ports/54165: [patch]fix 2 serious problem in phpbb 2.0.5
Kang Liu
lazykang at hotmail.com
Mon Jul 7 04:00:37 UTC 2003
>Number: 54165
>Category: ports
>Synopsis: [patch]fix 2 serious problem in phpbb 2.0.5
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Sun Jul 06 21:00:35 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:
>Release:
>Organization:
>Environment:
>Description:
phpbb 2.0.5 contains 2 serious problems:
1. SQL injection vulnerability in viewtopic.php (reference:
http://www.phpbb.com/phpBB/viewtopic.php?t=112052)
2. potential vulnerability in admin/admin_styles.php (reference:
http://www.phpbb.com/phpBB/viewtopic.php?t=113826)
I must apologize that I just updated phpbb to 2.0.5 but didn't fix those 2
vulnerabilities although I mentioned them in my last PR. ports/53691
http://www.freebsd.org/cgi/query-pr.cgi?pr=53691
:-(
>How-To-Repeat:
n/a
>Fix:
--- Makefile.orig Sun Jul 6 23:19:39 2003
+++ Makefile Mon Jul 7 02:02:54 2003
@@ -7,7 +7,7 @@
PORTNAME= phpbb
PORTVERSION= 2.0.5
-#PORTREVISION= 1
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
@@ -59,6 +59,8 @@
post-patch:
@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
${WRKSRC}/docs/*.html
+ @ ${RM} ${WRKSRC}/viewtopic.php.orig
+ @ ${RM} ${WRKSRC}/admin/admin_styles.php.orig
post-configure:
@ ${SED} \
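Review bot: The two ${RM} lines added to post-patch name viewtopic.php.orig and admin/admin_styles.php.orig explicitly, so the cleanup has to be kept in step with files/patch-aa and files/patch-ab by hand; any patch file added later would leave its own .orig copy of the unpatched script in ${WRKSRC}. Because these backups are the pre-fix versions of the files being patched for vulnerabilities, consider removing every *.orig under ${WRKSRC} in one step (a find over ${WRKSRC} for '*.orig') instead of listing files individually.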
--- /dev/null Mon Jul 7 03:13:23 2003
+++ files/patch-aa Mon Jul 7 03:10:51 2003
@@ -0,0 +1,26 @@
+--- viewtopic.php.orig Mon Jul 7 03:06:30 2003
++++ viewtopic.php Mon Jul 7 03:10:27 2003
+@@ -29,6 +29,7 @@
+ //
+ // Start initial var setup
+ //
++$topic_id = $post_id = false;
+ if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) )
+ {
+ $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
+@@ -134,11 +135,11 @@
+ // also allows for direct linking to a post (and the calculation of which
+ // page the post is on and the correct display of viewtopic)
+ //
+-$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, "
. POSTS_TABLE . " p2 ";
+-$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id =
$post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND
p2.post_id <= $post_id";
+-$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS
prev_posts";
++$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " .
POSTS_TABLE . " p2 ";
++$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id =
$post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND
p2.post_id <= $post_id";
++$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS
prev_posts";
+
+-$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id,
t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type,
t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status,
f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply,
f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce,
f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
++$order_sql = ( empty($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id,
t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type,
t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status,
f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply,
f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce,
f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC";
+
+ $sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies,
t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id,
f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read,
f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky,
f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments" .
$count_sql . "
+ FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f" .
$join_sql_table . "
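Review bot: In the viewtopic.php hunk at -29,6, "$topic_id = $post_id = false;" makes both variables always set, which is why the tests at -134,11 were changed from !isset($post_id) to empty($post_id); any other isset($topic_id) or isset($post_id) test in the lines this patch does not show would now always be true and needs the same conversion, so please confirm none is left. When neither id is supplied, $join_sql also becomes "t.topic_id = " with nothing after it, so a guard should reject the request before the query is built. Separately, the long lines have been wrapped in transit (continuation lines such as . POSTS_TABLE . " p2 "; carry no leading +), so the patch will not apply as posted; resend it as an attachment or shar archive.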
--- /dev/null Mon Jul 7 03:13:23 2003
+++ files/patch-ab Sun Jul 6 23:54:33 2003
@@ -0,0 +1,41 @@
+--- admin/admin_styles.php.orig Sun Jul 6 23:38:22 2003
++++ admin/admin_styles.php Sun Jul 6 23:45:37 2003
+@@ -38,21 +38,19 @@
+ //
+ // Check if the user has cancled a confirmation message.
+ //
+-$phpbb_root_path = "./../";
++$phpbb_root_path = "./../";
++require($phpbb_root_path . 'extension.inc');
+
+-$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
+-$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;
++$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
++$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;
+
+-if (empty($HTTP_POST_VARS['send_file']))
+-{
+- $no_page_header = ( $cancel ) ? TRUE : FALSE;
+- require($phpbb_root_path . 'extension.inc');
+- require('./pagestart.' . $phpEx);
+-}
++$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE
: FALSE;
+
+-if ($cancel)
+-{
+- redirect('admin/' . append_sid("admin_styles.$phpEx", true));
++require('./pagestart.' . $phpEx);
++
++if ($cancel)
++{
++ redirect('admin/' . append_sid("admin_styles.$phpEx", true));
+ }
+
+ if( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
+@@ -935,4 +933,4 @@
+ include('./page_footer_admin.'.$phpEx);
+ }
+
+-?>
+\ No newline at end of file
++?>
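Review bot: Most of the -38,21 hunk in admin/admin_styles.php is churn: the $phpbb_root_path, $confirm, $cancel and if ($cancel) lines are removed and re-added with text that reads identically, and the -935,4 hunk only changes the newline after ?>, so these presumably differ only in whitespace or line endings. The substantive change is that require('./pagestart.' . $phpEx) no longer sits inside if (empty($HTTP_POST_VARS['send_file'])) and now runs for every request, with $no_page_header set when send_file is present; trimming the patch to that change would make the fix easier to audit and to carry forward to the next upstream release. The wrapped ": FALSE;" continuation line also lacks its + prefix, so this hunk will not apply as posted either.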
>Release-Note:
>Audit-Trail:
>Unformatted:
>University of Technology Confidential: no Synopsis: fix 2
>vulnerability in phpbb 2.0.5 Severity: serious Priority: high
System: FreeBSD ftp.bjpu.edu.cn 4.8-STABLE FreeBSD 4.8-STABLE #42: Sat Jul 5
14:55:11 CST 2003 root at ftp.bjpu.edu.cn:/usr/obj/usr/src/sys/FTP i386