[Security Fix] Possible SQL Injection in privmsg.php

Acyd Burn
Consultant
Posts: 5830
Joined: Wed Dec 05, 2001 8:31 pm
Location: Behind You
Name: Meik Sievertsen

Post by Acyd Burn »

This time we were not notified about this security bug by the "founder" before he posted it to bugtraq.

The bug can allow attackers to obtain password hashes. It is highly recommended that all existing users of phpBB 2.0.x make the change specified below.

We have now updated all archives (for 2.0.8, named 2.0.8a) as made available on the download page here. Therefore all new installations and upgrades will be immune.

To fix this flaw, please open privmsg.php in any text editor and follow these instructions:

FIND - Line 215:

Code:

			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

REPLACE WITH:

Code:

			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

The difference between the two lines is the deleted dot after $pm_sql_user.

Save and, if necessary, upload the changed file to your webserver, replacing your existing version.

For those wanting a patch file, here it is:

Code:

diff -C2 -r1.96.2.34 -r1.96.2.35
*** privmsg.php	18 Mar 2004 18:16:21 -0000	1.96.2.34
--- privmsg.php	28 Mar 2004 16:38:51 -0000	1.96.2.35
***************
*** 213,217 ****
  		case 'savebox':
  			$l_box_name = $lang['Savebox'];
! 			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
  					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
  				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
--- 213,217 ----
  		case 'savebox':
  			$l_box_name = $lang['Savebox'];
! 			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
  					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
  				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
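
Review bot: In the 'savebox' branch (new line 215), the fix holds only as long as this one statement stays a plain assignment; nothing in the hunk shows $pm_sql_user being given a known value before the switch, so any other branch that builds it with .= would have the same problem. Consider initialising it once before the switch, e.g. $pm_sql_user = '';, and checking the remaining case branches for .= on this variable. The concatenated $userdata['user_id'] could also be cast with intval() so the query does not depend on that value already being numeric.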
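
A quick way to confirm that the FIND/REPLACE step from the post has been applied to a given copy of privmsg.php. This is an added example, not part of the original post or of phpBB's code; the function name, the search window and the two sample snippets are constructed for illustration from the lines quoted in the post.

```python
import re
import sys

CASE_SAVEBOX = re.compile(r"case\s+'savebox'\s*:")
# Captures ".=" (append) or "=" (assignment); the lookahead skips "==".
PM_SQL_WRITE = re.compile(r"\$pm_sql_user\s*(\.?=)(?!=)")
WINDOW = 4  # assumption: the write sits within a few lines of the case label

# Constructed samples built from the lines quoted in the post.
VULN_SAMPLE = r'''
		case 'savebox':
			$l_box_name = $lang['Savebox'];
			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
'''
PATCHED_SAMPLE = VULN_SAMPLE.replace("$pm_sql_user .=", "$pm_sql_user =")


def check_privmsg(source):
    """Return status plus (line number, kind) for each savebox write found."""
    lines = source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if not CASE_SAVEBOX.search(line):
            continue
        for j in range(i, min(i + WINDOW, len(lines))):
            m = PM_SQL_WRITE.search(lines[j])
            if m:
                kind = "append" if m.group(1) == ".=" else "assign"
                findings.append((j + 1, kind))
                break
    if any(kind == "append" for _, kind in findings):
        status = "vulnerable"
    elif findings:
        status = "patched"
    else:
        status = "unknown"  # layout differs from the post; inspect by hand
    return {"status": status, "findings": findings}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="latin-1") as fh:
            print(check_privmsg(fh.read()))
    else:
        for name, text in (("pre-fix", VULN_SAMPLE), ("post-fix", PATCHED_SAMPLE)):
            print(name, check_privmsg(text))
```

Run it with the path to privmsg.php as the only argument; a status of "unknown" means the file does not match the layout quoted in the post and should be checked manually.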