請問這是真的嗎?
2.0.15有必要做這修正?
thx
[討論] 2.0.15有bug???
版主: 版主管理群
版面規則
本區是討論關於 phpBB 2.0.X 架設安裝上的問題,只要有安裝任何外掛,請到外掛討論相關版面按照公告格式發表。
(發表文章請按照公告格式發表,違者砍文)
本區是討論關於 phpBB 2.0.X 架設安裝上的問題,只要有安裝任何外掛,請到外掛討論相關版面按照公告格式發表。
(發表文章請按照公告格式發表,違者砍文)
-
yll
- 星球公民
- 文章: 149
- 註冊時間: 2002-09-08 15:26
- 來自: http://www.yll.url.tw/
- 聯繫:
Re: [討論] 2.0.15有bug???
phpBB 的開發員將會在這一兩天內對此做出公開說明
我可以先在這邊跟大家說,此為 DOS Attack,也就是說這並不是用程式語言就可以擋住的攻擊,如果主機的管理員擔心主機被 DOS Attack(不管是不是經由 phpBB 或任何對外公佈的網頁)就應該從 server 上的維護做起。至於該如何防範 DOS Attack,請自行搜尋 Google
~Mac
這應該不是騙人的吧\r
OL3 是 自由軟體技術交流網 的站長\r
那個站算是台灣 Linux 社群的一個入口網站
在這邊也有報導出來:
http://freesf.tnc.edu.tw/modules/news/a ... oryid=1981
文章中提到:
發文者建議使用者立刻修正這個漏洞
但是目前解決方法只有提到:關閉註冊及搜尋
註冊和搜尋,都是論壇很重要的功能\r
都關閉的話,等於論壇也不必開了
不知道何時才會真正的修正方法出來...
OL3 是 自由軟體技術交流網 的站長\r
那個站算是台灣 Linux 社群的一個入口網站
在這邊也有報導出來:
http://freesf.tnc.edu.tw/modules/news/a ... oryid=1981
文章中提到:
且警告等級是:高危險!!!phpBB2 在 2.0.15(含) 及之前的版本有一高度危險的漏洞,攻擊者可利用 profile.php 及 search.php 來進行大量新增帳號以及 DOS 的攻擊。
發文者建議使用者立刻修正這個漏洞
但是目前解決方法只有提到:關閉註冊及搜尋
註冊和搜尋,都是論壇很重要的功能\r
都關閉的話,等於論壇也不必開了
不知道何時才會真正的修正方法出來...
大家都是抄來抄去,又不是真的有去測試當初報告此『漏洞』的正確性\rlinux_xp 寫:在這邊也有報導出來:
http://freesf.tnc.edu.tw/modules/news/a ... oryid=1981
如果大家有興趣,應該是看看原始來源: http://www.securiteam.com/exploits/5QP0M0UG0A.html
不過,這種網站應該是沒有人在檢查提供的文章的正確性吧,所以看到的人要不要相信,就自己判斷吧,反正,我也說了 phpBB 會有人正式對此做說明
~Mac
http://www.phpbb.com/phpBB/viewtopic.ph ... 68#1637368
Posted: Sun Jun 26, 2005 11:53 pm Post subject: DoS scripts circulating
--------------------------------------------------------------------------------
A number of people have brought to our attention reports of vulnerabilities in phpBB that are circulating on a number of sites at present.
We have looked into these reports and from what we can determine, these are simple DoS (denial of service) attacks which cause problems purely by the number of requests sent to the site in a very short space of time. There is no actual vulnerability in phpBB that is being targetted by this "exploit" code.
You can help to prevent automated registrations on your forum by enabling visual confirmation from the General Configuration page of your administation panel which will ensure that these members are not actually registered. This will also help to mitigate against registration spammers as well.
We also took steps in 2.0.15 to prevent some searches being run by altering the search so that only those words which were long enough to be indexed (3 characters or higher by default) were searched, additionally preventing wildcard-only searches.
Can I also emphasise once again the point that if you believe that you have found a security issue in phpBB, please report it to us via our security tracker to ensure that it goes to the correct people to look at. Please do not post this sort of thing to the forum or to security mailing lists, where it can often lead to much confusion among other users without reporting it to us first and allowing us a reasonable amount of time to look at it and respond.
~Mac
Posted: Sun Jun 26, 2005 11:53 pm Post subject: DoS scripts circulating
--------------------------------------------------------------------------------
A number of people have brought to our attention reports of vulnerabilities in phpBB that are circulating on a number of sites at present.
We have looked into these reports and from what we can determine, these are simple DoS (denial of service) attacks which cause problems purely by the number of requests sent to the site in a very short space of time. There is no actual vulnerability in phpBB that is being targetted by this "exploit" code.
You can help to prevent automated registrations on your forum by enabling visual confirmation from the General Configuration page of your administation panel which will ensure that these members are not actually registered. This will also help to mitigate against registration spammers as well.
We also took steps in 2.0.15 to prevent some searches being run by altering the search so that only those words which were long enough to be indexed (3 characters or higher by default) were searched, additionally preventing wildcard-only searches.
Can I also emphasise once again the point that if you believe that you have found a security issue in phpBB, please report it to us via our security tracker to ensure that it goes to the correct people to look at. Please do not post this sort of thing to the forum or to security mailing lists, where it can often lead to much confusion among other users without reporting it to us first and allowing us a reasonable amount of time to look at it and respond.
~Mac
請問是什麼意思?Mac 寫:http://www.phpbb.com/phpBB/viewtopic.ph ... 68#1637368
Posted: Sun Jun 26, 2005 11:53 pm Post subject: DoS scripts circulating
--------------------------------------------------------------------------------
恕刪
~Mac
感謝
PHPBB:2.0.20
OS:LINUX
風格: ICG
快速程式:無
上網方式:Hinet 8m/640
架設環境:竹貓空間
OS:LINUX
風格: ICG
快速程式:無
上網方式:Hinet 8m/640
架設環境:竹貓空間