Re: Fw: phpBB privmsg.php XSS vulnerability patch.

[Micheal Cottingham <micheal@michealcottingham.com>]

I'm going to regret replying to this as many people seem to abuse 
autoresponders and I end up with 50+ emails saying so-and-so is out of 
the office ...

If you think you have found a security hole with phpBB, contact the 
security email address ... I assure you they won't bite your head off 
for notifying them, even if it turns out to be a false alarm.

International Veneer Co., Inc. wrote:

> ----- Original Message ----- 
> From: "Shaun Colley" <shaunige@yahoo.co.uk>
> To: <bugtraq@securityfocus.com>
> Sent: Wednesday, January 28, 2004 10:39 AM
> Subject: phpBB privmsg.php XSS vulnerability patch.
>
>
> For those who have not yet installed the phpBB
> packages fixing the XSS vulnerability in privmsg.php
> documented at <http://www.securityfocus.com/bid/9290>
> and the groupcp.php vulnerability, or for those who do
> not want to download the new packages, the following
> patches can be quickly and easily applied to patch the
> vulnerabilities:
>
>
> ---CUT---
> --- privmsg.php 2003-07-20 11:42:23.000000000 -0400
> +++ privmsg.1.php 2004-01-27 13:58:41.000000000 -0500
> @@ -58,6 +58,7 @@
> if ( isset($HTTP_POST_VARS['folder']) ||
> isset($HTTP_GET_VARS['folder']) )
> {
>  $folder = ( isset($HTTP_POST_VARS['folder']) ) ?
> $HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
> +$folder = htmlspecialchars($folder);
>
>  if ( $folder != 'inbox' && $folder != 'outbox' &&
> $folder != 'sentbox' && $folder != 'savebox' )
>  {
> @@ -102,6 +103,7 @@
> if ( !empty($HTTP_POST_VARS['mode']) ||
> !empty($HTTP_GET_VARS['mode']) )
> {
>  $mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
> $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
> + $mode = htmlspecialchars($mode);
> }
> else
> {
> ---CUT---
>
> Apply the patch:
>
> patch privmsg.php phpbb2-xss.patch
>
>
>
> And:
>
>
> ---CUT---
> --- groupcp.php 2004-01-27 15:14:46.000000000 -0500
> +++ groupcp.1.php 2004-01-27 15:11:10.000000000 -0500
> @@ -22,6 +22,7 @@
>
> define('IN_PHPBB', true);
> $phpbb_root_path = './';
> +$memberval = intval($members[$i]);
> include($phpbb_root_path . 'extension.inc');
> include($phpbb_root_path . 'common.'.$phpEx);
> mem
> @@ -137,6 +138,7 @@
> if ( isset($HTTP_POST_VARS['mode']) ||
> isset($HTTP_GET_VARS['mode']) )
> {
>  $mode = ( isset($HTTP_POST_VARS['mode']) ) ?
> $HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
> + $mode = htmlspecialchars($mode);
> }
> else
> {
> @@ -590,7 +592,7 @@
>  $sql_in = '';
>  for($i = 0; $i < count($members); $i++)
>  {
> - $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
> $members[$i];
> + $sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
> $memberval;
>  }
>
>  if ( isset($HTTP_POST_VARS['approve']) )
> ---CUT---
>
>
> Apply the patch:
>
> patch groupcp.php phpbb2-groupcp.patch
>
>
>
> Applying the above patches will fix the phpBB2
> privmsg.php XSS vulnerability, and the input
> validation error vulnerability in the groupcp.php
> script.
>
>
>
> Thank you for your time.
> Shaun.
>
> ________________________________________________________________________
> BT Yahoo! Broadband - Free modem offer, sign up online today and save £80
> http://btyahoo.yahoo.co.uk
>
>
>