Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]
From: JeiAr <security@xxxxxxxxxxxx>
Date: 26 Mar 2004 19:30:14 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20040326172740.5558.qmail@xxxxxxxxxxxxxxxxxxxxx>

Nice find,

 Confirmed on phpBB 2.0.8 :) What I did as a quick fix was to declare 
$pm_sql_user empty before it is declared with the proper data. That way it 
(hopefully) will not pass any values recieved from outside of the script to the 
query. For example, wherever I see this.

$pm_sql_user .= "blah blah blah query info here"

I add this before it

$pm_sql_user = '';

I have not had much time to look into the code as a whole, but the fix seems to 
work fine. Maybe some of you have better ideas? ;) BTW, in a way I don't blame 
you for not informing phpBB (I am assuming you didn't) After the greif I was 
given for trying to help with the last vuln I reported to them I doubt I will 
give them advanced warning in the future. Who knows.

Best Regards,

JeiAr
GulfTech Security Research





>From: Janek Vind <come2waraxe@xxxxxxxxx>
>To: bugtraq@xxxxxxxxxxxxxxxxx
>Subject: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8
>    and in older versions]

Prev by Date: bblog 0.7.2 cross site scripting
Next by Date: Strange traffic - Outgoing TCP 3127/3198 (Not mydoom) New worm?
Previous by thread: bblog 0.7.2 cross site scripting
Next by thread: Re: [waraxe-2004-SA#013 - Critical sql injection bug in PhpBB 2.0.8 and in older versions]
Index(es):
- Date
- Thread