Re: Possible phpBB <=2.0.11 bug or sql injection?
From: kaosone+[ONE]+ (kaosone_at_gmail.com)
Date: 02/19/05
- Previous message: devnull_at_Rodents.Montreal.QC.CA: "Re: Joint encryption?"
- In reply to: jtm297_at_optonline.net: "Possible phpBB <=2.0.11 bug or sql injection?"
- Next in thread: Giacomo Rizzo: "Re: Possible phpBB <=2.0.11 bug or sql injection?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 19 Feb 2005 13:29:41 +0100
To: bugtraq@securityfocus.com
On 17 Feb 2005 09:54:57 -0000, jtm297@optonline.net
<jtm297@optonline.net> wrote:
>
> It seems it has something to do with the \'s, *'s and length. I am not sure if this is a big bug but I decided to try that after looking at search.php
look at
function phpbb_clean_username($username)
{
    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    $username = str_replace("'", "\\'", $username);
    return $username;
}
the problem is in the substr:
take for example phpbb_clean_username("aaaaaaaaaaaaaaaaaaaaaaaa\a")
$username = htmlspecialchars(rtrim(trim($username), "\\"));
// username not changed aaaaaaaaaaaaaaaaaaaaaaaa\a
$username = substr(str_replace("\\'", "'", $username), 0, 25);
// username becomes aaaaaaaaaaaaaaaaaaaaaaaa\
and the query becomes
SELECT user_id FROM phpbb_users WHERE username LIKE 'aaaaaaaaaaaaaaaaaaaaaaaa\'
(notice the last ' escaped)
a quick fix is to add $username = rtrim($username, "\\") before the
function returns
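As an added illustration (not code from the post or from phpBB itself), here is the quoted sanitizer beside a variant that applies the suggested rtrim() after the substr() truncation, run over a few constructed usernames; the function names with the _vuln and _fixed suffixes are mine, and the sample names contain no quote characters, so the version-dependent quote handling of htmlspecialchars() does not affect the result.

```php
<?php
// Added example: the sanitizer quoted in the post (unchanged), a variant that
// applies the suggested rtrim() after substr(), and a constructed check.

function phpbb_clean_username_vuln($username)
{
    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    $username = substr(str_replace("\\'", "'", $username), 0, 25);  // may cut right after a '\'
    $username = str_replace("'", "\\'", $username);
    return $username;
}

function phpbb_clean_username_fixed($username)
{
    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    $username = rtrim($username, "\\");  // strip any backslash exposed by the truncation
    $username = str_replace("'", "\\'", $username);
    return $username;
}

// True when the value ends in an odd run of backslashes: the quote that the
// caller appends in "LIKE '...'" would then be escaped instead of closing the literal.
function escapes_closing_quote($s)
{
    $trailing = strlen($s) - strlen(rtrim($s, "\\"));
    return $trailing % 2 === 1;
}

// Constructed inputs (not taken from any real user data).
$samples = array(
    'poster case: 24 a, \\, a'  => str_repeat('a', 24) . '\\a',   // cut lands after the '\'
    'even run: 23 a, \\\\, a'   => str_repeat('a', 23) . '\\\\a', // cut leaves '\\' (balanced)
    'short, no truncation'      => 'bob\\',                        // trailing '\' removed by rtrim
);

foreach ($samples as $label => $raw) {
    $v = phpbb_clean_username_vuln($raw);
    $f = phpbb_clean_username_fixed($raw);
    printf("%-26s raw=%s\n", $label, $raw);
    printf("  vulnerable : SELECT user_id FROM phpbb_users WHERE username LIKE '%s'  -> quote escaped: %s\n",
        $v, escapes_closing_quote($v) ? 'yes' : 'no');
    printf("  with rtrim : SELECT user_id FROM phpbb_users WHERE username LIKE '%s'  -> quote escaped: %s\n",
        $f, escapes_closing_quote($f) ? 'yes' : 'no');
}
```

The even-run case shows why the check counts trailing backslashes rather than testing for a single one: a balanced pair is a literal backslash and leaves the closing quote intact, while the poster's 25-character cut leaves a lone backslash that swallows it.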