
PHPBB Privmsg.PHP SQL Injection Vulnerability

Solution:
The following untested and unverified solution to this issue has been provided by JeiAr <security@gulftech.org>.

Replace this:
$pm_sql_user .= "<random_query_data>";

With this:
$pm_sql_user = '';
$pm_sql_user .= "<random_query_data>";

The following patch has been provided by Shaun Colley <shaunige@yahoo.co.uk>. It should be noted that this patch has not been verified by Symantec:

http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch

The vendor has posted a fix to resolve this issue and suggests the following change:

FIND - Line 215:
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

REPLACE WITH:
$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

It has also been reported that all available versions of the software have been updated with this fix; previously vulnerable versions are no longer vulnerable when obtained from the vendor web site.
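
The following is an added example, not phpBB code and not part of the original advisory. It shows why both fixes above work, assuming (the advisory does not say so) that $pm_sql_user can be pre-set from the request, as happens under PHP's register_globals. The function names, the REQUEST_SUPPLIED_TEXT marker and the shortened closing of the SQL clause are constructed for illustration.

```php
<?php
// Added illustration, not phpBB source. Function names, the sample request
// and the shortened end of the SQL clause are constructed for this example.

// register_globals was removed in PHP 5.4; extract() stands in for it here
// by turning request parameters into local variables.
function filter_before_fix(array $request, int $user_id): string
{
    extract($request);
    // First use is an append: a request-supplied $pm_sql_user is kept
    // and ends up in front of the intended SQL fragment.
    $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $user_id . " ) )";
    return $pm_sql_user;
}

// Vendor fix: plain assignment discards anything set before this line.
function filter_vendor_fix(array $request, int $user_id): string
{
    extract($request);
    $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $user_id . " ) )";
    return $pm_sql_user;
}

// JeiAr's variant: initialise to an empty string, then append as before.
function filter_init_fix(array $request, int $user_id): string
{
    extract($request);
    $pm_sql_user = '';
    $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $user_id . " ) )";
    return $pm_sql_user;
}

// Constructed request: a harmless marker instead of SQL.
$request = ['pm_sql_user' => 'REQUEST_SUPPLIED_TEXT '];

foreach (['filter_before_fix', 'filter_vendor_fix', 'filter_init_fix'] as $fn) {
    $sql = $fn($request, 2);
    $tainted = strpos($sql, 'REQUEST_SUPPLIED_TEXT') !== false;
    printf("%-18s tainted=%s  %s\n", $fn, $tainted ? 'yes' : 'no', $sql);
}
```

Only the pre-fix form lets the marker reach the returned fragment; the two fixed forms return the same string whatever the request contains.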

Copyright 2009, SecurityFocus