regarding the "no forum specified error"


  • #16
    I would *highly recommend* removing that second line. They have file uploads turned off until they can patch PHP and doing that is circumventing them, leaving you (and in turn their server) open for attack. The first line should be all you need to run vBulletin (albeit without file uploads for the time being).

    Comment


    • #17
      My e-mail to my webhost:

      You may have just installed a PHP security patch. There's only one problem.

      Every vBulletin forum is now broken because of this update.

      Part of the patch turned off register_globals, which renders the vBulletin software dead.

      A post from the vBulletin folks here:

      http://www.vbulletin.com/forum/showt...threadid=40721

      Can you please turn register_globals back on temporarily until vBulletin can post a fix?


      Their reply:

      The folks at vbulletin.com are misinformed about the PHP problem.
      We did not turn off register_globals .... we only turned off
      file_uploads. You can confirm the PHP settings by visiting

      http://s21.route66.net/test.php

      Comment


      • #18
        Ed Sullivan posted:
        Also, although I've only done a quick skim, some people may need to remove the following from at least the newthread/newreply/editpost templates:

        enctype="multipart/form-data"
        Thank you. I hope they fix php very soon because you really need to remove this line from ANYWHERE that has uploads, including uploading avatars, private messages, etc.

        Comment


        • #19
          Originally posted by shellx
          I also am hosted with pair networks (www.cavbooks.com), and I tried both the patches but they didn't work. I ended up having to create a .htaccess file which contained the following:

          php_flag register_globals on
          php_flag file_uploads on

          After adding the second line this worked! I hope this will help other pair networks users.
          Same thing for me, doesn't work without that 2nd line.

          Comment


          • #20
            sorry, but this is the wrong thing to do.

            by doing that you're exposing your site, the host's server, and numerous other sites on that server to the security risk.

            have you not read the details? do you not realise that there are a few attacks in circulation... hence the action your host has taken to protect you and them?

            if your host did something to potentially allow a malicious person to attack your site, potentially causing data loss and grief.. then you'd freak out... yet this is what you are doing by enabling uploads whilst this vulnerability exists.

            check phpinfo() and when the version is adequate, or you can gauge evidence that the appropriate patch is applied... THEN and only then allow file uploads.

            in the meantime do a search on the templates and comment out the multipart references (just move them one line up and inside an HTML comment for now), and then using your control panel... restrict file uploads of avatars and attachments.

            don't risk your whole site for the sake of uploading a new avatar, it's not worth it. just remember what it's like to rebuild the thing, and then don't do it.

            cheers

            david k
            London Fixed-gear and Single-speed

            Comment


            • #21
              Originally posted by buro9
              by doing that you're exposing your site, the host's server, and numerous other sites on that server to the security risk.
              I wholeheartedly agree... if your host has turned off file_uploads to protect against this, then DO NOT enable this manually, you are leaving the entire server up for attack. If you need to get uploads working again, then ask your host to upgrade to PHP 4.1.2 (or apply the patches for their version) ASAP.

              Comment


              • #22
                Originally posted by feldon23
                Part of the patch turned off register_globals, which renders the vBulletin software dead.
                We did not say that the patch turns register_globals off. We said that a lot of hosts are manually turning it off despite it not being part of the security alert. For those who have hosts that did turn it off they will need to have them turn it back on or follow Ed's instructions for creating an .htaccess file to turn it on for your vB.

                Comment


                • #23
                  I have a question.....

                  Is this security vulnerability something that just happened? Or is it something that has existed ever since PHP was created, and only now they have discovered it? If the latter is the case, then what's the big concern about hacking all of a sudden, if people could have been doing it all along?

                  Comment


                  • #24
                    It is in PHP3 and PHP4 up to PHP4.1.1. There could have been hacking all along, but it was only just publicized, so unless script kiddies discovered this on their own, chances are they have not been exploiting it.

                    Comment


                    • #25
                      Ok I guess some of you are busy working out a solution.

                      However, we are on a dedicated host so it's up to us to configure things as they are.

                      We already have all kinds of uploading via vB off via the Admin CP (Avatar, attachments).

                      So my question is if we have php 4.0.6, should we apply the patch, or wait till a final resolution is found?

                      If we have not applied the patch, should we still patch the templates to take out the lines

                      enctype="multipart/form-data"

                      Some clarification would be appreciated and perhaps some multiple threads could be deleted as it is getting diff. to figure out which post is most relevant to a solution. Thanks!

                      Comment


                      • #26
                        Also nowhere on PHP.net do I see instructions on how to apply the patch. Anyone know how this patch is applied on Linux servers? Thx.

                        Comment


                        • #27
                          Originally posted by ubbuser
                          Also nowhere on PHP.net do I see instructions on how to apply the patch. Anyone know how this patch is applied on Linux servers? Thx.
                          I noticed the same thing. Unfortunately on my server PHP is installed as an Apache module, which means I need to recompile Apache with the upgraded PHP. I have no idea how to do that and am afraid of breaking my web server. (Actually I do have an idea, but too many things can go wrong!)
                          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
                          Change CKEditor Colors to Match Style (for 4.1.4 and above)

                          Steve Machol Photography


                          Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.


                          Comment


                          • #28
                            Ugh I hope I do not have to recompile Apache with the patched PHP since I too am running php as a module

                            Smachol: I have uploads turned off via admin cp, but the php.ini allows file uploads. I have not patched Php 4.0.6 yet. The question I have is if I should still edit the templates to remove the

                            enctype="multipart/form-data"

                            parts out of relevant templates. We are not using uploading feature anyways.

                            Comment


                            • #29
                              Also, if I am not using the file upload feature in vB for attachments, avatars etc, is it just possible for me to turn off php's upload feature via the php.ini file?

                              ; Whether to allow HTTP file uploads.
                              file_uploads = On

                              ^^^ Change the above to Off ? Any probs with this? Thx.

                              Comment


                              • #30
                                PHP Security & Exploit



                                Check out the URL above.. neat discussions going on about this prob.

                                Full Advisory...


                                This is a very high impact vulnerability, mod_php is the world's most popular Apache module, maybe the most popular web script language. (no flamewars intended, it IS popular among a lot of people whether you like it or not).

                                However, one line in the config (php.ini) should according to php.net disable the vulnerability:

                                file_uploads = off

                                (restart apache web server.)

                                (When tested phpinfo(); gives "no value" at my site)

                                (Patch install

                                One file needs to be patched for all PHP versions, get the patch here :

                                php.net/downloads.php [php.net]

                                Patch like this:

                                1. Enter ../src/php-4.0.x/main dir
                                2. patch < pathtodiffile/rfc1867.c.diff-4.0.6
                                3. build either the DSO module or build apache with static php
                                Last edited by ubbuser; Thu 28 Feb '02, 11:04pm.

                                Comment
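An audit a host or admin could run to act on two points raised in this thread: the warnings against re-enabling uploads from `.htaccess` (posts #16, #20, #21) and the `php.ini` setting discussed in posts #29 and #30. This is an added example, not code from any poster or from vBulletin; the function names and the sample tree are assumptions, and 4.1.2 is the fixed release named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). A back-patched older build is still
# flagged by the version test, so confirm patch status with the host.
FIXED_VERSION=4.1.2   # fixed release named in the thread

# version_lt A B: succeed if dotted version A is strictly older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# ini_uploads_on FILE: succeed unless the last uncommented file_uploads line
# in a php.ini turns uploads off. Unset or empty is treated as On (conservative).
ini_uploads_on() {
    val=$(sed -n 's/^[[:space:]]*file_uploads[[:space:]]*=[[:space:]]*"\{0,1\}\([A-Za-z0-9]*\).*/\1/p' "$1" | tail -n 1)
    case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
        off|0|false|no|none) return 1 ;;
        *) return 0 ;;
    esac
}

# find_upload_overrides DIR: list .htaccess files under DIR that switch
# file_uploads back on with php_flag/php_value; commented lines are ignored.
find_upload_overrides() {
    find "$1" -type f -name .htaccess -exec grep -liE \
        '^[[:space:]]*php_(flag|value)[[:space:]]+file_uploads[[:space:]]+"?(on|1|true|yes)"?[[:space:]]*$' {} + | sort
}

# audit_host VERSION PHP_INI DOCROOT: report every place uploads are enabled,
# but only while the PHP version is older than the fixed release.
audit_host() {
    version_lt "$1" "$FIXED_VERSION" || return 0
    if ini_uploads_on "$2"; then echo "php.ini: file_uploads enabled"; fi
    find_upload_overrides "$3" | sed 's/^/override: /'
}

# Constructed sample: host disabled uploads, one site re-enabled them.
demo=$(mktemp -d)
mkdir -p "$demo/forum_a" "$demo/forum_b"
printf '; Whether to allow HTTP file uploads.\nfile_uploads = Off\n' > "$demo/php.ini"
printf 'php_flag register_globals on\nphp_flag file_uploads on\n' > "$demo/forum_a/.htaccess"
printf 'php_flag register_globals on\n' > "$demo/forum_b/.htaccess"
audit_host 4.0.6 "$demo/php.ini" "$demo"
rm -rf "$demo"
```

On the constructed tree this reports only `forum_a/.htaccess`, the site that overrode the host's setting.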
