Bugtraq mailing list archives

Re: sql injection in phpbb


From: <telli () codezwiz com>
Date: 10 Nov 2003 18:46:02 -0000

In-Reply-To: <3FAD4685.2040907 () kaase net>

Message-ID: <3FAD4685.2040907 () kaase net>
Date: Sat, 08 Nov 2003 20:39:49 +0100
From: Marius Kaase <marius () kaase net>
Reply-To: marius () kaase net
To: jocanor jocanor <jocanor2002 () hotmail com>
Cc: bugtraq () securityfocus com
Subject: Re: sql injection in phpbb
References: <20031108183025.19866.qmail () sf-www2-symnsj securityfocus com>
In-Reply-To: <20031108183025.19866.qmail () sf-www2-symnsj securityfocus com>

jocanor jocanor wrote:


I found a vulnerability in phpbb 2.0.5 and prior; it probably also affects 2.0.6

this bug doesn't affect version 2.0.7

phpbb has a list of registered users; when you click on a member of this list, you are requesting data from the
database

for example:

http://www.example.com/forum/profile.php?mode=viewprofile&u=2

this url shows the information for the user with uid = 2; the uid is a number assigned to users in phpbb.

but it isn't secure, because if you use this url, you can inject sql commands...

exploit:

http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]

where [sql code] represents the code that may be injected.


Does not affect 2.0.6.

This code prevents it:

function get_userdata($user, $force_str = false)
{
    global $db;

    // Non-numeric input (intval() gives 0) or a forced string lookup: treat $user as a username.
    if (intval($user) == 0 || $force_str)
    {
        $user = trim(htmlspecialchars($user));
        // Undo any backslash-escaped single quotes, then cap the name at 25 characters.
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        // Re-escape single quotes before the value is placed in the query.
        $user = str_replace("'", "\\'", $user);
    }
    else
    {
        // Numeric input: cast to an integer so nothing but digits reaches the query.
        $user = intval($user);
    }

    // ... the remainder of the function (the lookup through $db) is not part of the quoted snippet
}

(Taken from: http://www.phpbb.com/phpBB/viewtopic.php?p=848495)

-- 

Kind Regards
Marius Kaase

"If the Phone Doesn't Ring, It's Me"

Ok, now where exactly would one include this information to tighten the security? After going through all profile pages
(running 2.0.6) I found nothing like this. Are we sure it is included in 2.0.6? I think if the files that need to be
fixed can be listed, we can start to work on this fix.

Telli
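As an added example (not phpBB's code and not from any poster in this thread), the following PHP sketches how the two-branch check quoted above separates an integer user id from a username before the value reaches a WHERE clause; normalise_user_key, where_clause_for and quotes_are_escaped are hypothetical names, and the inputs at the bottom are constructed.

```php
<?php
// Normalise a profile lookup key the way the quoted phpBB 2.0.6 fix does:
// numeric ids become integers, anything else is treated as a username.
function normalise_user_key($user, $force_str = false)
{
    if (intval($user) == 0 || $force_str) {
        $user = trim(htmlspecialchars($user));
        // Undo backslash-escaped quotes (magic_quotes era), cap at 25 chars.
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        // Escape single quotes so the value can sit inside '...' in SQL.
        // Note: on PHP >= 8.1 htmlspecialchars() already turns ' into &#039;.
        $user = str_replace("'", "\\'", $user);
        return array('by' => 'username', 'value' => $user);
    }
    // Integer branch: intval() leaves no room for quotes or operators,
    // which is what closes the profile.php?u=... hole discussed above.
    return array('by' => 'user_id', 'value' => intval($user));
}

// Build the WHERE clause from the normalised key (hypothetical helper).
function where_clause_for($user)
{
    $key = normalise_user_key($user);
    if ($key['by'] === 'user_id') {
        return "user_id = " . $key['value'];
    }
    return "username = '" . $key['value'] . "'";
}

// Reviewer check for the string branch: every single quote that survives
// must be preceded by a backslash.
function quotes_are_escaped($value)
{
    return preg_match("/(?<!\\\\)'/", $value) === 0;
}

// Constructed inputs for a local sanity run; "2abc" shows that intval()
// keeps only the leading digits, "O'Brien" exercises the escaping.
foreach (array('2', '2abc', "'1 OR 1=1", "O'Brien") as $u) {
    $key = normalise_user_key($u);
    printf("%-12s -> %s (quotes escaped: %s)\n", $u, where_clause_for($u),
           quotes_are_escaped($key['value']) ? 'yes' : 'no');
}
```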

