
security warning for boards with Activity Mod installed

PostPosted: Sun May 28, 2006 7:46 pm
Author: sanji
I just received this email from the administrators of phpBB-TweakS. There is a security warning for boards with Blend Portal System OR Activity Mod installed.

Just for your information...

sanji




It has come to my attention that Blend has a security issue. If you have Blend
Portal System OR Activity Mod installed, please disable your board or uninstall
these mods for the time being and do the file edit that I have listed below.
Here is a list of IPs that you need to ban from your site as well.

85.107.151.110, 84.112.100.97, 84.112.100.97, 200.112.130.69, 87.97.213.154,
211.66.110.157, 201.29.218.185, 195.93.60.97, 202.133.82.69, 70.136.76.25,
212.104.107.114, 157.142.200.121, 200.243.242.123, 166.111.249.39,
85.104.25.166, 85.14.214.4

These are known IPs that have used a script to infect sites with trojans via a
file in blend.
Open:
blend_data/blend_common.php

FIND

define('BLEND_DATA_PATH', 'blend_data/');

BEFORE, ADD

if (!defined('IN_PHPBB'))
die('Hack Attempt');

CLOSE & SAVE

I will release a fix for these issues ASAP.

I apologize for this huge inconvenience.



Edit by found it: please read my post 2 posts down for the fix.

Re: security warning for boards with Activity Mod installed

PostPosted: Sun May 28, 2006 8:06 pm
Author: Solomon
File edit different for Activity Mod Plus?

blend_common.php does not exist

PostPosted: Sun May 28, 2006 9:32 pm
Author: sanji
Sorry, I can't help; I am not using Activity Mod. But since people do on this forum, I thought the admin might be interested...

Sorry not to be more useful,

sanji

Re: security warning for boards with Activity Mod installed

PostPosted: Mon May 29, 2006 5:00 am
Author: found it
For anyone using the Activity Mod Plus mod, the code fixes are found here:

http://phpbb-tweaks.com/topics.html-p-17622#17622

Please do the 2 file edits ASAP...

:mrgreen:

Re: security warning for boards with Activity Mod installed

PostPosted: Mon May 29, 2006 7:38 am
Author: Solomon
"found it";p="7713" wrote:For anyone using the Activity Mod Plus mod, the code fixes are found here:

http://phpbb-tweaks.com/topics.html-p-17622#17622

Please do the 2 file edits ASAP...

:mrgreen:

ty

Re: security warning for boards with Activity Mod installed

PostPosted: Mon May 29, 2006 8:03 am
Author: Solomon
"austin" wrote:Just an FYI, there are quite a few other mods with these same issues (I don't know if their authors have released fixes or not), so keep your eyes open for changes in your site.

Any clue which other mods or what to look for in other mods not mentioned?

Re: security warning for boards with Activity Mod installed

PostPosted: Mon May 29, 2006 12:50 pm
Author: obiku
If I look in some of my lang files, most of them do not have the code

Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }

in them. Only the lang extend files have this code in them.

My question is now, is it necessary to put this code in the lang files?

Re: security warning for boards with Activity Mod installed

PostPosted: Tue May 30, 2006 12:07 pm
Author: Solomon
"obiku";p="7792" wrote:If I look in some of my lang files, most of them do not have the code

Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }

in them. Only the lang extend files have this code in them.

My question is now, is it necessary to put this code in the lang files?

Good question, hopefully one of the "experts" will tune in.

Re: security warning for boards with Activity Mod installed

PostPosted: Tue May 30, 2006 2:40 pm
Author: sanji
"obiku";p="7792" wrote:If I look in some of my lang files, most of them do not have the code

My question is now, is it necessary to put this code in the lang files?


I am not absolutely sure, but I think there is no need to have this code in the language files. They only contain lists of words, and no functions, and do not connect with the database...

sanji

PostPosted: Tue May 30, 2006 4:40 pm
Author: Michaelo
Correct!

PostPosted: Tue May 30, 2006 5:08 pm
Author: Solomon
"Michaelo";p="7941" wrote:
"sanji";p="7917" wrote:
"obiku";p="7792" wrote:If I look in some of my lang files, most of them do not have the code

My question is now, is it necessary to put this code in the lang files?


I am not absolutely sure, but I think there is no need to have this code in the language files. They only contain lists of words, and no functions, and do not connect with the database...

sanji


Correct!

http://phpbb-tweaks.com/topics.html-p-17622#17622

Aren't those lang files in the Activity Mod Plus fix?
Are you saying the fix is not needed then?

PostPosted: Wed May 31, 2006 1:39 am
Author: obiku
"Solomon";p="7943" wrote:
"Michaelo";p="7941" wrote:http://phpbb-tweaks.com/topics.html-p-17622#17622

Aren't those lang files in the Activity Mod Plus fix?
Are you saying the fix is not needed then?


Very interesting question. There are no functions in the lang_activity.php and lang_activity_char.php, but austin said to put this code
Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }

in them. I only see an include in the lang_activity.php, but it only includes the lang_activity_char.php, in which no function appears, nor a connection to the database???

Re: security warning for boards with Activity Mod installed

PostPosted: Wed May 31, 2006 8:10 am
Author: Michaelo
IN_PHPBB - This constant is set to prevent cross-site script hacks that could potentially exploit the database. User facing files (files intended to be called by the user like index.php and viewtopic.php) define this constant. Non-user facing files (not intended to be called by users, such as db.php and common.php) check to make sure this constant is set thereby disallowing direct execution of these files. IN_PHPBB should be the first thing handled in most files. MODs must...

1. Define IN_PHPBB in user facing files using this syntax:
Code:
define('IN_PHPBB', true);

2. Check for IN_PHPBB in non-user facing files with this code:
Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }
...technically, the check is not required in non-user facing files that contain ONLY functions (like functions.php). If any global variables, requires(), constant definitions, or code outside of a function is present then checking for IN_PHPBB is absolutely required.

You can find the rest of the article [url=http]HERE[/url]

Update: Facing files = files called directly by the user... language files are not called by the user, nor do they contain functions, so I don't know why there is a need to add the check, but it doesn't hurt...
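As an added example (not code from the thread, phpBB, Blend or the Activity Mod), here is a Python checker that applies the rule quoted above, and the file edit in the first post, to PHP sources: a file that runs anything at file scope (assignments, includes, defines) must carry the IN_PHPBB check, while a functions-only file may omit it. The regex heuristics and the sample file contents are constructed for illustration, and `$lang[...]` assignments count as global variables, so a bare language file is flagged under that rule.

```python
import re

# Patterns for the phpBB 2 convention quoted above (constructed example, not project code).
GUARD_RE = re.compile(r"if\s*\(\s*!\s*defined\s*\(\s*'IN_PHPBB'\s*\)\s*\)")
DEFINE_RE = re.compile(r"define\s*\(\s*'IN_PHPBB'\s*,\s*true\s*\)")
FUNC_RE = re.compile(r"\bfunction\s+\w+\s*\([^)]*\)\s*\{")
DIE_RE = re.compile(r"\{\s*die\s*\([^)]*\)\s*;\s*\}|die\s*\([^)]*\)\s*;")

def _strip_comments(src):
    # Naive: drops /* */ blocks and everything after // or # on a line.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(//|#).*", "", src)

def _strip_function_bodies(src):
    # Drop each brace-matched `function name(...) {...}`; what remains runs at file scope.
    out, i = [], 0
    while (m := FUNC_RE.search(src, i)):
        out.append(src[i:m.start()])
        depth, j = 1, m.end()
        while j < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[j], 0)
            j += 1
        i = j
    out.append(src[i:])
    return "".join(out)

def audit(src):
    """Classify one PHP source: (has_guard, defines_in_phpbb, has_toplevel_code, verdict)."""
    body = _strip_comments(src)
    has_guard = bool(GUARD_RE.search(body))
    defines = bool(DEFINE_RE.search(body))
    top = re.sub(r"<\?php|\?>", "", _strip_function_bodies(body))  # tags are not statements
    top = DIE_RE.sub("", GUARD_RE.sub("", top))  # the guard itself does not count as code
    has_toplevel = bool(top.strip())
    if defines:
        verdict = "user-facing: defines IN_PHPBB"
    elif has_toplevel and not has_guard:
        verdict = "MISSING GUARD: file-scope code without IN_PHPBB check"
    else:
        verdict = "ok: guarded" if has_guard else "ok: functions only, guard optional"
    return has_guard, defines, has_toplevel, verdict

# Constructed sample files modelled on the file names used in the thread.
SAMPLES = {
    "index.php": "<?php\ndefine('IN_PHPBB', true);\n$phpbb_root_path = './';\n?>",
    "lang_activity.php": "<?php\nif ( !defined('IN_PHPBB') ) { die(\"Hacking attempt\"); }\n"
                         "$lang['Activity'] = 'Activity';\ninclude('lang_activity_char.php');\n?>",
    "lang_activity_char.php": "<?php\n// word list only, no guard\n$lang['Char_name'] = 'Name';\n?>",
    "functions_activity.php": "<?php\nfunction activity_score($posts) {\n"
                              "    if ($posts > 0) { return $posts * 2; }\n    return 0;\n}\n?>",
}
```

Run `audit()` over each entry of `SAMPLES` (or over real mod files read from disk) to get a per-file verdict.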

PostPosted: Wed May 31, 2006 9:58 am
Author: Solomon
"obiku";p="7957" wrote:
"Solomon";p="7943" wrote:
"Michaelo";p="7941" wrote:http://phpbb-tweaks.com/topics.html-p-17622#17622

Aren't those lang files in the Activity Mod Plus fix?
Are you saying the fix is not needed then?


Very interesting question. There are no functions in the lang_activity.php and lang_activity_char.php, but austin said to put this code
Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }

in them. I only see an include in the lang_activity.php, but it only includes the lang_activity_char.php, in which no function appears, nor a connection to the database???

So Austin probably just wanted to be on the safer than sorry side of the lang_activity files?

"Michaelo";p="7989" wrote:
IN_PHPBB - This constant is set to prevent cross-site script hacks that could potentially exploit the database. User facing files (files intended to be called by the user like index.php and viewtopic.php) define this constant. Non-user facing files (not intended to be called by users, such as db.php and common.php) check to make sure this constant is set thereby disallowing direct execution of these files. IN_PHPBB should be the first thing handled in most files. MODs must...

1. Define IN_PHPBB in user facing files using this syntax:
Code:
define('IN_PHPBB', true);

2. Check for IN_PHPBB in non-user facing files with this code:
Code:
if ( !defined('IN_PHPBB') ) { die("Hacking attempt"); }

...technically, the check is not required in non-user facing files that contain ONLY functions (like functions.php). If any global variables, requires(), constant definitions, or code outside of a function is present then checking for IN_PHPBB is absolutely required.

You can find the rest of the article [url=http]HERE[/url]

Update

Thanks for the article

PostPosted: Wed May 31, 2006 10:06 am
Author: Michaelo
I guess so unless there is something we are not aware of.