Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Bugtraq: phpBB privmsg.php XSS vulnerability patch.

phpBB privmsg.php XSS vulnerability patch.

From: Shaun Colley <shaunige_at_yahoo.co.uk>
Date: Wed, 28 Jan 2004 15:39:44 +0000 (GMT)

For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at <http://www.securityfocus.com/bid/9290>
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to patch the
vulnerabilities:

---CUT---
--- privmsg.php 2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
 if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
 {
         $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);
 
         if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
         {
@@ -102,6 +103,7 @@
 if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
 {
         $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
 }
 else
 {
---CUT---

Apply the patch:

patch privmsg.php phpbb2-xss.patch

And:

---CUT---
--- groupcp.php 2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@
 
 define('IN_PHPBB', true);
 $phpbb_root_path = './';
+$memberval = intval($members[$i]);
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
 mem
@@ -137,6 +138,7 @@
 if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
 {
         $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+ $mode = htmlspecialchars($mode);
 }
 else
 {
@@ -590,7 +592,7 @@
                                         $sql_in = '';
                                         for($i = 0; $i < count($members); $i++)
                                         {
- $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+ $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
                                         }
 
                                         if ( isset($HTTP_POST_VARS['approve']) )
---CUT---

Apply the patch:

patch groupcp.php phpbb2-groupcp.patch

Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.

Thank you for your time.
Shaun.

________________________________________________________________________
BT Yahoo! Broadband - Free modem offer, sign up online today and save £80 http://btyahoo.yahoo.co.uk
Received on Jan 28 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]