For those who have not yet installed the phpBB packages fixing the XSS vulnerability in privmsg.php documented at <http://www.securityfocus.com/bid/9290> and the groupcp.php vulnerability, or for those who do not want to download the new packages, the following patches can be quickly and easily applied to patch the vulnerabilities: ---CUT--- --- privmsg.php 2003-07-20 11:42:23.000000000 -0400 +++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500 @@ -58,6 +58,7 @@ if ( isset($HTTP_POST_VARS['folder']) || isset($HTTP_GET_VARS['folder']) ) { $folder = ( isset($HTTP_POST_VARS['folder']) ) ? $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder']; +$folder = htmlspecialchars($folder); if ( $folder != 'inbox' && $folder != 'outbox' && $folder != 'sentbox' && $folder != 'savebox' ) { @@ -102,6 +103,7 @@ if ( !empty($HTTP_POST_VARS['mode']) || !empty($HTTP_GET_VARS['mode']) ) { $mode = ( !empty($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode']; + $mode = htmlspecialchars($mode); } else { ---CUT--- Apply the patch: patch privmsg.php phpbb2-xss.patch And: ---CUT--- --- groupcp.php 2004-01-27 15:14:46.000000000 -0500 +++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500 @@ -22,6 +22,7 @@ define('IN_PHPBB', true); $phpbb_root_path = './'; +$memberval = intval($members[$i]); include($phpbb_root_path . 'extension.inc'); include($phpbb_root_path . 'common.'.$phpEx); mem @@ -137,6 +138,7 @@ if ( isset($HTTP_POST_VARS['mode']) || isset($HTTP_GET_VARS['mode']) ) { $mode = ( isset($HTTP_POST_VARS['mode']) ) ? $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode']; + $mode = htmlspecialchars($mode); } else { 
@@ -590,7 +592,7 @@ $sql_in = ''; for($i = 0; $i < count($members); $i++) { - $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $members[$i]; + $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . $memberval; } if ( isset($HTTP_POST_VARS['approve']) ) ---CUT--- Apply the patch: patch groupcp.php phpbb2-groupcp.patch Applying the above patches will fix the phpBB2 privmsg.php XSS vulnerability, and the input validation error vulnerability in the groupcp.php script. Thank you for your time. Shaun.
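Review bot: in the privmsg.php @@ -58 hunk, `htmlspecialchars($folder)` is called without ENT_QUOTES, so a single quote passes through unchanged and the value is still not safe inside a single-quoted HTML attribute. The stronger control is the four-value comparison on the very next line (`inbox`, `outbox`, `sentbox`, `savebox`); the cleaner fix is to stop on an unrecognised folder rather than escape it and continue. If the escaping is kept, use `htmlspecialchars($folder, ENT_QUOTES)`.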
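Review bot: the same applies to `$mode` in the privmsg.php @@ -102 hunk: `htmlspecialchars($mode)` without ENT_QUOTES leaves single quotes intact, and the hunk only escapes, it never validates. Since `$mode` selects a code path, compare it against the set of modes privmsg.php actually handles, as the first hunk does for `$folder`, and treat anything else as an error instead of passing an escaped but arbitrary string through.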
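Review bot: the groupcp.php @@ -22 hunk inserts `$memberval = intval($members[$i]);` at the top of the file, before common.php is included and before `$members` or `$i` exist, so it evaluates once at page start on an undefined index (yielding 0 and a notice) and never again. The cast belongs where the member ids are iterated, so this hunk should be dropped and the cast moved into the loop in the @@ -590 hunk. The stray `mem` token after the second `include` line is also not a valid diff line; check the patch file before applying it.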
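Review bot: in the groupcp.php @@ -590 hunk the loop appends `$memberval` on every iteration, but `$memberval` is computed once outside the loop, so `$sql_in` becomes the same value repeated `count($members)` times and the selected member ids never reach the query. Cast per iteration instead: `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);`. With that change the `$memberval` line added in the @@ -22 hunk is unnecessary.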