authorPav Lucistnik <pav@FreeBSD.org>2004-05-06 10:07:06 +0000
committerPav Lucistnik <pav@FreeBSD.org>2004-05-06 10:07:06 +0000
commit802504d61cc567f570134e6b912f56bf6be88911 (patch)
tree10d271484a564722883b9bc9988f6d466c5819aa /www/phpbb
parentAdd a patch to fix compilation on recent versions of gcc, (diff)
- Plug IP spoofing vulnerability
http://www.vuxml.org/freebsd/cfe17ca6-6858-4805-ba1d-a60a61ec9b4d.html - Plug sessions table exhaustion DoS attack http://www.securityfocus.com/archive/1/360931 PR: ports/66150 Submitted by: Xin LI <delphij@frontfree.net> (maintainer)
Notes
Notes: svn path=/head/; revision=108534
Diffstat (limited to 'www/phpbb')
-rw-r--r--www/phpbb/Makefile2
-rw-r--r--www/phpbb/files/patch-common.php104
-rw-r--r--www/phpbb/files/patch-includes-sessions.php18
3 files changed, 123 insertions, 1 deletions
diff --git a/www/phpbb/Makefile b/www/phpbb/Makefile
index fc6179e74509..279fc1018614 100644
--- a/www/phpbb/Makefile
+++ b/www/phpbb/Makefile
@@ -7,7 +7,7 @@
PORTNAME= phpbb
PORTVERSION= 2.0.8
-PORTREVISION= 2
+PORTREVISION= 3
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
diff --git a/www/phpbb/files/patch-common.php b/www/phpbb/files/patch-common.php
new file mode 100644
index 000000000000..a796174c73ee
--- /dev/null
+++ b/www/phpbb/files/patch-common.php
@@ -0,0 +1,104 @@
+--- common.php:1.74.2.10 Wed Jun 4 10:41:39 2003
++++ common.php Wed Apr 21 05:18:02 2004
+@@ -6,8 +6,7 @@
+ * copyright : (C) 2001 The phpBB Group
+ * email : support@phpbb.com
+ *
+- * $Id: common.php,v 1.74.2.10 2003/06/04 17:41:39 acydburn Exp $
+- *
++ * $Id: common.php,v 1.74.2.11 2004/04/21 12:18:02 psotfx Exp $
+ *
+ ***************************************************************************/
+
+@@ -25,9 +24,44 @@
+ die("Hacking attempt");
+ }
+
++//
++function unset_vars(&$var)
++{
++ while (list($var_name, $null) = @each($var))
++ {
++ unset($GLOBALS[$var_name]);
++ }
++ return;
++}
++
++//
+ error_reporting (E_ERROR | E_WARNING | E_PARSE); // This will NOT report uninitialized variables
+ set_magic_quotes_runtime(0); // Disable magic_quotes_runtime
+
++$ini_val = (@phpversion() >= '4.0.0') ? 'ini_get' : 'get_cfg_var';
++
++// Unset globally registered vars - PHP5 ... hhmmm
++if (@$ini_val('register_globals') == '1' || strtolower(@$ini_val('register_globals')) == 'on')
++{
++ $var_prefix = (phpversion() >= '4.3.0') ? '' : 'HTTP';
++ $var_suffix = (phpversion() >= '4.3.0') ? '' : '_VARS';
++
++ if(is_array(${$var_prefix . '_GET' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_GET' . $var_suffix});
++ }
++
++ if(is_array(${$var_prefix . '_POST' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_POST' . $var_suffix});
++ }
++
++ if(is_array(${$var_prefix . '_COOKIE' . $var_suffix}))
++ {
++ unset_vars(${$var_prefix . '_COOKIE' . $var_suffix});
++ }
++}
++
+ //
+ // addslashes to vars if magic_quotes_gpc is off
+ // this is a security precaution to prevent someone
+@@ -106,6 +140,7 @@
+ $theme = array();
+ $images = array();
+ $lang = array();
++$nav_links = array();
+ $gen_simple_header = FALSE;
+
+ include($phpbb_root_path . 'config.'.$phpEx);
+@@ -126,32 +161,12 @@
+ //
+ // Obtain and encode users IP
+ //
+-if( getenv('HTTP_X_FORWARDED_FOR') != '' )
+-{
+- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-
+- $entries = explode(',', getenv('HTTP_X_FORWARDED_FOR'));
+- reset($entries);
+- while (list(, $entry) = each($entries))
+- {
+- $entry = trim($entry);
+- if ( preg_match("/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)/", $entry, $ip_list) )
+- {
+- $private_ip = array('/^0\./', '/^127\.0\.0\.1/', '/^192\.168\..*/', '/^172\.((1[6-9])|(2[0-9])|(3[0-1]))\..*/', '/^10\..*/', '/^224\..*/', '/^240\..*/');
+- $found_ip = preg_replace($private_ip, $client_ip, $ip_list[1]);
+-
+- if ($client_ip != $found_ip)
+- {
+- $client_ip = $found_ip;
+- break;
+- }
+- }
+- }
+-}
+-else
+-{
+- $client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+-}
++// I'm removing HTTP_X_FORWARDED_FOR ... this may well cause other problems such as
++// private range IP's appearing instead of the guilty routable IP, tough, don't
++// even bother complaining ... go scream and shout at the idiots out there who feel
++// "clever" is doing harm rather than good ... karma is a great thing ... :)
++//
++$client_ip = ( !empty($HTTP_SERVER_VARS['REMOTE_ADDR']) ) ? $HTTP_SERVER_VARS['REMOTE_ADDR'] : ( ( !empty($HTTP_ENV_VARS['REMOTE_ADDR']) ) ? $HTTP_ENV_VARS['REMOTE_ADDR'] : $REMOTE_ADDR );
+ $user_ip = encode_ip($client_ip);
+
+ //
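Review bot: `unset_vars()` unsets `$GLOBALS[$var_name]` for every request key with no exclusion list, so a GET, POST or cookie key that matches a name the script itself relies on is removed as well. That covers the request and server arrays and `GLOBALS`, and the client-IP assignment further down this same file reads `$HTTP_SERVER_VARS`, `$HTTP_ENV_VARS` and `$REMOTE_ADDR` after the loop has run, while the `include` uses `$phpbb_root_path` and `$phpEx`. I would skip a fixed list of protected names inside the loop, as sketched below; the exact list is a proposal and should be checked against what common.php and its includes expect to survive. Separately, the `@` on `each()` and `$ini_val()` hides any failure of the cleanup itself, and a one-line comment stating that the function undoes register_globals injection would be more useful than the empty `//` header.

```php
function unset_vars(&$var)
{
	// Names the rest of common.php still reads after this cleanup; never unset them.
	$keep = array(
		'GLOBALS', '_GET', '_POST', '_COOKIE', '_SERVER', '_ENV', '_FILES',
		'HTTP_GET_VARS', 'HTTP_POST_VARS', 'HTTP_COOKIE_VARS',
		'HTTP_SERVER_VARS', 'HTTP_ENV_VARS', 'HTTP_POST_FILES',
		'REMOTE_ADDR', 'phpbb_root_path', 'phpEx'
	);

	while (list($var_name, $null) = @each($var))
	{
		// Cast so integer keys are compared as strings, not numerically.
		if (in_array((string) $var_name, $keep))
		{
			continue;
		}
		unset($GLOBALS[$var_name]);
	}
	return;
}
```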
diff --git a/www/phpbb/files/patch-includes-sessions.php b/www/phpbb/files/patch-includes-sessions.php
new file mode 100644
index 000000000000..697a1241c6ae
--- /dev/null
+++ b/www/phpbb/files/patch-includes-sessions.php
@@ -0,0 +1,18 @@
+--- includes/sessions.php.orig Sun Jul 20 17:42:23 2003
++++ includes/sessions.php Thu May 6 12:02:56 2004
+@@ -147,7 +147,7 @@
+ $sql = "INSERT INTO " . SESSIONS_TABLE . "
+ (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
+ VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
+- if ( !$db->sql_query($sql) )
++ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
+ {
+ message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
+ }
+@@ -380,4 +380,4 @@
+ return $url;
+ }
+
+-?>
+\ No newline at end of file
++?>
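Review bot: The `$user_id != ANONYMOUS` test is folded into the error check, so the condition reads as error handling while actually deciding whether the INSERT runs at all, and nothing explains why guests are skipped. A separate guard with a comment makes the intent auditable: wrap the existing `if ( !$db->sql_query($sql) )` block in `if ( $user_id != ANONYMOUS )`, preceded by `// Guests get no row here so unauthenticated requests cannot fill SESSIONS_TABLE`. With this change a guest request that reaches this branch presumably ends up with a session id that has no backing row, so code that later looks the session up (outside this hunk) should be checked for that case. The enclosing function starts and ends outside the hunk.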