Re: Fw: sql injection in phpbb

[Micheal Cottingham <micheal () michealcottingham com>]

What's more, as is in the linked topic, is that there is no 2.0.7

> ----- Original Message ----- 
> From: "Marius Kaase" <marius () kaase net>
> To: "jocanor jocanor" <jocanor2002 () hotmail com>
> Cc: <bugtraq () securityfocus com>
> Sent: Saturday, November 08, 2003 2:39 PM
> Subject: Re: sql injection in phpbb
>
>
> jocanor jocanor wrote:
>
>  
>
> > I found a vulnerability en phpbb 2.0.5 and prior, is probably also affect
> >    
> 2.0.6
>  
>
> > this bug don't affect to version 2.0.7
> >
> > phpbb have a list of registereds users, when you click on a memebr of this
> >    
> list, you are requesting data to the database
>  
>
> > for example:
> >
> > http://www.example.com/forum/profile.php?mode=viewprofile&u=2
> >
> > this url show the information to the user with the uid = 2, the uid is a
> >    
> number assigned to users in phpbb.
>  
>
> > but it isn't secure, because if you use this url, you can inject sql
> >    
> comands...
>  
>
> > exploit:
> >
> > http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
> >
> > where [sql code] represents the code may be injected.
> >
> >    
>
> Does not affect 2.0.6.
>
> This code prevents it:
>
> function get_userdata($user, $force_str = false)
> {
> global $db;
>
> if (intval($user) == 0 || $force_str)
> {
> $user = trim(htmlspecialchars($user));
> $user = substr(str_replace("\\'", "'", $user), 0, 25);
> $user = str_replace("'", "\\'", $user);
> }
> else
> {
> $user = intval($user);
> }
>
> (Taken from: http://www.phpbb.com/phpBB/viewtopic.php?p=848495)
>
>