| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20040429021634.GA379@frontfree.net>
Date: Thu, 29 Apr 2004 10:16:34 +0800
From: Xin LI <delphij@...ntfree.net>
To: BlueRaven <blue@...enconsulting.it>
Cc: bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
On Wed, Apr 28, 2004 at 11:03:26AM +0200, BlueRaven wrote:
> On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:
>
> Hi Xin, I think there's an error in your patch:
>
> > - if ( !$db->sql_query($sql) )
> > + if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
>
> This does NOT prevent execution of the query, only effects output of the
> message:
>
> > {
> > message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> > }
>
> I think it should read as follows:
>
> if ( $user_id != ANONYMOUS ) {
> if ( !$db->sql_query($sql) {
> message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> }
> }
>
> I'm not great PHP programmer, though, so please correct me if I'm wrong.
Well... I don't think so. When a expression evulates to false before a
&& operator, the rest of things which are after && should be "short-
circuit" instead of being evaluated. This is default behavior in most
programming languages, and I believe that this is the behavior of PHP,
too.
Let me proof my assumption with the following code:
----------snip-------------
<?
$i = false;
function f()
{
echo "f() called";
return 1;
}
echo "before f()<br />";
f();
echo "<br />after f()";
echo "<br />";
if( ($i) && (f() > 0)) {
// do nothing
}
echo "end";
?>
----------snip-------------
And I get the following output:
----------snip-------------
before f()
f() called
after f()
end
----------snip-------------
As you can see, f() is called only once by explicitly calling it.
The second call, because $i == false, is short-circuited and not
evaluated.
I have runned the patch on one of servers I maintains for some
months and it has been proven that the anonymous session denial
of service problem has been addressed (at least worked around).
To complain phpBB.com developing team:
Not sure why phpBB.com did not respond to my submission after I
privately submit this to them nearly two months ago and this
BugTraq post. They respond me nothing - no admissions, no
rejections, I am re-thinking about whether to handle phpBB problems
I found... Submitting to security@...bb.com as they desired seems
to be inefficient. Maybe they don't consider the session resource
exhaustion as a problem, but they did not replyed me, I don't
think that's a good practise.
Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists