Message-ID: <40185E71.8060009@michealcottingham.com>
Date: Wed, 28 Jan 2004 20:14:25 -0500
From: Micheal Cottingham <micheal@...healcottingham.com>
To: bugtraq@...urityfocus.com
Subject: Re: Fw: phpBB privmsg.php XSS vulnerability patch.
I'm going to regret replying to this as many people seem to abuse
autoresponders and I end up with 50+ emails saying so-and-so is out of
the office ...
If you think you have found a security hole with phpBB, contact the
security email address ... I assure you they won't bite your head off
for notifying them, even if it turns out to be a false alarm.
International Veneer Co., Inc. wrote:
>----- Original Message -----
>From: "Shaun Colley" <shaunige@...oo.co.uk>
>To: <bugtraq@...urityfocus.com>
>Sent: Wednesday, January 28, 2004 10:39 AM
>Subject: phpBB privmsg.php XSS vulnerability patch.
>
>
>For those who have not yet installed the phpBB
>packages fixing the XSS vulnerability in privmsg.php
>documented at <http://www.securityfocus.com/bid/9290>
>and the groupcp.php vulnerability, or for those who do
>not want to download the new packages, the following
>patches can be quickly and easily applied to patch the
>vulnerabilities:
>
>
>---CUT---
>--- privmsg.php 2003-07-20 11:42:23.000000000 -0400
>+++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
>@@ -58,6 +58,7 @@
> if ( isset($HTTP_POST_VARS['folder']) ||
>isset($HTTP_GET_VARS['folder']) )
> {
> $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
>$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
>+$folder = htmlspecialchars($folder);
>
> if ( $folder != 'inbox' && $folder != 'outbox' &&
>$folder != 'sentbox' && $folder != 'savebox' )
> {
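Review bot: The htmlspecialchars() call added after the $folder assignment sits directly in front of a comparison that accepts only the four literal names inbox, outbox, sentbox and savebox, so the encoding cannot change which requests get through; it only has an effect if the rejected value is echoed somewhere outside this hunk. If that echo is the actual XSS sink, note that htmlspecialchars() without ENT_QUOTES leaves single quotes untouched, so a value landing inside a single-quoted attribute is still live; `$folder = htmlspecialchars($folder, ENT_QUOTES);` closes that. Minor: the added line is not indented to match the surrounding block, unlike the other three added lines in this patch.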
>@@ -102,6 +103,7 @@
> if ( !empty($HTTP_POST_VARS['mode']) ||
>!empty($HTTP_GET_VARS['mode']) )
> {
> $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
>$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
>+ $mode = htmlspecialchars($mode);
> }
> else
> {
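Review bot: Encoding $mode at the point it is read means every later use of the variable sees the encoded form rather than the raw one; that is harmless for plain alphabetic mode names, but it is an input-time substitute for escaping at the place the value is printed, and it does nothing for any other sink the value reaches. Pass ENT_QUOTES here as well so single quotes are encoded, or better, reject any $mode that is not one of the values this script actually handles and encode only where it is output.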
>---CUT---
>
>Apply the patch:
>
>patch privmsg.php phpbb2-xss.patch
>
>
>
>And:
>
>
>---CUT---
>--- groupcp.php 2004-01-27 15:14:46.000000000 -0500
>+++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
>@@ -22,6 +22,7 @@
>
> define('IN_PHPBB', true);
> $phpbb_root_path = './';
>+$memberval = intval($members[$i]);
> include($phpbb_root_path . 'extension.inc');
> include($phpbb_root_path . 'common.'.$phpEx);
> mem
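Review bot: The new line `$memberval = intval($members[$i]);` is placed at the top of the file, before common.php is included and long before the loop in the hunk at line 590 that defines $members and $i, so at this point both variables are undefined and $memberval is intval(NULL), i.e. 0, for the rest of the script. The cast has to be applied to each element inside that loop, and this line should be dropped. Separately, the last context line of this hunk reads only `mem`, which looks like a line truncated when the diff was pasted; patch will reject the hunk when the context does not match, so regenerate the diff with `diff -u` and post it unwrapped.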
>@@ -137,6 +138,7 @@
> if ( isset($HTTP_POST_VARS['mode']) ||
>isset($HTTP_GET_VARS['mode']) )
> {
> $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
>$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
>+ $mode = htmlspecialchars($mode);
> }
> else
> {
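Review bot: Same reservation as for the matching $mode hunk in privmsg.php: the value is encoded on input rather than checked against the modes the script handles, and without ENT_QUOTES single quotes pass through unchanged. Validate first, encode at output.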
>@@ -590,7 +592,7 @@
> $sql_in = '';
> for($i = 0; $i < count($members); $i++)
> {
>- $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
>$members[$i];
>+ $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
>$memberval;
> }
>
> if ( isset($HTTP_POST_VARS['approve']) )
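Review bot: Replacing $members[$i] with $memberval makes the loop append the same value on every iteration, so the IN list built here degenerates to `N, N, N` (and with $memberval assigned at the top of the file, N is 0), which breaks the approve action that follows rather than sanitising it. Put the cast on the element itself, inside the loop: `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);` and consider skipping elements that cast to 0 so that a list of junk does not produce `IN (0, 0)`.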
>---CUT---
>
>
>Apply the patch:
>
>patch groupcp.php phpbb2-groupcp.patch
>
>
>
>Applying the above patches will fix the phpBB2
>privmsg.php XSS vulnerability, and the input
>validation error vulnerability in the groupcp.php
>script.
>
>
>
>Thank you for your time.
>Shaun.
>
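The patch above encodes the folder and mode parameters on input and hoists the intval() cast out of the members loop. The following is an added example, not code from phpBB or from the patch, showing the two patterns a reviewer would ask for instead: a whitelist check on the folder name, a per-element cast when building the SQL IN list, and quote-complete encoding only at the point a value is printed. The function names (pm_folder, member_id_list, echo_safe) and the sample request values are assumptions made for illustration.

```php
<?php
// Added example, not phpBB code. Function names and sample input are assumed.

// Accept only the four folder names privmsg.php actually handles. Because
// nothing but these literals survives, no encoding is needed on the way in.
function pm_folder(array $request)
{
    $folder  = isset($request['folder']) ? (string) $request['folder'] : 'inbox';
    $allowed = array('inbox', 'outbox', 'sentbox', 'savebox');
    if (!in_array($folder, $allowed, true)) {
        // The rejected value is the thing that must never be echoed raw;
        // fall back to a known-good folder instead of reflecting it.
        return 'inbox';
    }
    return $folder;
}

// Build the "IN (...)" list with the cast applied to every element inside
// the loop, so it cannot end up evaluated once before $members exists.
function member_id_list(array $members)
{
    $ids = array();
    foreach ($members as $m) {
        $id = intval($m);
        if ($id > 0) {            // user ids are positive; drop junk instead of emitting 0
            $ids[] = $id;
        }
    }
    // Empty string means "nothing valid"; the caller must not run the query then.
    return implode(', ', $ids);
}

// For a request value that genuinely has to be printed, encode both quote
// styles; the default flags leave single quotes alone.
function echo_safe($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES);
}

// Constructed sample input, not a real request.
$post    = array('folder' => '<script>alert(1)</script>', 'mode' => "read' onmouseover='x");
$members = array('12', '13 OR 1=1', '-1', 'abc');

var_dump(pm_folder($post));
var_dump(member_id_list($members));
var_dump(echo_safe($post['mode']));
```

With the constructed input, pm_folder() falls back to inbox, member_id_list() keeps only the two positive integers and drops the negative and non-numeric entries, and echo_safe() turns the single quote in the mode value into a character reference, which is the case the ENT_QUOTES-less calls in the patch leave open.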