Mail2Forum
Mail2Forum (or M2F) is an add-on software to the phpBB forum system. M2F combines the functionality of a mailing list system and a phpBB forum in order to add bi-directional 'email to forum' and 'forum to email' communication.
 

Important Security Update - m2f v1.2.1

 
georgec
Site Admin


Joined: 16 Oct 2003
Posts: 1461
Location: London, UK

Posted: Wed Jul 19, 2006 00:19    Post subject: Important Security Update - m2f v1.2.1

Important information for all users of Mail2Forum

A security vulnerability has been brought to our attention today (19th July 2006). We have released a new set of files which will hopefully fix the problem. All users are urged to upgrade immediately - the vulnerability is serious and has already resulted in several websites being defaced.

Thanks to m2f users subtlecoolness, peterflorance, hardym, fgomez and others (including some nice anonymous people ;)) for their discussion which brought this to our attention!


More Information:

On July 18th we stumbled upon a security vulnerability warning in our support forum (see the discussion topic). A global variable was not being properly checked before use, and thus it opened a hole that permitted arbitrary remote php file execution. This vulnerability has also been registered in the secunia database: http://secunia.com/advisories/21083/.

The vulnerability affects all previous versions of m2f released to date (19th July 2006), including the most recent Stable Release of v1.2. ALL users are strongly advised to upgrade immediately.



>>> Download Link <<<


N.B. that this upgrade requires two steps:

1 - upload the m2f files to the phpBB directory as normal, wiping over the existing copies.
2 - make the following modification to the file phpBB_root/common.php:

[ FIND ]
Code:
// Begin M2F ----------------------------------------------
if (isset($ModName))
  $phpbb_root_path = './modules/' . $ModName . '/';
$m2f_root_path = $phpbb_root_path.'m2f/';
require_once($m2f_root_path. 'm2f_phpbb204.php');
// End M2F ----------------------------------------------


[ REPLACE WITH ]
Code:
// Begin M2F ----------------------------------------------
if (isset($ModName)) $phpbb_root_path = './modules/' . $ModName . '/';
define('M2F_ROOT_PATH', $phpbb_root_path.'m2f/');
require_once(M2F_ROOT_PATH. 'm2f_phpbb204.php');
// End M2F ------------------------------------------------
 
georgec
Site Admin


Joined: 16 Oct 2003
Posts: 1461
Location: London, UK

Posted: Wed Jul 19, 2006 13:00

Note that the [ REPLACE WITH ] part above has been changed since it was first posted - phpBB was corrupting the tab characters I was posting. Please re-apply the modification to common.php if you are experiencing problems.

Sorry once again for the annoyance!
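
A way to confirm that both upgrade steps described in this thread reached a phpBB tree, as an added example that is not part of the original posts or of the m2f project's code. The function names `audit` and `audit_sample` and the sample file layout are hypothetical, and it assumes that any include path still built from `$m2f_root_path` marks a file left over from before v1.2.1.

```python
import re
import tempfile
from pathlib import Path

# Patched common.php defines the path as a constant. Whitespace-tolerant,
# because the thread notes that tabs in the posted snippet were corrupted.
DEFINE_RE = re.compile(r"define\s*\(\s*['\"]M2F_ROOT_PATH['\"]")
# Pre-1.2.1 pattern from the [ FIND ] block: the path is held in a variable.
ASSIGN_RE = re.compile(r"\$m2f_root_path\s*=")
# Assumption: an include built from that variable marks a file that step 1
# did not overwrite. PHP variable names are case-sensitive, so is the regex.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*\$m2f_root_path")

def audit(phpbb_root):
    """Return sorted (relative_path, line_no, problem) tuples; [] means clean."""
    root = Path(phpbb_root)
    findings = []
    common = root / "common.php"
    text = common.read_text(errors="replace") if common.is_file() else ""
    if not DEFINE_RE.search(text):
        findings.append(("common.php", 0, "M2F_ROOT_PATH is not defined"))
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if INCLUDE_RE.search(line):
                findings.append((rel, no, "include path built from $m2f_root_path"))
            elif ASSIGN_RE.search(line):
                findings.append((rel, no, "assigns $m2f_root_path"))
    return sorted(findings)

# Constructed sample input: the two common.php snippets quoted in the post.
IF_LINE = "<?php\nif (isset($ModName)) $phpbb_root_path = './modules/' . $ModName . '/';\n"
OLD_COMMON = IF_LINE + ("$m2f_root_path = $phpbb_root_path.'m2f/';\n"
                        "require_once($m2f_root_path. 'm2f_phpbb204.php');\n")
NEW_COMMON = IF_LINE + ("define('M2F_ROOT_PATH', $phpbb_root_path.'m2f/');\n"
                        "require_once(M2F_ROOT_PATH. 'm2f_phpbb204.php');\n")

def audit_sample(files):
    """Write {relative_path: source} into a temp tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, src in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(src)
        return audit(tmp)

if __name__ == "__main__":
    for finding in audit_sample({"common.php": OLD_COMMON}):
        print(finding)
```

Point `audit()` at the real phpBB directory after upgrading; an empty list means the constant is defined in common.php and no scanned file still builds an include path from the variable. The match is line-based, so a commented-out old line is also reported.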