Re: phpBB 2.0.8a and lower - IP spoofing vulnerability

[Xin LI <delphij () frontfree net>]

On Wed, Apr 28, 2004 at 11:03:26AM +0200, BlueRaven wrote:
> On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:
>
> Hi Xin, I think there's an error in your patch:
>
> > -           if ( !$db->sql_query($sql) )
> > +           if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
>
> This does NOT prevent execution of the query, only effects output of the
> message:
>
> >             {
> >                     message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> >             }
>
> I think it should read as follows:
>
>              if ( $user_id != ANONYMOUS ) {
>               if ( !$db->sql_query($sql) {
>                    message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
>               }
>              }
>
> I'm not great PHP programmer, though, so please correct me if I'm wrong.

Well... I don't think so. When a expression evulates to false before a
&& operator, the rest of things which are after && should be "short-
circuit" instead of being evaluated. This is default behavior in most
programming languages, and I believe that this is the behavior of PHP,
too.

Let me proof my assumption with the following code:

----------snip-------------
<?
  $i = false;

  function f()
  {
    echo "f() called";
    return 1;
  }

  echo "before f()<br />";

  f();
  echo "<br />after f()";
  echo "<br />";

  if( ($i) && (f() > 0)) {
    // do nothing
  }

  echo "end";
?>
----------snip-------------

And I get the following output:

----------snip-------------
before f()
f() called
after f()
end
----------snip-------------

As you can see, f() is called only once by explicitly calling it.
The second call, because $i == false, is short-circuited and not
evaluated.

I have runned the patch on one of servers I maintains for some
months and it has been proven that the anonymous session denial
of service problem has been addressed (at least worked around).

To complain phpBB.com developing team:

Not sure why phpBB.com did not respond to my submission after I
privately submit this to them nearly two months ago and this
BugTraq post. They respond me nothing - no admissions, no
rejections, I am re-thinking about whether to handle phpBB problems
I found... Submitting to security () phpbb com as they desired seems
to be inefficient. Maybe they don't consider the session resource
exhaustion as a problem, but they did not replyed me, I don't
think that's a good practise.

Cheers,
-- 
Xin LI <delphij frontfree net>  http://www.delphij.net/
See complete headers for GPG key and other information.

Attachment: _bin
Description: