Bugtraq mailing list archives
Re: sql injection in phpbb
From: <telli () codezwiz com>
Date: 10 Nov 2003 18:46:02 -0000
In-Reply-To: <3FAD4685.2040907 () kaase net>
Marius Kaase <marius () kaase net> wrote (Sat, 08 Nov 2003 20:39:49 +0100):

> jocanor jocanor wrote:
>
>> I found a vulnerability in phpbb 2.0.5 and prior; it probably also
>> affects 2.0.6. This bug doesn't affect version 2.0.7.
>>
>> phpbb has a list of registered users; when you click on a member of
>> this list, you are requesting data from the database, for example:
>>
>> http://www.example.com/forum/profile.php?mode=viewprofile&u=2
>>
>> This URL shows the information for the user with uid = 2; the uid is
>> a number assigned to users in phpbb. But it isn't secure, because if
>> you use this URL, you can inject SQL commands...
>>
>> exploit:
>>
>> http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
>>
>> where [sql code] represents the code that may be injected.
>
> Does not affect 2.0.6. This code prevents it:
>
> function get_userdata($user, $force_str = false)
> {
>     global $db;
>
>     if (intval($user) == 0 || $force_str)
>     {
>         $user = trim(htmlspecialchars($user));
>         $user = substr(str_replace("\\'", "'", $user), 0, 25);
>         $user = str_replace("'", "\\'", $user);
>     }
>     else
>     {
>         $user = intval($user);
>     }
>
> (Taken from: http://www.phpbb.com/phpBB/viewtopic.php?p=848495)
>
> --
> Kind Regards
> Marius Kaase
> "If the Phone Doesn't Ring, It's Me"
Ok, now where exactly would one include this information to tighten the security? After going through all profile pages (running 2.0.6) I found nothing like this. Are we sure it is included in 2.0.6? I think if the files that need to be fixed can be listed we can start to work on this fix.

Telli
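
Added example (not part of the original thread and not phpBB's own code): the normalisation step from the quoted get_userdata() excerpt, isolated in a hypothetical normalize_user_key() function and run over constructed values for the u parameter, to show which branch each value takes and what type comes out. ENT_COMPAT is passed explicitly as an assumption, so that htmlspecialchars() behaves as its default did in PHP versions of that period.

```php
<?php
// Added example: the input-normalisation step from the quoted
// get_userdata() excerpt, isolated so its effect can be inspected.
// normalize_user_key() is a hypothetical name, not a phpBB function.
function normalize_user_key($user, $force_str = false)
{
    if (intval($user) == 0 || $force_str) {
        // Non-numeric input (or a forced username lookup) is treated as a
        // string: HTML-encoded, capped at 25 characters, quotes escaped.
        // ENT_COMPAT (assumption) keeps single quotes unencoded, as the
        // pre-8.1 default did; PHP 8.1+ defaults to ENT_QUOTES.
        $user = trim(htmlspecialchars($user, ENT_COMPAT));
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        $user = str_replace("'", "\\'", $user);
    } else {
        // Any value with a non-zero numeric prefix collapses to that
        // integer, so trailing text never leaves this function.
        $user = intval($user);
    }
    return $user;
}

// Constructed sample values for the "u" request parameter.
$samples = array("2", "2abc", "'[sqlcode]", "O'Brien", "0");

foreach ($samples as $raw) {
    $key = normalize_user_key($raw);
    // Show the raw value, the resulting PHP type and the resulting value.
    printf("%-12s -> %-8s %s\n", $raw, gettype($key), var_export($key, true));
}

// The same value with a username lookup forced, as the $force_str
// argument in the excerpt allows.
printf("%-12s -> %s\n", "2 (forced)", var_export(normalize_user_key("2", true), true));
```

Checking whether an installed copy's get_userdata() contains the intval() branch shown in the excerpt is a quick way to tell whether that copy has this normalisation.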