|
|
BugTraq
phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 12:01AM Ready Response (wang mod-x co uk) (2 replies) Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 20 2004 12:15PM 3APA3A (3APA3A SECURITY NNOV RU) (1 replies) Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 21 2004 01:10AM Xin LI (delphij frontfree net) (1 replies) Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 28 2004 09:03AM BlueRaven (blue ravenconsulting it) (1 replies) Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 08:05PM Shaun Colley (shaunige yahoo co uk) |
|
Privacy Statement |
> On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:
>
> Hi Xin, I think there's an error in your patch:
>
> > - if ( !$db->sql_query($sql) )
> > + if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
>
> This does NOT prevent execution of the query, only effects output of the
> message:
>
> > {
> > message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> > }
>
> I think it should read as follows:
>
> if ( $user_id != ANONYMOUS ) {
> if ( !$db->sql_query($sql) {
> message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> }
> }
>
> I'm not great PHP programmer, though, so please correct me if I'm wrong.
Well... I don't think so. When a expression evulates to false before a
&& operator, the rest of things which are after && should be "short-
circuit" instead of being evaluated. This is default behavior in most
programming languages, and I believe that this is the behavior of PHP,
too.
Let me proof my assumption with the following code:
----------snip-------------
<?
$i = false;
function f()
{
echo "f() called";
return 1;
}
echo "before f()<br />";
f();
echo "<br />after f()";
echo "<br />";
if( ($i) && (f() > 0)) {
// do nothing
}
echo "end";
?>
----------snip-------------
And I get the following output:
----------snip-------------
before f()
f() called
after f()
end
----------snip-------------
As you can see, f() is called only once by explicitly calling it.
The second call, because $i == false, is short-circuited and not
evaluated.
I have runned the patch on one of servers I maintains for some
months and it has been proven that the anonymous session denial
of service problem has been addressed (at least worked around).
To complain phpBB.com developing team:
Not sure why phpBB.com did not respond to my submission after I
privately submit this to them nearly two months ago and this
BugTraq post. They respond me nothing - no admissions, no
rejections, I am re-thinking about whether to handle phpBB problems
I found... Submitting to security (at) phpbb (dot) com [email concealed] as they desired seems
to be inefficient. Maybe they don't consider the session resource
exhaustion as a problem, but they did not replyed me, I don't
think that's a good practise.
Cheers,
--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
[ reply ]