Message-ID: <20040326205203.45256.qmail@web25103.mail.ukl.yahoo.com> From: shaunige at yahoo.co.uk (Shaun Colley) Subject: phpBB2 <= 2.0.8 privmsg.php SQL injection patch (critical). Hey, The below patch fixes the sql injection vulnerability reported by Janek Vind "waraxe", in privmsg.php. -- --- privmsg.php 2004-03-18 19:51:32.000000000 +0000 +++ privmsg.1.php 2004-03-26 19:51:07.000000000 +0000 @@ -212,7 +212,17 @@ break; case 'savebox': $l_box_name = $lang['Savebox']; - $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " + + // + // For some obscure reason, the assignment + // concatenation operator was coded below, which + // allowed an attacker to append arbitrary SQL code + // to the end of the $pm_sql_user variable. + // This is fixed below. + // + // -shaun2k2 + // + $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) -- The patch will likely turn out looking weird in mail clients, so: also available from: http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch It should be noted that, as Janek stated, this serious SQL injection vulnerability exists in ALL versions of phpBB2 - even the latest. The patch is written for the latest version of phpBB2, 2.0.8, and it prevents the issue successfully. Thank you for your time. Shaun. ___________________________________________________________ WIN FREE WORLDWIDE FLIGHTS - nominate a cafe in the Yahoo! Mail Internet Cafe Awards www.yahoo.co.uk/internetcafes
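Review bot: In the 'savebox' case, changing `.=` to `=` fixes only this one branch, and the added comment describes the cause backwards. With `.=` the code appends its own string to whatever `$pm_sql_user` already holds, so the problem is that the variable has no trusted starting value when this case is reached, not that something gets appended after it. A sturdier change is to initialise the variable once before the switch (for example `$pm_sql_user = '';`) and leave the operator alone. That would also cover any other case that builds on `$pm_sql_user`; the hunk shows only the tail of the preceding case, so those branches should be checked before this is called complete. On style, the ten-line signed comment block explains the history of the bug rather than the code, and belongs in the commit message or changelog; a one-line note at the assignment is enough.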