phpBB • Creating Communities Worldwide

Possible SQL injection vulnerability in 2.0.5

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations
Post a reply

Possible SQL injection vulnerability in 2.0.5

Postby psoTFX » Fri Jun 20, 2003 12:08 pm

We've been informed that a possible SQL injection vulnerability has been released to various lists and sites. The issue is unlikely to affect many users given the requirements that surround it.

The problem is easily fixed, open viewtopic.php and before:
Code: Select all
if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
{
      $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if ( isset($HTTP_GET_VARS['topic']) )
{
      $topic_id = intval($HTTP_GET_VARS['topic']);
}

add:
Code: Select all
$topic_id = $post_id = false;

Scroll down and find:
Code: Select all
$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";

Change that to
Code: Select all
$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 ";
$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id";
$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts";

$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";



I would like to add that (as now typical ...) we were given practically no time to fix this issue before it appeared on the web.
User avatar
psoTFX
Former Team Member
 
Posts: 7426
Joined: Tue Jul 03, 2001 8:50 pm
Top
Post a reply

Return to Announcements

Who is online

Users browsing this forum: No registered users and 17 guests

Web Hosting UKDedicated HostingBlueHost.com$6/month WebhostingReseller Web Hosting UK