Re: sql injection in phpbb
From: Jayson Anderson (bugtraq_at_sonick.com)
To: email@example.com
Date: 11 Nov 2003 08:26:47 -0600
I just grabbed 2.0.6 the other day and this fix is implemented. I'm
seeing the fix starting at (my) line 80 in file
It is placed directly above the following unique instance of code you
should currently have:
"$sql = "SELECT *
    FROM " . USERS_TABLE . "
    WHERE ";
$sql .= ( ( is_integer($user) ) ? "user_id = $user" : "username = '" . $user . "'" ) . " AND user_id <> " . ANONYMOUS;"
which should be somewhere around line 60-70 in your current
includes/functions.php file. That is the only instance.
On Mon, 2003-11-10 at 12:46, firstname.lastname@example.org wrote:
> >Date: Sat, 08 Nov 2003 20:39:49 +0100
> >From: Marius Kaase <firstname.lastname@example.org>
> >To: jocanor jocanor <firstname.lastname@example.org>
> >Cc: email@example.com
> >Subject: Re: sql injection in phpbb
> >jocanor jocanor wrote:
> >> I found a vulnerability in phpbb 2.0.5 and prior; it probably also affects 2.0.6.
> >> This bug doesn't affect version 2.0.7.
> >> phpbb has a list of registered users; when you click on a member of this list, you are requesting data from the database,
> >> for example:
> >> http://www.example.com/forum/profile.php?mode=viewprofile&u=2
> >> This URL shows the information for the user with uid = 2; the uid is a number assigned to users in phpbb.
> >> But it isn't secure, because with this URL you can inject SQL commands...
> >> exploit:
> >> http://www.example.com/profile.php?mode=viewprofile&u='[sqlcode]
> >> where [sqlcode] represents the code that may be injected.
> >Does not affect 2.0.6.
> >This code prevents it:
> >function get_userdata($user, $force_str = false)
> >{
> >    global $db;
> >
> >    if (intval($user) == 0 || $force_str)
> >    {
> >        $user = trim(htmlspecialchars($user));
> >        $user = substr(str_replace("\\'", "'", $user), 0, 25);
> >        $user = str_replace("'", "\\'", $user);
> >    }
> >    else
> >    {
> >        $user = intval($user);
> >    }
> >(Taken from: http://www.phpbb.com/phpBB/viewtopic.php?p=848495)
> >Kind Regards
> >Marius Kaase
> >"If the Phone Doesn't Ring, It's Me"
> Ok, now where exactly would one include this information to tighten the security? After going through all profile pages (running 2.0.6) I found nothing like this. Are we sure it is included in 2.0.6? I think if the files that need to be fixed can be listed, we can start to work on this fix.
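To make the effect of the 2.0.6 get_userdata() sanitisation visible, here is an added stand-alone example (not phpBB's own code) that applies the same steps to a few constructed values of the profile.php "u" parameter and prints the WHERE clause that would reach the database. USERS_TABLE and ANONYMOUS are assumed here with phpBB's usual values.

```php
<?php
// Added example, not phpBB code. The constants are assumed to carry
// phpBB's usual values so the snippet runs without the forum installed.
define('USERS_TABLE', 'phpbb_users');
define('ANONYMOUS', -1);

// Same logic as the 2.0.6 fix: a numeric value becomes an integer; anything
// else is trimmed, HTML-escaped, cut to 25 characters and quote-escaped.
// On PHP >= 8.1 htmlspecialchars() already turns ' into &#039;; on older
// PHP the final str_replace() escapes it. Either way the literal stays closed.
function sanitize_user($user, $force_str = false)
{
    if (intval($user) == 0 || $force_str) {
        $user = trim(htmlspecialchars($user));
        $user = substr(str_replace("\\'", "'", $user), 0, 25);
        $user = str_replace("'", "\\'", $user);
    } else {
        $user = intval($user);
    }
    return $user;
}

// Builds the query the way get_userdata() does, after sanitising the input,
// so the reader can see exactly which text ends up inside the SQL string.
function build_user_query($user)
{
    $user = sanitize_user($user);
    $sql  = "SELECT * FROM " . USERS_TABLE . " WHERE ";
    $sql .= (is_integer($user) ? "user_id = $user" : "username = '" . $user . "'")
          . " AND user_id <> " . ANONYMOUS;
    return $sql;
}

// Constructed inputs: a normal user id, a plain username, and a value
// carrying a single quote of the kind the advisory describes.
foreach (array("2", "alice", "' OR 1=1 -- ") as $u) {
    echo build_user_query($u), "\n";
}
// A parameterised query (PDO or mysqli prepared statements) makes this
// manual escaping unnecessary and is the approach to prefer in new code.
```

The first input yields `user_id = 2`, the second `username = 'alice'`, and the third lands inside the string literal as escaped text rather than closing it.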