phpBB privmsg.php XSS vulnerability patch.

[Shaun Colley <shaunige () yahoo co uk>]

For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at <http://www.securityfocus.com/bid/9290>
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to patch the
vulnerabilities:


---CUT---
--- privmsg.php 2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php       2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
 if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
 {
        $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);
 
        if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
        {
@@ -102,6 +103,7 @@
 if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
 {
        $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+       $mode = htmlspecialchars($mode);
 }
 else
 {
---CUT---

Apply the patch:

patch privmsg.php phpbb2-xss.patch



And:


---CUT---
--- groupcp.php 2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php       2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@
 
 define('IN_PHPBB', true);
 $phpbb_root_path = './';
+$memberval = intval($members[$i]);
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
 mem
@@ -137,6 +138,7 @@
 if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
 {
        $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+       $mode = htmlspecialchars($mode);
 }
 else
 {
@@ -590,7 +592,7 @@
                                        $sql_in = '';
                                        for($i = 0; $i < count($members); $i++)
                                        {
-                                               $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+                                               $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
                                        }
 
                                        if ( isset($HTTP_POST_VARS['approve']) )
---CUT---


Apply the patch:

patch groupcp.php phpbb2-groupcp.patch



Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.



Thank you for your time.
Shaun.

________________________________________________________________________
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80 http://btyahoo.yahoo.co.uk