... which allows attackers to register with Administrator privileges by "setting the values of certain variables to contain certain characters." (Nice of them not to spell-out how to implement the hack.)
Attackers can then wreck all manner of ugliness.
I discovered the vulnerability last night, but couldn't implement the fix, cuz other mods I've installed had modified the original source code of the files I needed to patch (register.pl + profile.pl).
The patch searched for (some of) the flawed code, but couldn't find it, cuz it had been modified by another mod. Actually, the first 8 steps proceeded fine. Only the 9th and final step errored. But unless the entire fix can be implemented, the patch refuses to install.
At 11PM last night, I was tired and not thinking clearly, so I disabled the registration feature (to help mitagate the vulnerability) and went to bed.
••••• today's entry continues below •••••
Early this morning, I modified the (two) source files by hand (which suks), and implemented the patch. Then I re-enabled & tested the registration feature, which appears to be working fine.
Normally, "mods" to the forum (which add cool features) are done with a nifty program called BoardMod, which uses a *.mod file (written by someone with coding skills) to search for for snippets of code, which it then replaces (with new code), or adds new code in specific places .. all with a single click.
All that remains is for you to upload the modified file(s) to your server. Pretty cool.
Problem is .. the more mods you add (and we've added a handful), the less like your source code looks like the original files. So when BoardMod searches for original snippets of code, it can't find them.
Anyway, the forum has been patched, registration re-enabled, and civilization as we know it returned from the brink of disaster.