another hole in phpBB 2.08??

Premium Joined: Sep 13, 2003 Posts: 50

I just upgraded to 2.08 and I read this post already:

http://www.securityfocus.com/archive/1/358708

Sergeant Joined: Jun 19, 2003 Posts: 80

If you use the protector system you dont have to worry about this since its protecting the 'UNION' exploit.
But yes this must be fixed :/

Sergeant Joined: Jun 19, 2003 Posts: 80

a fix for phpbb was posted over here Wink

Nuke Soldier Joined: Mar 16, 2004 Posts: 24

genoxide wrote:

a fix for phpbb was posted over here so we just wait for someone to port it to bbtonuke Wink

Hmmm, I don't know if this bug exists in bbtonuke208. Check out line 292 of

/modules/Private_Messages/index.php:

Code:

$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )

According to the description of the bug, the first line should have looked like:

Code:

$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

But in my version, it is a regular "=", not a ".=" as described in the bug. Did someone already fix this?

W

Sergeant Joined: Jun 19, 2003 Posts: 80

i have the '.=' lets see if the exploit works if i set it to be just '='
i did test this exploit on my test site and it only prints 25 chrs of the pwd not all the pwd
edit: it works Smile

i removed the dot (.) from the '.=' and it looks like the exploit can't work Wink

Posted: Sun Mar 28, 2004 9:51 am

I have also upgraded to 2.0.8.. but I'm not sure what to change Confused

Would be great if someone could make the the neccesary changes in the code below.

Code:

case 'inbox':
$l_box_name = $lang['Inbox'];
$pm_sql_user = "AND pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND ( pm.privmsgs_type = " . PRIVMSGS_READ_MAIL . "
OR pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " )";
break;
case 'outbox':
$l_box_name = $lang['Outbox'];
$pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . "
AND ( pm.privmsgs_type = " . PRIVMSGS_NEW_MAIL . "
OR pm.privmsgs_type = " . PRIVMSGS_UNREAD_MAIL . " ) ";
break;
case 'sentbox':
$l_box_name = $lang['Sentbox'];
$pm_sql_user = "AND pm.privmsgs_from_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SENT_MAIL;
break;
case 'savebox':
$l_box_name = $lang['Savebox'];
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )
)";
break;
default:
message_die(GENERAL_ERROR, $lang['No_such_folder']);
break;

Thanks a lot!

Sergeant Joined: Jun 19, 2003 Posts: 80

Code:

case 'savebox':
$l_box_name = $lang['Savebox'];
$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

to

Code:

case 'savebox':
$l_box_name = $lang['Savebox'];
$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

Posted: Sun Mar 28, 2004 2:46 pm

Thanks a lot genoxide! Smile

Corporal Joined: Mar 21, 2004 Posts: 56 Location: Brazil

What the hellll!!!!!!!!!!!!! Evil or Very Mad

Whe need a FIX log or there will be a 2.0.8.a version ??

Its getting dificult to NORMAL people maintain their NUKE sites safe.

And by the way... that .DOT. in then code is VERY strange, Don´t????

OK!, one more fix to the list.