Bugtraq mailing list archives
Re: Possible phpBB <=2.0.11 bug or sql injection?
From: "kaosone+[ONE]+" <kaosone () gmail com>
Date: Sat, 19 Feb 2005 13:29:41 +0100
On 17 Feb 2005 09:54:57 -0000, jtm297 () optonline net <jtm297 () optonline net> wrote:
> It seems it has something to do with the \'s *'s and length. I am not sure if this is a big bug but I decided to try that after looking at search.php
look at

    function phpbb_clean_username($username)
    {
        $username = htmlspecialchars(rtrim(trim($username), "\\"));
        $username = substr(str_replace("\\'", "'", $username), 0, 25);
        $username = str_replace("'", "\\'", $username);
        return $username;
    }

the problem is in the substr; take for example

    phpbb_clean_username("aaaaaaaaaaaaaaaaaaaaaaaa\a")

    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    // username not changed: aaaaaaaaaaaaaaaaaaaaaaaa\a
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    // username becomes aaaaaaaaaaaaaaaaaaaaaaaa\

and the query becomes

    SELECT user_id FROM phpbb_users WHERE username LIKE 'aaaaaaaaaaaaaaaaaaaaaaaa\'

(notice the last ' escaped)

a quick fix is to add

    $username = rtrim($username, "\\");

before the function returns
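The truncation problem described above, as an added example that is not part of the thread or of phpBB's own code: it runs the quoted phpbb_clean_username() logic on the 24-a's sample, applies the rtrim fix the reply proposes, and flags any result that ends in an odd run of backslashes (the condition under which the last backslash escapes the quote closing the SQL literal). The suffixed function names, the ends_with_dangling_backslash() check and the input list are assumptions made for this example.

```php
<?php
// Added example, not code from the thread or from phpBB: compares the
// phpbb_clean_username() logic quoted in the reply with the rtrim fix
// the reply proposes, on constructed inputs.

// The function as quoted in the thread (phpBB 2.0.11), unchanged.
function phpbb_clean_username_orig($username)
{
    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    $username = str_replace("'", "\\'", $username);
    return $username;
}

// The same function with the fix proposed in the reply: strip any
// backslash left at the end by the 25-byte cut before returning.
function phpbb_clean_username_fixed($username)
{
    $username = htmlspecialchars(rtrim(trim($username), "\\"));
    $username = substr(str_replace("\\'", "'", $username), 0, 25);
    $username = str_replace("'", "\\'", $username);
    $username = rtrim($username, "\\");
    return $username;
}

// True when the value ends in an odd run of backslashes, i.e. the last
// backslash would escape the quote that closes '...' in the query.
// (Hypothetical helper, not part of phpBB.)
function ends_with_dangling_backslash($s)
{
    $trailing = strlen($s) - strlen(rtrim($s, "\\"));
    return ($trailing % 2) === 1;
}

// Constructed inputs. The first is the sample from the thread: 24 a's,
// a backslash, then one more character so the backslash is byte 25.
$inputs = array(
    str_repeat('a', 24) . "\\a",
    str_repeat('a', 23) . "\\\\a",   // escaped backslash kept as a pair: harmless
    str_repeat('a', 24) . "\\\\a",   // the cut leaves a lone backslash at byte 25
    'shortname',                      // nothing to truncate
);

foreach ($inputs as $in) {
    $orig  = phpbb_clean_username_orig($in);
    $fixed = phpbb_clean_username_fixed($in);
    printf("input : %s\n", $in);
    printf("orig  : %-26s dangling=%s\n", $orig,
        ends_with_dangling_backslash($orig) ? 'yes' : 'no');
    printf("fixed : %-26s dangling=%s\n", $fixed,
        ends_with_dangling_backslash($fixed) ? 'yes' : 'no');
    printf("query : SELECT user_id FROM phpbb_users WHERE username LIKE '%s'\n\n", $orig);
}
```

For the thread's sample the original function returns 24 a's followed by a single backslash, so the printed query ends in `\'` with its closing quote escaped; the fixed variant returns the 24 a's alone. The third input shows the same condition reached through an escaped backslash pair that the cut splits, which the rtrim fix also handles.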
Current thread:
- Possible phpBB <=2.0.11 bug or sql injection? jtm297 (Feb 17)
- RE: Possible phpBB <=2.0.11 bug or sql injection? Miguel Angel Rodríguez Jódar (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? kaosone+[ONE]+ (Feb 19)
- Re: Possible phpBB <=2.0.11 bug or sql injection? Giacomo Rizzo (Feb 19)
- <Possible follow-ups>
- Re: Possible phpBB <=2.0.11 bug or sql injection? Exoduks (Feb 19)