ports/64803: [maintainer][SECURITY]Fix another SQL injection in www/phpbb
Kang Liu
liukang at bjpu.edu.cn
Sat Mar 27 14:50:14 UTC 2004
>Number: 64803
>Category: ports
>Synopsis: [maintainer][SECURITY]Fix another SQL injection in www/phpbb
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sat Mar 27 06:50:13 PST 2004
>Closed-Date:
>Last-Modified:
>Originator: Kang Liu
>Release: FreeBSD 4.9-STABLE i386
>Organization:
Beijing University of Technology
>Environment:
System: FreeBSD 4.9-STABLE
>Description:
A new SQL injection has been published in bugtraq:
http://www.securityfocus.com/archive/1/358708
Here is an unofficial patch posted in bugtraq; it seems fine.
I think applying this patch is the only thing we can do before a new release.
http://www.securityfocus.com/archive/1/358751
Thanks Frankye Fattarelli <frankye at ipv5.net> for informing me of this problem.
>How-To-Repeat:
Read the exploit posted in bugtraq...
>Fix:
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/www/phpbb/Makefile,v
retrieving revision 1.20
diff -u -r1.20 Makefile
--- Makefile 26 Mar 2004 17:06:30 -0000 1.20
+++ Makefile 27 Mar 2004 14:15:42 -0000
@@ -7,6 +7,7 @@
PORTNAME= phpbb
PORTVERSION= 2.0.8
+PORTREVISION= 1
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE}
MASTER_SITE_SUBDIR= ${PORTNAME}
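Review bot: the PORTREVISION bump to 1 is the right thing in this hunk, because the distfile stays at 2.0.8 while the installed privmsg.php changes, and users who already have 2.0.8 installed need a revision change to pick up the security fix; please reference the two bugtraq posts from the description in the commit log so the reason for the bump is recorded next to the revision.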
@@ -60,6 +61,7 @@
post-patch:
@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
${WRKSRC}/docs/*.html
+ @ ${RM} ${WRKSRC}/*.orig
post-configure:
@ ${SED} \
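Review bot: "@ ${RM} ${WRKSRC}/*.orig" is needed here, since without it the unpatched privmsg.php.orig left behind by applying files/patch-privmsg.php would be installed next to the fixed file, but the glob only covers the top level of ${WRKSRC}; if a later patch in files/ touches a file in a subdirectory, its .orig copy would still be installed. A ${FIND} over ${WRKSRC} for '*.orig' in the same post-patch target would cover both cases.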
--- /dev/null Sat Mar 27 22:17:03 2004
+++ files/patch-privmsg.php Sat Mar 27 03:54:50 2004
@@ -0,0 +1,21 @@
+--- privmsg.php 2004-03-18 19:51:32.000000000 +0000
++++ privmsg.1.php 2004-03-26 19:51:07.000000000 +0000
+@@ -212,7 +212,17 @@
+ break;
+ case 'savebox':
+ $l_box_name = $lang['Savebox'];
+- $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
++
++ //
++ // For some obscure reason, the assignment
++ // concatenation operator was coded below, which
++ // allowed an attacker to append arbitrary SQL code
++ // to the end of the $pm_sql_user variable.
++ // This is fixed below.
++ //
++ // -shaun2k2
++ //
++ $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+ AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
+ OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
+ AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )
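Review bot: the "+++ privmsg.1.php" header in this patch names a file that does not exist in ${WRKSRC}; patch(1) will fall back to the "--- privmsg.php" name and apply it anyway, but the header should read "+++ privmsg.php" so the patch does not depend on patch's filename heuristics and so it is obvious which file is being fixed. The change itself, replacing ".=" with "=" so $pm_sql_user is always assigned in the 'savebox' branch rather than appended to, is correct for the case shown, but the "break;" above "case 'savebox':" shows this is one branch of a larger switch, so please confirm the sibling branches assign $pm_sql_user rather than append to it as well. The eleven-line comment block signed by a third party could be cut down to a one-line pointer to the bugtraq post; a port patch should carry the fix, not the commentary.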
>Release-Note:
>Audit-Trail:
>Unformatted: