[Security Fix] Possible SQL Injection in privmsg.php

Administrator Anmeldungsdatum: 02.08.2002 Beiträge: 4735 Wohnort: Aachen

As announced at www.phpbb.com:

This time we have not been notified about this security bug from the "founder" before he posted this to bugtraq.

The bug can allow attackers to obtain password hashes, all existing users of phpBB 2.0.x make the change specified below, it is highly recommended.

We have now updated all archives (for 2.0.8, named 2.0.8a) as made available on the download page here. Therefore all new installations and upgrades will be immune.

To fix this flaw please open privmsg.php in any text editor and follow the following instruction:

FIND - Line 215:

Code:

$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

REPLACE WITH:

Code:

$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "

The difference between the two lines is the deleted dot after $pm_sql_user.

Save and if necessary upload the changed file to your webserver replacing your existing version.

For those wanting a patch file, here it is:

Code:

diff -C2 -r1.96.2.34 -r1.96.2.35
*** privmsg.php 18 Mar 2004 18:16:21 -0000 1.96.2.34
--- privmsg.php 28 Mar 2004 16:38:51 -0000 1.96.2.35
***************
*** 213,217 ****
case 'savebox':
$l_box_name = $lang['Savebox'];
! $pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
--- 213,217 ----
case 'savebox':
$l_box_name = $lang['Savebox'];
! $pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " )
OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "

phpBB2.de User Anmeldungsdatum: 04.02.2004 Beiträge: 3

when I removed the "." the private messages section went blank.