[Security Fix] Possible SQL Injection

Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

[Security Fix] Possible SQL Injection

Post by Acyd Burn »

We've been notified of a flaw in search.php. This can, under the right circumstances and with certain server versions, be exploited to obtain password hashes. It is highly recommended that all existing users of phpBB 2.0.x make the changes specified below.

We have now updated all archives (for 2.0.7) as made available on the download page here. Therefore all new installations and upgrades will be immune.

We apologise for not having reacted earlier and for the bug in the redirection code introduced while fixing another security bug.

To fix this flaw, please open search.php in any text editor and follow these instructions:

FIND:

Code:

$show_results = ( isset($HTTP_POST_VARS['show_results']) ) ? $HTTP_POST_VARS['show_results'] : 'posts';
AFTER, ADD:

Code:

$show_results = ($show_results == 'topics') ? 'topics' : 'posts';

FIND:

Code:

	$store_vars = array('search_results', 'total_match_count', 'split_search', 'sort_by', 'sort_dir', 'show_results', 'return_chars');
AFTER, ADD:

Code:

	$search_results = '';


To fix the redirect problems:


Open login.php:

FIND:

Code:

						$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
REPLACE WITH:

Code:

						$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";
FIND:

Code:

					$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : '';
REPLACE WITH:

Code:

					$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';

FIND:

Code:

			$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "";
REPLACE WITH:

Code:

			$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
FIND:

Code:

			$url = (!empty($HTTP_POST_VARS['redirect'])) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : htmlspecialchars($HTTP_GET_VARS['redirect']);
AFTER, ADD:

Code:

			$url = str_replace('&amp;', '&', $url);
FIND:

Code:

		$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? htmlspecialchars($HTTP_POST_VARS['redirect']) : "index.$phpEx";
REPLACE WITH:

Code:

		$url = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "index.$phpEx";


For completeness, here is the small fix for the correct row colour display in private messaging:

Open privmsg.php:

FIND:

Code:

	message_die(GENERAL_ERROR, 'Could not query private messages', '', __LINE__, __FILE__, $sql);
}

if ( $row = $db->sql_fetchrow($result) )
{
AFTER, ADD:

Code:

	$i = 0;
FIND:

Code:

		$row_color = ( !($i % 2) ) ? $theme['td_color1'] : $theme['td_color2'];
		$row_class = ( !($i % 2) ) ? $theme['td_class1'] : $theme['td_class2'];
AFTER, ADD:

Code:

		$i++;



Save and if necessary upload the changed files to your webserver replacing your existing versions.
Last edited by Acyd Burn on Fri Mar 19, 2004 6:29 pm, edited 1 time in total.
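As an added illustration (this is editor-supplied example code, not code from the post above or from phpBB itself), the following stand-alone PHP script reproduces the two search.php hardening lines from the post on a small stand-in for the post-ID lookup that search.php builds. It simulates register_globals with extract() on a constructed request array, shows the vulnerable shape beside the hardened one, and adds an integer check on the ID list that goes beyond the phpBB patch. The table and column names, the query shape, and the sample attacker input are illustrative assumptions, not phpBB's exact query or the exploit that was reported.

```php
<?php
// Added example, not phpBB code. Table/column names and the query shape are
// illustrative assumptions; the request arrays below are constructed inputs.

// register_globals turned every request key into a PHP variable before the
// script ran. extract() on the request array reproduces that behaviour here.

// Vulnerable shape: $search_results is only assigned on the "load a stored
// search" branch, so when no stored search exists the request-seeded variable
// survives and is interpolated into the IN (...) list unchecked.
function build_search_sql_vulnerable(array $request, $stored_ids = null)
{
    extract($request, EXTR_SKIP);                              // simulated register_globals

    $show_results = isset($request['show_results']) ? $request['show_results'] : 'posts';

    if ($stored_ids !== null) {
        $search_results = $stored_ids;                         // trusted list from the session store
    }

    $table = 'phpbb_' . $show_results;                         // unchecked value reaches the query
    return "SELECT p.post_id, p.topic_id FROM $table p WHERE p.post_id IN ($search_results)";
}

// Hardened shape: the two lines added by the phpBB fix, plus an integer check.
function build_search_sql_hardened(array $request, $stored_ids = null)
{
    extract($request, EXTR_SKIP);                              // same simulated register_globals

    $show_results = isset($request['show_results']) ? $request['show_results'] : 'posts';
    $show_results = ($show_results == 'topics') ? 'topics' : 'posts';   // patch line 1: whitelist

    $search_results = '';                                      // patch line 2: initialise before use
    if ($stored_ids !== null) {
        $search_results = $stored_ids;
    }

    // Extra check beyond the phpBB patch: accept only a comma-separated list of integers.
    $ids = array();
    foreach (explode(',', $search_results) as $id) {
        $id = trim($id);
        if ($id === '') {
            continue;
        }
        if (!ctype_digit($id)) {
            return null;                                       // malformed list: build no query
        }
        $ids[] = (int) $id;
    }
    if (count($ids) === 0) {
        return null;                                           // nothing to search for
    }

    $table = 'phpbb_' . $show_results;
    return "SELECT p.post_id, p.topic_id FROM $table p WHERE p.post_id IN (" . implode(',', $ids) . ')';
}

// Constructed attacker request: no stored search matches (so $stored_ids is
// null) and the query string pre-seeds $search_results with SQL.
$attack = array(
    'show_results'   => 'posts',
    'search_results' => '0) UNION SELECT user_password, 0 FROM phpbb_users WHERE (1=1',
);
echo build_search_sql_vulnerable($attack), "\n";   // injected UNION reaches the database
var_dump(build_search_sql_hardened($attack));      // NULL: the seeded value is discarded

// Legitimate request: ids come from the stored search, not from the request.
$legit = array('show_results' => 'topics');
echo build_search_sql_hardened($legit, '12, 34,56'), "\n";   // ... IN (12,34,56)
```

The order of operations is the point: with register_globals the request is applied before the script's own assignments, so a variable that is only set on one branch keeps the attacker's value on every other branch. Initialising `$search_results` unconditionally and collapsing `$show_results` to a two-value whitelist closes both paths regardless of what the request contained.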
SHS`
Former Team Member
Posts: 6615
Joined: Wed Jul 04, 2001 9:13 am
Location: Yellow Beach, Nine Dragons, Hong Kong
Name: Jonathan Stanley

Post by SHS` »

We urge everyone who has upgraded to the older phpBB 2.0.7 to update as soon as possible to phpBB 2.0.7a.

For those that are still running versions of phpBB older than 2.0.6, please do yourselves a favour and upgrade to the current version ASAP as there have been many bug fixes as detailed in the CHANGELOG.
Jonathan “SHS`” Stanley • 史德信
