Security Alert: phpbb flaw

Codewalkers Forums Sponsor:

March 27th, 2004, 12:45 PM

nawlej

Contributing User

Join Date: Apr 2007

Location: Dallas, Tx. USA

Posts: 2,008

Time spent in forums: 11 h 7 m 51 sec
Reputation Power: 4

Security Alert: phpbb flaw

This showed up on Mr. Mitnicks RSS feed and I thought it applied here.

http://www.securitytracker.com/alerts/2004/Mar/1009563.html

It allows you to inject sql via the private messaging feature. NO workaround has been found.....BUT I found a way to keep it from happening until a fix has been implemented. If you disable private messaging, it cuts off the ability to use that page, and returns a "Private Messaging has been disabled on this board" message.

Just thought ya'll running PHPBB should know....

March 27th, 2004, 08:09 PM

nawlej

Contributing User

Join Date: Apr 2007

Location: Dallas, Tx. USA

Posts: 2,008

Time spent in forums: 11 h 7 m 51 sec
Reputation Power: 4

RE: Security Alert: phpbb flaw

Here is the fix:

find this part of the code in the privmsg.php file:

php Code:

Original - php Code
case 'savebox': $l_box_name = $lang['Savebox']; - $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

 
       case 'savebox':
          $l_box_name = $lang['Savebox'];
-         $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

the $pm_sql_user .= is the offending code that is allowing the attack.

Replace it with this:

php Code:

Original - php Code
$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . " AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )

 
            $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
                AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
             OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
                AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )

Thanks to Janek Vind for finding this exploit.

March 28th, 2004, 03:50 PM

Anonymous

Registered User

Codewalkers God 35th Plane (22000 - 22499 posts)

Join Date: Apr 2007

Posts: 22,309

Time spent in forums: < 1 sec
Reputation Power: 24

RE: Security Alert: phpbb flaw

Thanks Nawlej,

They had this fixed in 2.0.7, guess they forgot to fix in the new release.

March 28th, 2004, 06:21 PM

Andrew

Moderator

Join Date: Apr 2007

Location: United Kingdom

Posts: 1,942

Folding Points: 2429 Folding Title: Novice Folder

Time spent in forums: 4 Days 4 h 4 m 34 sec
Reputation Power: 3

RE: Security Alert: phpbb flaw

so does that mean if you put:

php Code:

Original - php Code
$pm_sql_user = "then some sql";

$pm_sql_user = "then some sql";

It would run the sql???

March 29th, 2004, 02:00 AM

nawlej

Contributing User

Join Date: Apr 2007

Location: Dallas, Tx. USA

Posts: 2,008

Time spent in forums: 11 h 7 m 51 sec
Reputation Power: 4

RE: Security Alert: phpbb flaw

no, the way it was set up: $pm_sql_user .=

Would allow you to append sql via te input boxes in the private message form.

March 29th, 2004, 05:30 AM

Andrew

Moderator

Join Date: Apr 2007

Location: United Kingdom

Posts: 1,942

Time spent in forums: 4 Days 4 h 4 m 34 sec
Reputation Power: 3

RE: Security Alert: phpbb flaw

scary..... i tried appending a query to promote a user called Guest to Administrator and it didnt work so i must have installed the patch.

March 29th, 2004, 02:30 PM

nawlej

Contributing User

Join Date: Apr 2007

Location: Dallas, Tx. USA

Posts: 2,008

Time spent in forums: 11 h 7 m 51 sec
Reputation Power: 4

RE: Security Alert: phpbb flaw

It all depends, what version of the BB are you using? Its fixed in .07 BUT, is a problem in .08

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: