Bugtraq mailing list archives

Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]


From: JeiAr <security () gulftech org>
Date: 26 Mar 2004 19:30:14 -0000

In-Reply-To: <20040326172740.5558.qmail () www securityfocus com>

Nice find,

Confirmed on phpBB 2.0.8 :) What I did as a quick fix was to declare $pm_sql_user empty before it is declared with the 
proper data. That way it (hopefully) will not pass any values received from outside of the script to the query. For 
example, wherever I see this.

$pm_sql_user .= "blah blah blah query info here";

I add this before it

$pm_sql_user = '';

I have not had much time to look into the code as a whole, but the fix seems to work fine. Maybe some of you have 
better ideas? ;) BTW, in a way I don't blame you for not informing phpBB (I am assuming you didn't). After the grief I 
was given for trying to help with the last vuln I reported to them I doubt I will give them advanced warning in the 
future. Who knows.

Best Regards,

JeiAr
GulfTech Security Research

From: Janek Vind <come2waraxe () yahoo com>
To: bugtraq () securityfocus com
Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]
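The one-line fix JeiAr describes only makes sense if `$pm_sql_user` can already hold request-supplied text when the script first appends to it. The following is an added example, not phpBB's code and not from the advisory: it emulates that seeding with `extract()` standing in for PHP's register_globals (the reply does not name the mechanism, so that is an assumption here), and puts the unfixed pattern beside the fixed one so the difference in the resulting SQL fragment is visible. The request array, the `u.user_id` column and the function names are constructed for the example.

```php
<?php
// Added example (not phpBB's code). Shows why declaring the variable empty
// before the first ".=" keeps outside input out of the query fragment.
// extract() below emulates register_globals, which copies request parameters
// into script variables; that mapping is this example's assumption.

// Constructed request: a parameter whose name collides with the script's
// variable. A neutral marker is used instead of any SQL syntax.
$constructedRequest = ['pm_sql_user' => 'INJECTED_FROM_REQUEST '];

// Unfixed pattern: the variable is only ever appended to, so whatever it
// held when the script started becomes the head of the SQL fragment.
function buildFragmentUnfixed(array $request, int $userId): string
{
    extract($request);                          // emulates register_globals seeding
    $pm_sql_user .= "AND u.user_id = " . $userId;   // constructed column name
    return $pm_sql_user;
}

// Fixed pattern from the reply: start from a known-empty value, so only text
// the script itself writes reaches the query.
function buildFragmentFixed(array $request, int $userId): string
{
    extract($request);                          // same seeding as above
    $pm_sql_user = '';                          // the fix: reset before first use
    $pm_sql_user .= "AND u.user_id = " . $userId;
    return $pm_sql_user;
}

// Check a reviewer can apply: the fragment must equal exactly what the
// script wrote, with nothing prepended.
function fragmentIsClean(string $fragment, int $userId): bool
{
    return $fragment === "AND u.user_id = " . $userId;
}

$unfixed = buildFragmentUnfixed($constructedRequest, 42);
$fixed   = buildFragmentFixed($constructedRequest, 42);

echo "unfixed fragment: {$unfixed}\n";
echo "fixed fragment:   {$fixed}\n";
echo "unfixed clean? " . (fragmentIsClean($unfixed, 42) ? 'yes' : 'no') . "\n";
echo "fixed clean?   " . (fragmentIsClean($fixed, 42) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The reset removes the seeding path but is a stopgap: the durable defences are to run with register_globals off, to cast identifiers such as the user id to `int` before they reach SQL, and to build queries with bound parameters rather than string concatenation.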