From owner-freebsd-ports-bugs@FreeBSD.ORG Sat Mar 27 06:50:13 2004
Message-Id: <280398376.28821@bjpu.edu.cn>
Date: Sat, 27 Mar 2004 22:48:13 +0800
From: "Kang Liu"
Subject: ports/64803: [maintainer][SECURITY]Fix another SQL injection in www/phpbb

>Number:         64803
>Category:       ports
>Synopsis:       [maintainer][SECURITY]Fix another SQL injection in www/phpbb
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 27 06:50:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD 4.9-STABLE
>Description:
A new SQL injection has been published in bugtraq:
http://www.securityfocus.com/archive/1/358708

Here is an unofficial patch posted in bugtraq; it seems fine. I think applying this patch is the only thing we can do before a new release.
http://www.securityfocus.com/archive/1/358751

Thanks to Frankye Fattarelli for informing me of this problem.
>How-To-Repeat:
Read the exploit posted in bugtraq...
>Fix:
Index: Makefile =================================================================== RCS file: /home/ncvs/ports/www/phpbb/Makefile,v retrieving revision 1.20 diff -u -r1.20 Makefile --- Makefile 26 Mar 2004 17:06:30 -0000 1.20 +++ Makefile 27 Mar 2004 14:15:42 -0000 @@ -7,6 +7,7 @@ PORTNAME= phpbb PORTVERSION= 2.0.8 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -60,6 +61,7 @@ post-patch: @ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \ ${WRKSRC}/docs/*.html + @ ${RM} ${WRKSRC}/*.orig post-configure: @ ${SED} \ --- /dev/null Sat Mar 27 22:17:03 2004 +++ files/patch-privmsg.php Sat Mar 27 03:54:50 2004
@@ -0,0 +1,21 @@ +--- privmsg.php 2004-03-18 19:51:32.000000000 +0000 ++++ privmsg.1.php 2004-03-26 19:51:07.000000000 +0000 +@@ -212,7 +212,17 @@ + break; + case 'savebox': + $l_box_name = $lang['Savebox']; +- $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " ++ ++ // ++ // For some obscure reason, the assignment ++ // concatenation operator was coded below, which ++ // allowed an attacker to append arbitrary SQL code ++ // to the end of the $pm_sql_user variable. ++ // This is fixed below. ++ // ++ // -shaun2k2 ++ // ++ $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . " + AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) + OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . " + AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) >Release-Note: >Audit-Trail: >Unformatted:
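Review bot: in the post-patch hunk of the Makefile, `@ ${RM} ${WRKSRC}/*.orig` only matches backup files in the top level of ${WRKSRC}; that covers privmsg.php, which is the file files/patch-privmsg.php touches, but a later patch against a file in a subdirectory would leave its .orig copy behind to be installed along with the rest of the tree. Consider `@ ${FIND} ${WRKSRC} -name '*.orig' -delete` so the cleanup does not depend on where patched files live.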
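Review bot: the substantive change in files/patch-privmsg.php is `.=` becoming `=` on the `$pm_sql_user` assignment in the 'savebox' case, so whatever `$pm_sql_user` held before the switch is now discarded rather than prepended to the WHERE fragment; that is only correct if the other case branches (not in the hunk) also assign with `=` and nothing legitimate is accumulated in `$pm_sql_user` beforehand, so please confirm against the full file. The ten-line comment block could be reduced to one line stating the fix. Also, the inner header names the new side `privmsg.1.php` while the old side is `privmsg.php`; patch(1) will pick the existing file, but naming both sides `privmsg.php` follows the usual files/patch-* convention and avoids any ambiguity.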