Bugtraq mailing list archives
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
From: BlueRaven <blue () ravenconsulting it>
Date: Wed, 28 Apr 2004 11:03:26 +0200
On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:

Hi Xin,

I think there's an error in your patch:
- if ( !$db->sql_query($sql) ) + if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
This does NOT prevent execution of the query, only affects output of the message:
{ message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); }
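Review bot: on the `+` line, whether the session query runs for `ANONYMOUS` rests entirely on `&&` evaluating left to right and stopping at a false left operand, so `$db->sql_query($sql)` is reached only when `$user_id != ANONYMOUS`; that intent is easy to misread when it is packed into a single condition. Suggest an explicit outer `if ( $user_id != ANONYMOUS )` around the query, or a comment stating that the query is deliberately skipped for anonymous users. The visible lines also do not show what the rest of session creation does once the query has been skipped, which should be checked before this is applied.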
I think it should read as follows:

    if ( $user_id != ANONYMOUS )
    {
        if ( !$db->sql_query($sql) )
        {
            message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
        }
    }

I'm not a great PHP programmer, though, so please correct me if I'm wrong.

Cheers! :-)

--
#include <best/regards.h>
BlueRaven

Did you know that if you play a Windows 2000 CD backwards, you will hear the voice of Satan?
That's nothing! If you play it forward, it'll install Windows 2000.