In-Reply-To: <20040326172740.5558.qmail (at) www.securityfocus (dot) com [email concealed]>
Nice find,
Confirmed on phpBB 2.0.8 :) What I did as a quick fix was to declare $pm_sql_user empty before it is declared with the proper data. That way it (hopefully) will not pass any values recieved from outside of the script to the query. For example, wherever I see this.
$pm_sql_user .= "blah blah blah query info here"
I add this before it
$pm_sql_user = '';
I have not had much time to look into the code as a whole, but the fix seems to work fine. Maybe some of you have better ideas? ;) BTW, in a way I don't blame you for not informing phpBB (I am assuming you didn't) After the greif I was given for trying to help with the last vuln I reported to them I doubt I will give them advanced warning in the future. Who knows.
Best Regards,
JeiAr
GulfTech Security Research
>From: Janek Vind <come2waraxe (at) yahoo (dot) com [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8
Nice find,
Confirmed on phpBB 2.0.8 :) What I did as a quick fix was to declare $pm_sql_user empty before it is declared with the proper data. That way it (hopefully) will not pass any values recieved from outside of the script to the query. For example, wherever I see this.
$pm_sql_user .= "blah blah blah query info here"
I add this before it
$pm_sql_user = '';
I have not had much time to look into the code as a whole, but the fix seems to work fine. Maybe some of you have better ideas? ;) BTW, in a way I don't blame you for not informing phpBB (I am assuming you didn't) After the greif I was given for trying to help with the last vuln I reported to them I doubt I will give them advanced warning in the future. Who knows.
Best Regards,
JeiAr
GulfTech Security Research
>From: Janek Vind <come2waraxe (at) yahoo (dot) com [email concealed]>
>To: bugtraq (at) securityfocus (dot) com [email concealed]
>Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8
> and in older versions]
[ reply ]