Date: Fri, 26 Mar 2004 20:43:40 +0000 (GMT)
From: =?iso-8859-1?q?Shaun=20Colley?= <shaunige@yahoo.co.uk>
To: bugtraq@securityfocus.com
Subject: phpBB2 2.0.8 privmsg.php SQL injection patch (critical).
Hey,
The below patch fixes the sql injection vulnerability
reported by Janek Vind "waraxe", in privmsg.php.
--
--- privmsg.php 2004-03-18 19:51:32.000000000 +0000
+++ privmsg.1.php 2004-03-26 19:51:07.000000000
+0000
@@ -212,7 +212,17 @@
break;
case 'savebox':
$l_box_name =
$lang['Savebox'];
- $pm_sql_user .= "AND ( (
pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+
+ //
+ // For some obscure reason,
the assignment
+ // concatenation operator was
coded below, which
+ // allowed an attacker to
append arbitrary SQL code
+ // to the end of the
$pm_sql_user variable.
+ // This is fixed below.
+ //
+ // -shaun2k2
+ //
+ $pm_sql_user = "AND ( (
pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND
pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
OR (
pm.privmsgs_from_userid = " . $userdata['user_id'] . "
AND
pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )
--
Also available from:
http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch
It should be noted that, as Janek stated, this serious
SQL injection vulnerability exists in ALL versions of
phpBB2 - even the latest.
The patch is written for the latest version of phpBB2,
2.0.8, and it prevents the issue successfully.
Thank you for your time.
Shaun.
___________________________________________________________
WIN FREE WORLDWIDE FLIGHTS - nominate a cafe in the Yahoo! Mail Internet Cafe Awards www.yahoo.co.uk/internetcafes
