Open Source and information security mailing list archives
 
Message-ID: <cc9f955d05021904291f5b4fb4@mail.gmail.com>
Date: Sat, 19 Feb 2005 13:29:41 +0100
From: "kaosone+[ONE]+" <kaosone@...il.com>
To: bugtraq@...urityfocus.com
Subject: Re: Possible phpBB <=2.0.11 bug or sql injection?


On 17 Feb 2005 09:54:57 -0000, jtm297@...online.net
<jtm297@...online.net> wrote:
> 
> It seems it has something to do with the \'s, *'s and length. I am not sure if this is a big bug but I decided to try that after looking at search.php

look at 

function phpbb_clean_username($username)
{
	$username = htmlspecialchars(rtrim(trim($username), "\\"));
	$username = substr(str_replace("\\'", "'", $username), 0, 25);
	$username = str_replace("'", "\\'", $username);

	return $username;
}

the problem is in the substr;
take for example phpbb_clean_username("aaaaaaaaaaaaaaaaaaaaaaaa\a")

$username = htmlspecialchars(rtrim(trim($username), "\\"));
// username unchanged: aaaaaaaaaaaaaaaaaaaaaaaa\a
$username = substr(str_replace("\\'", "'", $username), 0, 25);
// username becomes: aaaaaaaaaaaaaaaaaaaaaaaa\

and the query becomes

SELECT user_id FROM phpbb_users WHERE username LIKE 'aaaaaaaaaaaaaaaaaaaaaaaa\' 
(notice the last ' escaped)

a quick fix is to add $username = rtrim($username, "\\") before the
function returns
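The truncation bug described in the reply above, reproduced as an added Python port of phpbb_clean_username (this is example code written for this page, not phpBB's own code). It approximates PHP's trim() with Python's strip() and implements htmlspecialchars() with PHP's default ENT_COMPAT set (&, ", <, > escaped; ' untouched), which is all the example inputs need. The "fixed" variant applies the rtrim suggested in the reply, and a small scanner checks whether the resulting value can be dropped between single quotes as one well-formed MySQL literal under backslash escaping; the input strings are constructed for the demonstration.

```python
MAX_USERNAME_LEN = 25  # the substr(..., 0, 25) limit in phpbb_clean_username


def php_htmlspecialchars(s: str) -> str:
    """PHP htmlspecialchars() with its default ENT_COMPAT flags."""
    return (s.replace("&", "&amp;")
             .replace('"', "&quot;")
             .replace("<", "&lt;")
             .replace(">", "&gt;"))


def clean_username_vulnerable(username: str) -> str:
    """Port of phpbb_clean_username() from phpBB <= 2.0.11 (approximation)."""
    # rtrim(trim($username), "\\") followed by htmlspecialchars()
    username = php_htmlspecialchars(username.strip().rstrip("\\"))
    # str_replace("\\'", "'", ...) then substr(..., 0, 25):
    # the cut can land right after a backslash, leaving it unpaired
    username = username.replace("\\'", "'")[:MAX_USERNAME_LEN]
    # str_replace("'", "\\'", ...): re-escape quotes for the query
    username = username.replace("'", "\\'")
    return username


def clean_username_fixed(username: str) -> str:
    """Same routine plus the quick fix from the reply: rtrim the trailing
    backslash after the length cut, just before returning."""
    return clean_username_vulnerable(username).rstrip("\\")


def build_query(username: str) -> str:
    """The lookup query shape from the reply, with the cleaned value inlined."""
    return f"SELECT user_id FROM phpbb_users WHERE username LIKE '{username}'"


def mysql_literal_terminates_cleanly(value: str) -> bool:
    """True if "'" + value + "'" forms exactly one MySQL string literal
    under backslash escaping: no unescaped quote inside the value and no
    dangling trailing backslash that would escape the closing quote."""
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            if i + 1 == len(value):
                return False  # trailing backslash swallows the closing quote
            i += 2            # backslash escapes the next character
            continue
        if c == "'":
            return False      # unescaped quote closes the literal early
        i += 1
    return True


if __name__ == "__main__":
    # Constructed input from the reply: 24 'a's, a backslash, then one more 'a'
    probe = "a" * 24 + "\\a"
    for name, clean in (("vulnerable", clean_username_vulnerable),
                        ("fixed", clean_username_fixed)):
        value = clean(probe)
        print(f"{name:10s} -> {build_query(value)}")
        print(f"{'':10s}    closing quote intact: "
              f"{mysql_literal_terminates_cleanly(value)}")
```

Running the block shows the vulnerable variant emitting the query from the reply with its closing quote escaped by the stray backslash, while the rtrim'd variant yields a 24-character value that quotes cleanly.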

