Bugtraq mailing list archives

Re: Fw: phpBB privmsg.php XSS vulnerability patch.

From: Micheal Cottingham <micheal () michealcottingham com>
Date: Wed, 28 Jan 2004 20:14:25 -0500

I'm going to regret replying to this as many people seem to abuseautoresponders and I end up with 50+ emails saying so-and-so is out ofthe office ...

If you think you have found a security hole with phpBB, contact thesecurity email address ... I assure you they won't bite your head offfor notifying them, even if it turns out to be a false alarm.


International Veneer Co., Inc. wrote:

----- Original Message -----From: "Shaun Colley" <shaunige () yahoo co uk>

To: <bugtraq () securityfocus com>
Sent: Wednesday, January 28, 2004 10:39 AM
Subject: phpBB privmsg.php XSS vulnerability patch.


For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at <http://www.securityfocus.com/bid/9290>
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to patch the
vulnerabilities:


---CUT---
--- privmsg.php 2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
{
 $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);

 if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
 {
@@ -102,6 +103,7 @@
if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
{
 $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
}
else
{
---CUT---

Apply the patch:

patch privmsg.php phpbb2-xss.patch



And:


---CUT---
--- groupcp.php 2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@

define('IN_PHPBB', true);
$phpbb_root_path = './';
+$memberval = intval($members[$i]);
include($phpbb_root_path . 'extension.inc');
include($phpbb_root_path . 'common.'.$phpEx);
mem
@@ -137,6 +138,7 @@
if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
{
 $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
}
else
{
@@ -590,7 +592,7 @@
 $sql_in = '';
 for($i = 0; $i < count($members); $i++)
 {
- $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+ $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
 }

 if ( isset($HTTP_POST_VARS['approve']) )
---CUT---


Apply the patch:

patch groupcp.php phpbb2-groupcp.patch



Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.



Thank you for your time.
Shaun.

________________________________________________________________________
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80
http://btyahoo.yahoo.co.uk

Current thread:

Re: Fw: phpBB privmsg.php XSS vulnerability patch. Micheal Cottingham (Feb 02)
- Re: Fw: phpBB privmsg.php XSS vulnerability patch. Truthless (Feb 04)