SECURITY WARNING: Anyone using phpBB? - GoFuckYourself.com

swedguy · 12-03-2003, 07:00 PM

http://www.securityfocus.com/bid/9122

Quote:

It has been reported that phpBB may be prone to a SQL injection vulnerability that may allow an attacker to disclose sensitive information by supplying malicious SQL code to the underlying database.

phpBB version 2.06 has been prone to this issue, however other versions may be affected as well.

ThePornPusher · 12-03-2003, 08:14 PM

Thanks for the heads up...

dirtysouth · 12-03-2003, 08:16 PM

Thanks!

extreme · 12-03-2003, 08:57 PM

open search.php, line ~685:

Replace

Code:

if ( intval($search_id) )
      {
         $sql = "SELECT search_array
            FROM " . SEARCH_TABLE . "
            WHERE search_id = $search_id 
               AND session_id = '". $userdata['session_id'] . "'";

with

Code:

 $search_id = intval($search_id);
      if ( $search_id )
      {
         $sql = "SELECT search_array
            FROM " . SEARCH_TABLE . "
            WHERE search_id = $search_id 
               AND session_id = '". $userdata['session_id'] . "'";

Info from a trusted source, phpbbs own site: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818

swedguy · 12-04-2003, 12:05 PM

a last bump

ZoiNk · 12-04-2003, 12:18 PM

A lot of ppl use that, hope everyone gets their fixed fast.
*mini bump*
ZoiNk

davvve · 12-04-2003, 12:22 PM

Thanks for letting us know!

Smokey The Bear · 12-04-2003, 02:38 PM

12-03-2003, 08:14 PM	#2
ThePornPusher Confirmed User Join Date: Oct 2003 Location: Long Island,New York Posts: 1,823	Thanks for the heads up... __________________

12-03-2003, 08:16 PM	#3
dirtysouth Confirmed User Join Date: Jul 2003 Location: Mobtown Posts: 2,613	Thanks! __________________ no sig

12-03-2003, 08:57 PM	#4
extreme Confirmed User Industry Role: Join Date: Oct 2002 Location: lalaland Posts: 2,120	open search.php, line ~685: Replace Code: if ( intval($search_id) ) { $sql = "SELECT search_array FROM " . SEARCH_TABLE . " WHERE search_id = $search_id AND session_id = '". $userdata['session_id'] . "'"; with Code: $search_id = intval($search_id); if ( $search_id ) { $sql = "SELECT search_array FROM " . SEARCH_TABLE . " WHERE search_id = $search_id AND session_id = '". $userdata['session_id'] . "'"; Info from a trusted source, phpbbs own site: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=153818 __________________ Browse and find new paysites with screenshot-preview Export FHGs/FLVs/Paysites by JSON, XML, CSV and Text Find FHGs/FLVs/Paysites from any given Category or Search-query

12-04-2003, 12:18 PM	#6
ZoiNk Confirmed User Join Date: Feb 2002 Location: Canada Posts: 2,370	A lot of ppl use that, hope everyone gets their fixed fast. mini bump ZoiNk __________________ "People can have the Model T in any color - so long as it's black." - Henry Ford

12-04-2003, 12:22 PM	#7
davvve Confirmed User Join Date: Mar 2002 Location: Europe / India Posts: 560	Thanks for letting us know! __________________ Graphic Artist- $1400 \| Developer - $1400 Email/MSN: [email protected]

12-04-2003, 12:05 PM	#5
swedguy Confirmed User Industry Role: Join Date: Jan 2002 Posts: 7,981	a last bump

12-04-2003, 02:38 PM	#8
Smokey The Bear So Fucking Banned Join Date: Dec 2003 Location: South Of Heaven™ Posts: 3,880