it and got unplugged for about an hour because of the bug.
genxweb 12-09-2004, 04:06 PM Originally posted by Techark
for i in `locate viewtopic.php`; do if grep "htmlspecialchars(urldecode" $i > /dev/null; then echo VULNERABLE: $i; fi; done
Will just give you a list of sites.
Hum, seems to report false positives. I have a board I installed the patch on and it says it is still vuln. For my sanity's sake I checked again; it was patched.
Maybe it is detecting something else in there. I have the quick reply mod installed with it.
Techark 12-11-2004, 06:35 AM I have tested it again on different servers by placing a bad file and then patching and it detects it while bad and doesn't when patched. So maybe there is something in your mod.
RaComNet 12-11-2004, 07:13 AM I upgraded the phpBB with an update from linux console, and it worked great. For one of my customers I upgraded from Cpanel, and :angry: it changed the forum to the default template :mad: . Next time I will think twice before upgrading from Cpanel :mad:
Zentity 12-11-2004, 07:52 AM This should replace the bad code as needed, I think this is the only change to viewtopic.php required, but it would pay to check.
#!/bin/sh
for i in `locate viewtopic.php`
do
if grep "htmlspecialchars(urldecode" $i > /dev/null; then
echo $i >> vulnerable_phpbbs
/usr/bin/replace 'trim(htmlspecialchars(urldecode(' 'trim(htmlspecialchars(' -- $i
fi
done
Finding viewtopic.php and replacing 'trim(htmlspecialchars(urldecode(' with 'trim(htmlspecialchars('
brianoz 12-11-2004, 08:05 AM Won't you end up with an extra closing parenthesis after that? I don't know anything about this, but it looks to me like you have 3 ('s in the old code and 2 ('s in the replacement code!
0utlier 12-11-2004, 10:22 PM Originally posted by Zentity
This should replace the bad code as needed, I think this is the only change to viewtopic.php required, but it would pay to check.
#!/bin/sh
for i in `locate viewtopic.php`
do
if grep "htmlspecialchars(urldecode" $i > /dev/null; then
echo $i >> vulnerable_phpbbs
/usr/bin/replace 'trim(htmlspecialchars(urldecode(' 'trim(htmlspecialchars(' -- $i
fi
done
Finding viewtopic.php and replacing 'trim(htmlspecialchars(urldecode(' with 'trim(htmlspecialchars('
Parse error: parse error, unexpected ')' in /home/username/public_html/dev/forum/viewtopic.php on line 481
If you run the above code you will get this error in viewtopic.php after the above code "patches" viewtopic.php. Use at your own risk.
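Added example, not part of any post in this thread: a shell sketch of the in-place fix that removes "urldecode(" together with its matching closing parenthesis, which avoids the imbalance brianoz points out and the parse error reported above. The function names, the ".prepatch" backup suffix and the use of find are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from any post in the thread.
PATTERN='htmlspecialchars(urldecode('   # the string the thread greps for

# paren_delta FILE: prints (number of "(") minus (number of ")") in FILE
paren_delta() {
    o=$(tr -cd '(' < "$1" | wc -c)
    c=$(tr -cd ')' < "$1" | wc -c)
    echo $((o - c))
}

# patch_viewtopic FILE
# returns 0 = patched, 1 = pattern absent, 2 = left untouched for manual review
patch_viewtopic() {
    f=$1
    grep -qF "$PATTERN" "$f" || return 1
    tmp=$(mktemp) || return 2
    # Drop "urldecode(" together with the ")" that closes it. The argument
    # must be paren-free, so the first ")" after it is the matching one.
    sed 's/htmlspecialchars(urldecode(\([^()]*\))/htmlspecialchars(\1/g' "$f" > "$tmp"
    # Install only if the call is gone and the paren balance is unchanged.
    if grep -qF "$PATTERN" "$tmp" ||
       [ "$(paren_delta "$f")" -ne "$(paren_delta "$tmp")" ]; then
        rm -f "$tmp"
        return 2
    fi
    cp -p "$f" "$f.prepatch" &&   # keep the original for rollback
        cat "$tmp" > "$f"         # overwrite in place: owner and mode stay
    st=$?
    rm -f "$tmp"
    [ "$st" -eq 0 ] || return 2
}

# patch_tree DIR: walk DIR with find instead of relying on the locate database
patch_tree() {
    find "$1" -type f -name viewtopic.php | while IFS= read -r f; do
        rc=0
        patch_viewtopic "$f" || rc=$?
        case $rc in
            0) echo "PATCHED: $f" ;;
            2) echo "NEEDS MANUAL REVIEW: $f" ;;
        esac
    done
}
```

Files where the argument of urldecode itself contains parentheses are reported for manual review rather than edited, since the simple sed expression cannot pair the parentheses safely there.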
Roy@ENHOST 12-12-2004, 01:00 AM Yupapa, your phpbb is version 2.0.4. Time to upgrade.
:D
Originally posted by YUPAPA
You can use sed just to replace a single line in viewtopic.php instead of chmod 0500 ~ Doing a chmod 0500 takes the forum down ~ :penguin:
Stobe 01-05-2005, 12:47 PM Originally posted by Techark
for i in `locate viewtopic.php`; do if grep "htmlspecialchars(urldecode" $i > /dev/null; then echo VULNERABLE: $i; fi; done
Will just give you a list of sites.
Am I typing something wrong? I run this line from the /home dir and get this error:
grep: locate: No such file or directory
grep: viewtopic.php: No such file or directory
-Stobe
RH Robert 01-05-2005, 01:12 PM Why not use the tools built in to WHM? If you have a later version of cpanel, go to the cpanel version subsection, choose Addon Modules, check addonupdates, save it, go to Addon subsection, choose addon script manager, and you can search for outdated installs server wide for several different scripts, including phpbb, and choose to upgrade them all, or singularly.
sprintserve 01-05-2005, 03:12 PM Originally posted by Roy@ENHOST
Yupapa, your phpbb is version 2.0.4. Time to upgrade.
:D
I sometimes upgrade the board without upgrading the version number in the DB. Just being naughty and wanting to waste the time of those trying to be funny :) Not sure if it is the case here.
YUPAPA 01-05-2005, 03:38 PM Originally posted by Roy@ENHOST
Yupapa, your phpbb is version 2.0.4. Time to upgrade.
:D
I patched the viewtopic.php even though it was still showing 2.0.4
Then, I upgraded the entire BBS in late December ~ :fairy: