[Security Fix] Possible SQL Injection in privmsg.php

Read me first before posting anywhere!
Subscribe to the feed, available in Image Atom or Image RSS format.
Anti-Spam Guide
Post Reply
Acyd Burn
Consultant
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

[Security Fix] Possible SQL Injection in privmsg.php

Post by Acyd Burn »

This time we have not been notified about this security bug from the "founder" before he posted this to bugtraq.

The bug can allow attackers to obtain password hashes, all existing users of phpBB 2.0.x make the change specified below, it is highly recommended.

We have now updated all archives (for 2.0.8, named 2.0.8a) as made available on the download page here. Therefore all new installations and upgrades will be immune.

To fix this flaw please open privmsg.php in any text editor and follow the following instruction:

FIND - Line 215:

Code: Select all

			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
REPLACE WITH:

Code: Select all

			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
The difference between the two lines is the deleted dot after $pm_sql_user.

Save and if necessary upload the changed file to your webserver replacing your existing version.

For those wanting a patch file, here it is:

Code: Select all

diff -C2 -r1.96.2.34 -r1.96.2.35
*** privmsg.php	18 Mar 2004 18:16:21 -0000	1.96.2.34
--- privmsg.php	28 Mar 2004 16:38:51 -0000	1.96.2.35
***************
*** 213,217 ****
  		case 'savebox':
  			$l_box_name = $lang['Savebox'];
! 			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
  					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
  				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
--- 213,217 ----
  		case 'savebox':
  			$l_box_name = $lang['Savebox'];
! 			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
  					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
  				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
Post Reply

Return to “Announcements”