[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Possible phpBB <=2.0.11 bug or sql injection?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Possible phpBB <=2.0.11 bug or sql injection?
From: "kaosone+[ONE]+" <kaosone@xxxxxxxxx>
Date: Sat, 19 Feb 2005 13:29:41 +0100

On 17 Feb 2005 09:54:57 -0000, jtm297@xxxxxxxxxxxxx
<jtm297@xxxxxxxxxxxxx> wrote:
> 
> It seems it has something to do with the the \'s *'s and length. I am not 
> sure if this is a big bug but I decided to try that after looking at 
> search.php

look at 

function phpbb_clean_username($username)
{
        $username = htmlspecialchars(rtrim(trim($username), "\\"));
        $username = substr(str_replace("\\'", "'", $username), 0, 25);
        $username = str_replace("'", "\\'", $username);

        return $username;
}

the problem is in the substr;
take for exemple phpbb_clean_username("aaaaaaaaaaaaaaaaaaaaaaaa\a")

$username = htmlspecialchars(rtrim(trim($username), "\\"));
// username not changed aaaaaaaaaaaaaaaaaaaaaaaa\a
$username = substr(str_replace("\\'", "'", $username), 0, 25);
// username become  aaaaaaaaaaaaaaaaaaaaaaaa\

and the query become

SELECT user_id FROM phpbb_users WHERE username LIKE 'aaaaaaaaaaaaaaaaaaaaaaaa\' 
(notice the last ' escaped)

a quick fix is to add $username = rtrim($username, "\\") before the
function returns

References:
- Possible phpBB <=2.0.11 bug or sql injection?
  - From: jtm297

Prev by Date: Re: Joint encryption?
Next by Date: Re: Combining Hashes
Previous by thread: RE: Possible phpBB <=2.0.11 bug or sql injection?
Next by thread: Re: Possible phpBB <=2.0.11 bug or sql injection?
Index(es):
- Date
- Thread