Bugtraq mailing list archives

Possible phpBB <=2.0.11 bug or sql injection?

From: <jtm297 () optonline net>
Date: 17 Feb 2005 09:54:57 -0000



Since phpbb's website says not to post it on their forum, I guess I'll post my findings here.

http://www.phpbb.com/phpBB/search.php?search_author=\*\'fnfnfffffa,'\*\*\cdf


or

http://www.phpbb.com/phpBB/search.php?search_author=\*\*\*\*\*\*\*\*\*\

It seems it has something to do with the the \'s *'s and length. I am not sure if this is a big bug but I decided to 
try that after looking at search.php
************************************************

        $search_author = str_replace('*', '%', trim($search_author));
                                
                                $sql = "SELECT user_id
                                        FROM " . USERS_TABLE . "
                                        WHERE username LIKE '" . str_replace("\'", "''", $search_author) . "'";
                                if ( !($result = $db->sql_query($sql)) )
                                {
                                        message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching 
for: $search_author)", "", __LINE__, __FILE__, $sql);
                                }
*********************************************

Not sure if this is anything, but it seems to be running in the sql and erroring.

Thanks for your time,
jtm

Current thread:

Possible phpBB <=2.0.11 bug or sql injection? jtm297 (Feb 17)
- RE: Possible phpBB <=2.0.11 bug or sql injection? Miguel Angel Rodríguez Jódar (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? kaosone+[ONE]+ (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? Giacomo Rizzo (Feb 19)
- <Possible follow-ups>
- Re: Possible phpBB <=2.0.11 bug or sql injection? Exoduks (Feb 19)