


phpBB privmsg.php XSS vulnerability patch.


For those who have not yet installed the phpBB
packages fixing the XSS vulnerability in privmsg.php
documented at  
and the groupcp.php vulnerability, or for those who do
not want to download the new packages, the following
patches can be quickly and easily applied to close
the vulnerabilities:


---CUT---
--- privmsg.php	2003-07-20 11:42:23.000000000 -0400
+++ privmsg.1.php	2004-01-27 13:58:41.000000000 -0500
@@ -58,6 +58,7 @@
 if ( isset($HTTP_POST_VARS['folder']) ||
isset($HTTP_GET_VARS['folder']) )
 {
 	$folder = ( isset($HTTP_POST_VARS['folder']) ) ?
$HTTP_POST_VARS['folder'] : $HTTP_GET_VARS['folder'];
+$folder = htmlspecialchars($folder);
 
 	if ( $folder != 'inbox' && $folder != 'outbox' &&
$folder != 'sentbox' && $folder != 'savebox' )
 	{
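Review bot: the added `$folder = htmlspecialchars($folder);` line at the top of this hunk is not indented with the tab the surrounding block uses, and it sits directly before a check that only accepts the four literal folder names, so within this branch the encoding has no effect on which value continues (an encoded string can never equal 'inbox'). Whatever protection it provides depends on how the rejected value is echoed in the `else` path, which is outside this hunk; that path is worth checking directly rather than relying on this one line, and the line should be indented to match its neighbours.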
@@ -102,6 +103,7 @@
 if ( !empty($HTTP_POST_VARS['mode']) ||
!empty($HTTP_GET_VARS['mode']) )
 {
 	$mode = ( !empty($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+	$mode = htmlspecialchars($mode);
 }
 else
 {
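Review bot: `htmlspecialchars($mode)` here uses the default flags, which on the PHP 4/5 releases phpBB 2 runs on encode `<`, `>`, `&` and `"` but leave the single quote untouched, so a value reflected inside a single-quoted attribute is still not neutralised; pass ENT_QUOTES (`$mode = htmlspecialchars($mode, ENT_QUOTES);`) or, better, compare `$mode` against the fixed list of mode names the script actually handles and reject anything else, which removes the need to encode at input time at all.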
---CUT---

Apply the patch:

patch privmsg.php phpbb2-xss.patch



And:


---CUT---
--- groupcp.php	2004-01-27 15:14:46.000000000 -0500
+++ groupcp.1.php	2004-01-27 15:11:10.000000000 -0500
@@ -22,6 +22,7 @@
 
 define('IN_PHPBB', true);
 $phpbb_root_path = './';
+$memberval = intval($members[$i]);
 include($phpbb_root_path . 'extension.inc');
 include($phpbb_root_path . 'common.'.$phpEx);
 mem
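Review bot: `$memberval = intval($members[$i]);` is inserted near the top of the file, before `common.php` is included and before either `$members` or `$i` has been assigned, so it evaluates `intval(null)`, which is 0, exactly once at script start. The hunk at line 590 below then appends this fixed 0 on every iteration of its loop, which silently breaks the member list the query is built from instead of sanitising it. Drop this line and apply `intval()` inside that loop instead. The context line `mem` under the addition also looks truncated in the copy pasted here, so the hunk may not apply cleanly as posted.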
@@ -137,6 +138,7 @@
 if ( isset($HTTP_POST_VARS['mode']) ||
isset($HTTP_GET_VARS['mode']) )
 {
 	$mode = ( isset($HTTP_POST_VARS['mode']) ) ?
$HTTP_POST_VARS['mode'] : $HTTP_GET_VARS['mode'];
+	$mode = htmlspecialchars($mode);
 }
 else
 {
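Review bot: this is the same encode-at-input approach as the privmsg.php hunk, with the same caveat that `htmlspecialchars()` without ENT_QUOTES leaves single quotes alone, and with the added cost that `$mode` is now altered for every later comparison in the script. A mode parameter has a small, fixed set of valid values, so an allowlist check that rejects everything else is the more robust fix; if the value is ever reflected into a page, encode it at that output point with ENT_QUOTES.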
@@ -590,7 +592,7 @@
 					$sql_in = '';
 					for($i = 0; $i < count($members); $i++)
 					{
-						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$members[$i];
+						$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) .
$memberval;
 					}
 
 					if ( isset($HTTP_POST_VARS['approve']) )
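Review bot: `$memberval` in this loop is never updated per iteration, so every element of `$sql_in` receives the same value and the per-id sanitisation the patch intends does not happen; replace it with the conversion inline, `$sql_in .= ( ( $sql_in != '' ) ? ', ' : '' ) . intval($members[$i]);`, so that each submitted id is forced to an integer before it reaches the SQL `IN (...)` list.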
---CUT---


Apply the patch:

patch groupcp.php phpbb2-groupcp.patch



Applying the above patches will fix the phpBB2
privmsg.php XSS vulnerability, and the input
validation error vulnerability in the groupcp.php
script.
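As an added illustration, and not code from Shaun's post or from phpBB itself, the following stand-alone PHP shows the two defensive steps the patches above are reaching for, written the way a reviewer would want them: the folder parameter is validated against an allowlist (the four folder names come from the privmsg.php hunk), values that must be reflected into HTML are encoded with ENT_QUOTES at the point of output, and `intval()` is applied to each member id inside the loop that builds the SQL `IN` list. The function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not part of the original post or of phpBB.
// Demonstrates allowlist validation, output encoding and per-element
// integer coercion, the three fixes the patches above attempt.

/**
 * Return the folder name if it is one of the known private-message
 * folders, otherwise null. Because only one of these fixed strings can
 * ever leave this function, no HTML encoding of the value is needed.
 */
function sanitize_folder($raw)
{
    // The four folder names appear in the privmsg.php patch above.
    $allowed = array('inbox', 'outbox', 'sentbox', 'savebox');
    return in_array($raw, $allowed, true) ? $raw : null;
}

/**
 * Encode a string for insertion into HTML. ENT_QUOTES also encodes the
 * single quote, which htmlspecialchars() skips under its historical
 * default (ENT_COMPAT), so the result is safe inside single-quoted
 * attributes as well as double-quoted ones and element content.
 */
function html_encode($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

/**
 * Build the comma-separated list for an SQL "IN (...)" clause from a
 * submitted array of member ids. intval() runs on every element inside
 * the loop, so each id is an integer; non-numeric input becomes 0 and
 * is dropped rather than being concatenated into the query.
 */
function build_member_id_list($members)
{
    $ids = array();
    foreach ((array) $members as $m) {
        $id = intval($m);
        if ($id > 0) {
            $ids[] = $id;
        }
    }
    return implode(', ', $ids);
}

// Constructed sample input standing in for $HTTP_POST_VARS values.
$sample_members = array('12', '7', '3 junk', 'abc', '0', '-5');
$sample_folder  = 'inbox';
$sample_bad_dir = '../somewhere';
$sample_text    = "O'Brien <b>\"x\"</b>";

echo "member id list: ", build_member_id_list($sample_members), "\n";
echo "folder ok:      ", var_export(sanitize_folder($sample_folder), true), "\n";
echo "folder rejected:", var_export(sanitize_folder($sample_bad_dir), true), "\n";
echo "encoded text:   ", html_encode($sample_text), "\n";
```

Run it with `php example.php`; the member list contains only the ids that parsed as positive integers, the unknown folder name comes back as NULL instead of being passed through, and the encoded string has its quotes and angle brackets replaced with entities. Keeping `intval()` inside the loop is the point the groupcp.php patch misses.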



Thank you for your time.
Shaun.


