----- Original Message -----
From: "Shaun Colley" <shaunige@xxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, January 28, 2004 10:39 AM
Subject: phpBB privmsg.php XSS vulnerability patch.
For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at <http://www.securityfocus.com/bid/9290>
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to patch the
vulnerabilities:
---CUT---
--- privmsg.php 2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
{
$folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);
if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
{
@@ -102,6 +103,7 @@
if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
{
$mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
}
else
{
---CUT---
Apply the patch:
patch privmsg.php phpbb2-xss.patch
And:
---CUT---
--- groupcp.php 2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@
define('IN_PHPBB', true);
$phpbb_root_path = './';
+$memberval = intval($members[$i]);
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
mem
@@ -137,6 +138,7 @@
if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
{
$mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
}
else
{
@@ -590,7 +592,7 @@
$sql_in = '';
for($i = 0; $i < count($members); $i++)
{
- $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+ $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
}
if ( isset($HTTP_POST_VARS['approve']) )
---CUT---
Apply the patch:
patch groupcp.php phpbb2-groupcp.patch
Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.
Thank you for your time.
Shaun.
________________________________________________________________________
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80
http://btyahoo.yahoo.co.uk