Open Source and information security mailing list archives
 
Message-ID: <20040326193014.24220.qmail@www.securityfocus.com>
Date: 26 Mar 2004 19:30:14 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB
    2.0.8    and in older versions]


In-Reply-To: <20040326172740.5558.qmail@....securityfocus.com>

Nice find,

 Confirmed on phpBB 2.0.8 :) What I did as a quick fix was to declare $pm_sql_user empty before it is declared with the proper data. That way it (hopefully) will not pass any values received from outside of the script to the query. For example, wherever I see this:

$pm_sql_user .= "blah blah blah query info here";

I add this before it

$pm_sql_user = '';

I have not had much time to look into the code as a whole, but the fix seems to work fine. Maybe some of you have better ideas? ;) BTW, in a way I don't blame you for not informing phpBB (I am assuming you didn't). After the grief I was given for trying to help with the last vuln I reported to them I doubt I will give them advanced warning in the future. Who knows.

Best Regards,

JeiAr
GulfTech Security Research





>From: Janek Vind <come2waraxe@...oo.com>
>To: bugtraq@...urityfocus.com
>Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8
>    and in older versions]
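
The quick fix described in the message above, as an added example that is not part of the original post and is not phpBB code. It assumes the outside value reaches $pm_sql_user through register_globals-style variable import, emulated here with extract(); build_clause(), the column name and the sample request are hypothetical.

```php
<?php
// Added illustration, not phpBB source. Only the variable name $pm_sql_user
// comes from the message; everything else is hypothetical.

function build_clause(array $request, int $user_id, bool $apply_fix): string
{
    // Assumption: request parameters become plain variables, as they did
    // globally under register_globals. EXTR_SKIP keeps the function's own
    // parameters from being overwritten by the request.
    extract($request, EXTR_SKIP);

    if ($apply_fix) {
        // The quick fix: start from a known-empty string so nothing that
        // was imported from the request survives into the query text.
        $pm_sql_user = '';
    }

    // Same shape as the line quoted in the message: the first write to the
    // variable is an append (.=), so it builds on whatever is already there.
    // Without the fix and without a request value, PHP flags this line as
    // using an undefined variable, which is a useful thing to grep logs for.
    $pm_sql_user .= "AND example_column = " . $user_id;

    return $pm_sql_user;
}

// Constructed sample request; the marker text stands in for any
// caller-controlled string.
$request = ['pm_sql_user' => 'REQUEST_SUPPLIED_TEXT '];

foreach ([false, true] as $apply_fix) {
    printf(
        "%-9s %s\n",
        $apply_fix ? 'fixed:' : 'unfixed:',
        build_clause($request, 42, $apply_fix)
    );
}
```

In the unfixed run the request text appears at the front of the returned fragment; with the initialisation in place only the script's own text is returned.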

