re: the PHPBB security issue:

  • re: the PHPBB security issue:

    Regarding this ongoing security issue with PHPBB, which apparently is also affecting vB, and for that matter, any other PHP-based product on the server. My host has very recently made a change to their servers to adjust for this problem (see below). Unfortunately, I don't know what to do with vB to resolve the issue. My problem is that avatars, profile pictures, and attachments (pictures) are no longer uploading. What, specifically, do I need to change in my vB to resolve this issue, as a result of the change quoted below? Thanks very much.




    -----------------------------------------------------------------------------
    "PHP's default upload_tmp_dir was /tmp, which is no longer world writeable as this is where the worms using the phpBB exploit download their programs to spread. This was necessary to stop our servers from attacking others. Your scripts should not download files to this area anyways as it is not available on all the servers your site is hosted on.

    If you use PHP to upload files, you need to have a custom php.ini. You need to uncomment and edit the upload_tmp_dir variable to point to a directory that is writeable by you, which would be your home directory or a subdirectory inside your home directory. DO NOT change that directory's permissions to 777, it is already writeable by your php scripts if it is the default 755.


    ;;;;;;;;;;;;;;;;
    ; File Uploads ;
    ;;;;;;;;;;;;;;;;

    ; Whether to allow HTTP file uploads.
    file_uploads = On

    ; Temporary directory for HTTP uploaded files (will use system default if not
    ; specified).
    upload_tmp_dir = /www/u/username

    ; Maximum allowed size for uploaded files.
    upload_max_filesize = 2M

    Please note that if you are uploading files larger than 2MB you will also need to change upload_max_filesize.
    "
    ---------------------------------------------------------------------------
    Last edited by TGRS; Tue 28 Dec '04, 9:19am. Reason: correct font size

  • #2
    It looks like your host gave you explicit instruction on what you need to do:

    If you use PHP to upload files, you need to have a custom php.ini. You need to uncomment and edit the upload_tmp_dir variable to point to a directory that is writeable by you, which would be your home directory or a subdirectory inside your home directory. DO NOT change that directory's permissions to 777, it is already writeable by your php scripts if it is the default 755.
    What do you need to know?
    Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)
    Change CKEditor Colors to Match Style (for 4.1.4 and above)

    Steve Machol Photography


    Mankind is the only creature smart enough to know its own history, and dumb enough to ignore it.




    • #3
      Go to the vBulletin Options > turn on 'use safe_mode on' and set the path to images/temp for the temp dir

      Then with your ftp program create a new dir inside the forum images/ directory called temp and chmod it to 777

      You now have your own tmp dir which vBulletin can use.



      • #4
        The purpose of my thread is to confirm with vb whether or not the outlined approach is valid for the vb software, given the fact that this security issue was originally reported as a phpbb issue. As per your reply-post, I assume that this change is appropriate for vb.



        • #5
          Here is the info on the effect this worm may have on vB:

          http://www.vbulletin.com/forum/showthread.php?t=124008

          As for your host's recommendation, I don't see why this wouldn't work for vB if you apply these changes and update the safe mode settings.
          Steve Machol, former vBulletin Customer Support Manager (and NOT retired!)


          • #6
            Nearly every shared hosting solution uses safe_mode ON. This is not something new to web hosting.



            • #7
              I'm not sure that the safe mode setting is even required here. I would first just do as the host says and see if it works.



              • #8
                Originally posted by Floris
                Go to the vBulletin Options > turn on 'use safe_mode on' and set the path to images/temp for the temp dir

                Then with your ftp program create a new dir inside the forum images/ directory called temp and chmod it to 777

                You now have your own tmp dir which vBulletin can use.
                But why set it to 777 at all? If it doesn't work with 755 then chown the directory to the user the webserver is using. It worked for me on my server.



                • #9
                  Originally posted by Icheb
                  But why set it to 777 at all? If it doesn't work with 755 then chown the directory to the user the webserver is using. It worked for me on my server.
                  Good tip.

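The host's php.ini instructions and the 755-versus-777 point raised in #8, as an added example (not part of any post in this thread, and not vBulletin or host code): a shell check that reads the active upload_tmp_dir from a custom php.ini and flags a world-writable directory. The function names and the constructed sample php.ini are assumptions, and the writability test assumes you run it as the account your PHP scripts run as.

```shell
#!/bin/sh
# Added example: audit the upload_tmp_dir named in a custom php.ini.

# Print the last uncommented upload_tmp_dir value in a php.ini file.
# Lines starting with ';' are comments, so a commented-out default is ignored.
php_upload_tmp_dir() {
    sed -n 's/^[[:space:]]*upload_tmp_dir[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*;.*$//' -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# Return codes:
#   0  directory exists, is writable by the current user, not world-writable
#   1  directory is world-writable (for example mode 777)
#   2  directory is missing or not writable by the current user
#   3  php.ini sets no upload_tmp_dir (PHP falls back to the system default)
audit_upload_tmp_dir() {
    dir=$(php_upload_tmp_dir "$1")
    [ -n "$dir" ] || { echo "upload_tmp_dir not set in $1"; return 3; }
    [ -d "$dir" ] && [ -w "$dir" ] || { echo "$dir: missing or not writable"; return 2; }
    # -perm -0002 matches when the "other" write bit is set.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
        echo "$dir: world-writable; 755 is enough when the directory is yours"
        return 1
    fi
    echo "$dir: ok"
}

# Constructed sample: a php.ini shaped like the host's, pointing at a
# scratch directory standing in for a subdirectory of the home directory.
demo() {
    home=$(mktemp -d) && mkdir "$home/tmp" && chmod 755 "$home/tmp"
    printf '%s\n' ';upload_tmp_dir = /tmp' "upload_tmp_dir = $home/tmp" > "$home/php.ini"
    audit_upload_tmp_dir "$home/php.ini" || true   # mode 755
    chmod 777 "$home/tmp"
    audit_upload_tmp_dir "$home/php.ini" || true   # mode 777
    rm -rf "$home"
}
demo
```

If the check returns 2 with the directory at 755, the ownership change described in #8 is the alternative to opening the mode up.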
