lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040326205203.45256.qmail@web25103.mail.ukl.yahoo.com>
From: shaunige at yahoo.co.uk (Shaun Colley)
Subject: phpBB2 <= 2.0.8 privmsg.php SQL injection patch (critical).

Hey,

The below patch fixes the sql injection vulnerability
reported by Janek Vind "waraxe", in privmsg.php.

--
--- privmsg.php 2004-03-18 19:51:32.000000000 +0000
+++ privmsg.1.php       2004-03-26 19:51:07.000000000
+0000
@@ -212,7 +212,17 @@
                        break;
                case 'savebox':
                        $l_box_name =
$lang['Savebox'];
-                       $pm_sql_user .= "AND ( (
pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+
+                       //
+                       // For some obscure reason,
the assignment
+                       // concatenation operator was
coded below, which
+                       // allowed an attacker to
append arbitrary SQL code
+                       // to the end of the
$pm_sql_user variable.
+                       // This is fixed below.
+                       //
+                       // -shaun2k2
+                       //
+                       $pm_sql_user = "AND ( (
pm.privmsgs_to_userid = " . $userdata['user_id'] . "
                                        AND
pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
                                OR (
pm.privmsgs_from_userid = " . $userdata['user_id'] . "
                                        AND
pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )
--

The patch will likely turn out looking weird in mail
clients, so:
also available from:
http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch

It should be noted that, as Janek stated, this serious
SQL injection vulnerability exists in ALL versions of
phpBB2 - even the latest.

The patch is written for the latest version of phpBB2,
2.0.8, and it prevents the issue successfully.



Thank you for your time.
Shaun.


	
	
		
___________________________________________________________
WIN FREE WORLDWIDE FLIGHTS - nominate a cafe in the Yahoo! Mail Internet Cafe Awards  www.yahoo.co.uk/internetcafes 


Powered by blists - more mailing lists