 Due to two new discovered vulnerabilities and the release of phpBB 2.0.11 a new attachment mod version has been released.
Please update your Attachment Mod to version 2.3.11 as soon as possible. You are able to use the changed files only package, if you haven't modified any attachment mod files or the patch file package if you are familiar with patch files. For all others the normal package should be sufficient. Please read the provided documentation.
This Mod adds the ability to attach files in phpBB2.
This Version will NOT work with phpBB2 Modules designed for *Nuke Portals. Those working with *Nuke Portals are ports and will be not supported here.
Changes since Version 2.3.10:
* fixed bug in GD/Imagick-Detection (on some installations thumbnailing images did not work)
* Added mysql index to attachment table for larger boards
* updated pre-edited files to be compatible with phpBB 2.0.11
* changed order of uploading files, resulting in hopefully getting the correct filesizes if the server does not allow file access outside the working directory
* added check for config table constant to update script
* fixed overwriting of group_id in admin_groups if Categories Hirarchie mod is installed
* fixed bugs regarding the 4GB limits users experienced
* fixed deletion of thumbnails
* fixed directory traversal injection (high severity) - Paul Laudanski (AKA Zhen-Xjell)
With this an attacker could be able to add/remove/execute files outside of the upload directory
* fixed multiple file extensions vulnerability (high severity) - Jeremy Bae at STG Security, Inc.
Due to the handling of mod_mime on multiple extensions an attacker is able to upload arbitrary script files to the web server.
If you need help, please first look at the Attachment Mod User Guide.
The new paskage can be obtained from:
http://www.phpbb.com/phpBB/catdb.php?mode=download&id=436728 or
http://sourceforge.net/project/showfiles.php?group_id=66311
Tags: Hackers Computers
|
