Bugtraq mailing list archives

Re: sql injection in phpbb


From: Jayson Anderson <bugtraq () sonick com>
Date: 11 Nov 2003 08:26:47 -0600

I just grabbed 2.0.6 the other day and this fix is implemented. I'm
seeing the fix starting at (my) line 80 in file
'includes/functions.php'.

It is placed directly above the following unique instance of code you
should currently have: 

$sql = "SELECT *
        FROM " . USERS_TABLE . "
        WHERE ";
$sql .= ( ( is_integer($user) ) ? "user_id = $user" : "username = '" . $user . "'" ) . " AND user_id <> " . ANONYMOUS;

which should be somewhere around line 60-70 in your current
includes/functions.php file.  That is the only instance. 

hth
Jayson


On Mon, 2003-11-10 at 12:46, telli () codezwiz com wrote:
Date: Sat, 08 Nov 2003 20:39:49 +0100
From: Marius Kaase <marius () kaase net>
To: jocanor jocanor <jocanor2002 () hotmail com>
Cc: bugtraq () securityfocus com
Subject: Re: sql injection in phpbb

jocanor jocanor wrote:


I found a vulnerability in phpbb 2.0.5 and prior; it probably also affects 2.0.6.

This bug doesn't affect version 2.0.7.

phpbb has a list of registered users; when you click on a member of this list, you are requesting data from the database.

for example:

http://www.example.com/forum/profile.php?mode=viewprofile&u=2

This URL shows the information for the user with uid = 2; the uid is a number assigned to users in phpbb.

But it isn't secure, because with this URL you can inject SQL commands...

exploit:

http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]

where [sqlcode] represents the code that may be injected.


Does not affect 2.0.6.

This code prevents it:

function get_userdata($user, $force_str = false)
{
    global $db;

    // Non-numeric input (or a forced string lookup) is treated as a username:
    // normalise it, strip any escaping already present, cap the length and
    // escape single quotes before it is concatenated into the query.
    if (intval($user) == 0 || $force_str)
    {
        $user = trim(htmlspecialchars($user));
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        $user = str_replace("'", "\\'", $user);
    }
    // Numeric input is cast to an integer, so the later is_integer() check
    // selects the user_id branch of the query.
    else
    {
        $user = intval($user);
    }

    // (remainder of the function, the SELECT on USERS_TABLE, not shown in the post)
}

(Taken from: http://www.phpbb.com/phpBB/viewtopic.php?p=848495)

-- 

Kind Regards
Marius Kaase

"If the Phone Doesn't Ring, It's Me"

Ok, now where exactly would one include this information to tighten the security? After going through all profile pages (running 2.0.6) I found nothing like this. Are we sure it is included in 2.0.6? I think if the files that need to be fixed can be listed we can start to work on this fix.

Telli    
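To make the before/after concrete, here is an added example (not phpBB's own code, and not from anyone in the thread) that places the query construction Jayson quotes beside the sanitisation block Marius quotes and runs both over a few constructed inputs; the constants USERS_TABLE and ANONYMOUS are stand-ins, and the function names build_user_query and sanitize_user are assumptions.

```php
<?php
// Added example (not phpBB's own code): contrasts the pre-2.0.6 query
// construction quoted in the thread with the 2.0.6 sanitisation, using the
// same branch logic. USERS_TABLE and ANONYMOUS stand in for phpBB's constants.
define('USERS_TABLE', 'phpbb_users');
define('ANONYMOUS', -1);

// Query construction as quoted from includes/functions.php. A raw GET value
// is a string, so is_integer() is false even for "2": every request takes the
// username branch, and an unescaped quote terminates the literal early.
function build_user_query($user)
{
    $sql = "SELECT * FROM " . USERS_TABLE . " WHERE ";
    $sql .= ( is_integer($user) ? "user_id = $user" : "username = '" . $user . "'" )
          . " AND user_id <> " . ANONYMOUS;
    return $sql;
}

// The 2.0.6 block from the thread, as a separate step: numeric input is cast
// to int (so it reaches the user_id branch); anything else is treated as a
// username and quote-escaped before concatenation.
function sanitize_user($user, $force_str = false)
{
    if (intval($user) == 0 || $force_str)
    {
        $user = trim(htmlspecialchars($user));
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        $user = str_replace("'", "\\'", $user);
    }
    else
    {
        $user = intval($user);
    }
    return $user;
}

// Constructed sample inputs: a normal profile id, a username, and the
// quote-prefixed shape from the advisory, with [sqlcode] left as a placeholder.
$inputs = array("2", "admin", "'[sqlcode]");
foreach ($inputs as $u)
{
    echo "input:     $u\n";
    echo "unpatched: " . build_user_query($u) . "\n";
    echo "patched:   " . build_user_query(sanitize_user($u)) . "\n\n";
}
```

The backslash escaping mirrors the thread's code and relies on MySQL-style quoting; binding the value as a query parameter would remove the string-assembly step altogether.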


