Message-ID: <20040128153944.61752.qmail@web25106.mail.ukl.yahoo.com>
Date: Wed, 28 Jan 2004 15:39:44 +0000 (GMT)
From: Shaun Colley <shaunige@...oo.co.uk>
To: bugtraq@...urityfocus.com
Subject: phpBB privmsg.php XSS vulnerability patch.


For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at <http://www.securityfocus.com/bid/9290>
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to patch the
vulnerabilities:


---CUT---
--- privmsg.php	2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php	2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
 if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
 {
 	$folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);
 
 	if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
 	{
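Review bot: The added `$folder = htmlspecialchars($folder);` is called without a quote style, and in the PHP versions of this era that defaults to ENT_COMPAT, which leaves single quotes unescaped; pass `ENT_QUOTES` as the second argument. The next statement already compares `$folder` against the four known folder names, so if that branch does not reset `$folder` to one of them, doing so there would be stricter than escaping. The added line also lacks the leading tab used by the surrounding lines.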
@@ -102,6 +103,7 @@
 if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
 {
 	$mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+	$mode = htmlspecialchars($mode);
 }
 else
 {
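Review bot: Escaping `$mode` in the line added right after the POST/GET assignment changes the value for every later use, not only where it is printed. If the script accepts only a fixed set of mode values, rejecting anything else at this point and escaping at output would be the more robust fix; if the escape stays here, pass `ENT_QUOTES` so single quotes are covered as well.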
---CUT---

Apply the patch:

patch privmsg.php phpbb2-xss.patch



And:


---CUT---
--- groupcp.php	2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php	2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@
 
 define('IN_PHPBB', true);
 $phpbb_root_path = './';
+$memberval = intval($members[$i]);
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
 mem
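Review bot: `$memberval = intval($members[$i]);` is placed at the top of the script, before the includes, where neither `$members` nor `$i` has been assigned by any visible line, so it is evaluated once and not once per member. Move the `intval()` call into the `for` loop that builds `$sql_in`.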
@@ -137,6 +138,7 @@
 if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
 {
 	$mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+	$mode = htmlspecialchars($mode);
 }
 else
 {
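Review bot: The `$mode` escape added here duplicates the one in privmsg.php. A shared helper in a common include that reads a request variable and escapes it would keep other scripts using the same POST/GET pattern from being missed, and would give one place to set the quote style.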
@@ -590,7 +592,7 @@
 					$sql_in = '';
 					for($i = 0; $i < count($members); $i++)
 					{
-						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
 					}
 
 					if ( isset($HTTP_POST_VARS['approve']) )
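Review bot: Inside the `for` loop the replacement line appends `$memberval`, which is not recomputed from `$members[$i]` on each pass, so every iteration adds the same value to `$sql_in` and the selected member ids are lost. Append `intval($members[$i])` directly in this line instead.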
---CUT---


Apply the patch:

patch groupcp.php phpbb2-groupcp.patch



Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.



Thank you for your time.
Shaun.
