Date:      Sat, 27 Mar 2004 22:48:13 +0800
From:      "Kang Liu" <liukang@bjpu.edu.cn>
To:        <freebsd-gnats-submit@FreeBSD.org>
Subject:   ports/64803: [maintainer][SECURITY]Fix another SQL injection in www/phpbb
Message-ID:  <280398376.28821@bjpu.edu.cn>
Resent-Message-ID: <200403271450.i2REoDfQ053778@freefall.freebsd.org>

>Number:         64803
>Category:       ports
>Synopsis:       [maintainer][SECURITY]Fix another SQL injection in www/phpbb
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sat Mar 27 06:50:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator:     Kang Liu
>Release:        FreeBSD 4.9-STABLE i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD 4.9-STABLE
>Description:
A new SQL injection has been published in bugtraq:
http://www.securityfocus.com/archive/1/358708

Here is an unofficial patch posted in bugtraq; it seems fine.
I think applying this patch is the only thing we can do before a new release.
http://www.securityfocus.com/archive/1/358751

Thanks Frankye Fattarelli <frankye@ipv5.net> for informing me of this problem.

>How-To-Repeat:
Read the exploit posted in bugtraq...
>Fix:
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/Makefile,v
retrieving revision 1.20
diff -u -r1.20 Makefile
--- Makefile	26 Mar 2004 17:06:30 -0000	1.20
+++ Makefile	27 Mar 2004 14:15:42 -0000
@@ -7,6 +7,7 @@
 
 PORTNAME=	phpbb
 PORTVERSION=	2.0.8
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -60,6 +61,7 @@
 post-patch:
 	@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
 	  ${WRKSRC}/docs/*.html
+	@ ${RM} ${WRKSRC}/*.orig
 
 post-configure:
 	@ ${SED} \
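Review bot: the `${RM} ${WRKSRC}/*.orig` line added to post-patch only matches backup files at the top level of ${WRKSRC}; that covers privmsg.php, which files/patch-privmsg.php in this PR touches, but it will silently leave behind .orig files from any future files/patch-* that modifies a file in a subdirectory. If that matters, use `${FIND} ${WRKSRC} -name '*.orig' -exec ${RM} {} \;` instead, or note the limitation in a comment next to the line.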

--- /dev/null	Sat Mar 27 22:17:03 2004
+++ files/patch-privmsg.php	Sat Mar 27 03:54:50 2004
@@ -0,0 +1,21 @@
+--- privmsg.php	2004-03-18 19:51:32.000000000 +0000
++++ privmsg.1.php	2004-03-26 19:51:07.000000000 +0000
+@@ -212,7 +212,17 @@
+ 			break;
+ 		case 'savebox':
+ 			$l_box_name = $lang['Savebox'];
+-			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
++			
++			//
++			// For some obscure reason, the assignment 
++			// concatenation operator was coded below, which 
++			// allowed an attacker to append arbitrary SQL code
++			// to the end of the $pm_sql_user variable.
++			// This is fixed below.
++			//
++			// -shaun2k2
++			//
++			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
+ 				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " ) 
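Review bot: the substantive change in this hunk is the `.=` on the `$pm_sql_user` assignment in the `savebox` case becoming `=`, so whatever the variable already held is replaced rather than appended to; the added comment block should state that directly instead of "for some obscure reason", and should cite the advisory this PR references (bugtraq 358708) so a later maintainer knows why the port deviates from upstream 2.0.8. Also, the inner headers name `privmsg.php` on the `---` line but `privmsg.1.php` on the `+++` line; both should name `privmsg.php` so the patch target is unambiguous.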

>Release-Note:
>Audit-Trail:
>Unformatted:


