phpBB privmsg.php XSS vulnerability patch.

From: Shaun Colley (shaunige_at_yahoo.co.uk)
Date: 01/28/04

    Date: Wed, 28 Jan 2004 15:39:44 +0000 (GMT)
    To: bugtraq@securityfocus.com
    
    

    For those who have not yet installed the phpBB
    packages fixing the XSS vulnerability in privmsg.php
    documented at <http://www.securityfocus.com/bid/9290>
    and the groupcp.php vulnerability, or for those who do
    not want to download the new packages, the following
    patches can be quickly and easily applied to patch the
    vulnerabilities:

    ---CUT---
    --- privmsg.php 2003-07-20 11:42:23.000000000 -0400
    +++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
    @@ -58,6 +58,7 @@
     if ( isset($HTTP_POST_VARS['folder']) ||
    isset($HTTP_GET_VARS['folder']) )
     {
             $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
    $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
    +$folder = htmlspecialchars($folder);
     
             if ( $folder != 'inbox' && $folder != 'outbox' &&
    $folder != 'sentbox' && $folder != 'savebox' )
             {
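    Review bot: the added `$folder = htmlspecialchars($folder);` runs before the comparison against the four fixed folder names on the next lines, so the escaped value only reaches output through whatever the non-matching branch does with it; if that branch reflects `$folder` inside a single-quoted HTML attribute, `htmlspecialchars()` with its default flags leaves `'` untouched and `htmlspecialchars($folder, ENT_QUOTES)` is needed. The `+` line is also unindented while the surrounding block is tab-indented, and the long context lines (`if ( isset($HTTP_POST_VARS['folder']) ||` / `isset($HTTP_GET_VARS['folder']) )`) have been wrapped in transit, so `patch` will not apply this hunk as pasted without rejoining them.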
    @@ -102,6 +103,7 @@
     if ( !empty($HTTP_POST_VARS['mode']) ||
    !empty($HTTP_GET_VARS['mode']) )
     {
             $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
    $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    + $mode = htmlspecialchars($mode);
     }
     else
     {
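    Review bot: `$mode` is escaped at input time but never validated; if `$mode` is only ever compared against fixed strings later in the script, a whitelist check like the one the `$folder` block above performs is the stronger fix, and escaping at the point of HTML output rather than at input avoids double-encoding where the value is used in comparisons or queries instead of HTML. The leading space in `+ $mode = htmlspecialchars($mode);` also gives the new line indentation that differs from the tab-indented assignment above it.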
    ---CUT---

    Apply the patch:

    patch privmsg.php phpbb2-xss.patch

    And:

    ---CUT---
    --- groupcp.php 2004-01-27 15:14:46.000000000 -0500
    +++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
    @@ -22,6 +22,7 @@
     
     define('IN_PHPBB', true);
     $phpbb_root_path = './';
    +$memberval = intval($members[$i]);
     include($phpbb_root_path . 'extension.inc');
     include($phpbb_root_path . 'common.'.$phpEx);
     mem
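    Review bot: `$memberval = intval($members[$i]);` is inserted directly after `$phpbb_root_path = './';`, before the includes and before either `$members` or `$i` has been assigned, so it evaluates to `intval(null)`, which is 0 (plus an undefined-variable notice), and any later code that substitutes `$memberval` for `$members[$i]` will see that constant instead of the submitted value. Drop this line and apply the cast where the members are iterated, e.g. `intval($members[$i])` inside the loop body. The trailing `mem` context line also shows the hunk was truncated in transit and will not apply as pasted.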
    @@ -137,6 +138,7 @@
     if ( isset($HTTP_POST_VARS['mode']) ||
    isset($HTTP_GET_VARS['mode']) )
     {
             $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
    $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
    + $mode = htmlspecialchars($mode);
     }
     else
     {
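    Review bot: as with the identical `$mode` assignment in privmsg.php, this escapes at input rather than validating; a whitelist of the mode values the script actually accepts would be the stronger fix, and `ENT_QUOTES` is needed if the value is ever reflected inside a single-quoted attribute.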
    @@ -590,7 +592,7 @@
                                             $sql_in = '';
                                             for($i = 0; $i < count($members); $i++)
                                             {
    - $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
    $members[$i];
    + $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
    $memberval;
                                             }
     
                                             if ( isset($HTTP_POST_VARS['approve']) )
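    Review bot: `$memberval` is loop-invariant here, since it is assigned once at the top of the file rather than inside this `for`, so every iteration appends the same value and `$sql_in` no longer reflects the submitted member list at all. Cast per iteration instead: `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);`. Note also that `intval()` silently maps any non-numeric entry to 0 rather than rejecting it, so a list of garbage becomes `0, 0, 0` in `$sql_in`; skipping entries where `!is_numeric($members[$i])` or `(int) $members[$i] <= 0` avoids building a query on those placeholders.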
    ---CUT---

    Apply the patch:

    patch groupcp.php phpbb2-groupcp.patch

    Applying the above patches will fix the phpBB2
    privmsg.php XSS vulnerability, and the input
    validation error vulnerability in the groupcp.php
    script.

    Thank you for your time.
    Shaun.


