Bugtraq mailing list archives

Re: Possible phpBB <=2.0.11 bug or sql injection?

From: Exoduks <exoduks () gmail com>
Date: 18 Feb 2005 20:49:05 -0000

In-Reply-To: <20050217095457.23821.qmail () www securityfocus com>


http://www.phpbb.com/phpBB/search.php?search_author=\*\'fnfnfffffa,'\*\*\cdf

or

http://www.phpbb.com/phpBB/search.php?search_author=\*\*\*\*\*\*\*\*\*


I have notice that this only works is php.ini is set like this:

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = On

; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = Off

Current thread:

Possible phpBB <=2.0.11 bug or sql injection? jtm297 (Feb 17)
- RE: Possible phpBB <=2.0.11 bug or sql injection? Miguel Angel Rodríguez Jódar (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? kaosone+[ONE]+ (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? Giacomo Rizzo (Feb 19)
- <Possible follow-ups>
- Re: Possible phpBB <=2.0.11 bug or sql injection? Exoduks (Feb 19)