BugTraq
phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 12:01AM
Ready Response (wang mod-x co uk) (2 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 20 2004 12:15PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 21 2004 01:10AM
Xin LI (delphij frontfree net) (1 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 28 2004 09:03AM
BlueRaven (blue ravenconsulting it) (1 replies)
On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:

Hi Xin, I think there's an error in your patch:

> - if ( !$db->sql_query($sql) )
> + if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )

This does NOT prevent execution of the query, only affects output of the
message:

> {
> message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> }
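
Review bot: on the changed `if` line, skipping the session query for ANONYMOUS depends entirely on `&&` short-circuiting, so the call to `$db->sql_query($sql)` is a side effect buried in the condition and the intent is easy to misread. PHP does not evaluate the right-hand `!$db->sql_query($sql)` when `$user_id != ANONYMOUS` is false, so the query is skipped for ANONYMOUS, but an explicit outer `if ( $user_id != ANONYMOUS )` around the query, with a comment on why it is skipped for that user, would make this visible to the next reader.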

I think it should read as follows:

if ( $user_id != ANONYMOUS ) {
    if ( !$db->sql_query($sql) ) {
        message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
    }
}

I'm not a great PHP programmer, though, so please correct me if I'm wrong.
Cheers! :-)

--
#include <best/regards.h>

BlueRaven

Did you know that if you play a Windows 2000 CD backwards, you will hear
the voice of Satan? That's nothing!
If you play it forward, it'll install Windows 2000.

Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 29 2004 02:16AM
Xin LI (delphij frontfree net)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 08:05PM
Shaun Colley (shaunige yahoo co uk)


 
