Date: Mon, 07 Jul 2003 11:53:19 +0800
From: "Kang Liu" <lazykang@hotmail.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/54165: [patch]fix 2 serious problem in phpbb 2.0.5
Message-ID: <BAY8-F108E4MxpItagu0000a5fc@hotmail.com>
Resent-Message-ID: <200307070400.h6740ZjR095672@freefall.freebsd.org>
>Number: 54165 >Category: ports >Synopsis: [patch]fix 2 serious problem in phpbb 2.0.5 >Confidential: yes >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Sun Jul 06 21:00:35 PDT 2003 >Closed-Date: >Last-Modified: >Originator: >Release: >Organization: >Environment: >Description: phpbb 2.0.5 contains 2 serious problem: 1. SQL injection vulnerability in viewtopic.php (reference: http://www.phpbb.com/phpBB/viewtopic.php?t=112052) 2. potential vulnerability in admin/admin_styles.php (reference: http://www.phpbb.com/phpBB/viewtopic.php?t=113826) I must apologize that I just update phpbb to 2.0.5 but didn't fix those 2 vulnerability although I mention it in my last PR. ports/53691 http://www.freebsd.org/cgi/query-pr.cgi?pr=53691 :-( >How-To-Repeat: n/a >Fix: --- Makefile.orig Sun Jul 6 23:19:39 2003 +++ Makefile Mon Jul 7 02:02:54 2003 @@ -7,7 +7,7 @@ PORTNAME= phpbb PORTVERSION= 2.0.5 -#PORTREVISION= 1 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= ${PORTNAME} @@ -59,6 +59,8 @@ post-patch: @ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \ ${WRKSRC}/docs/*.html + @ ${RM} ${WRKSRC}/viewtopic.php.orig + @ ${RM} ${WRKSRC}/admin/admin_styles.php.orig post-configure: @ ${SED} \ --- /dev/null Mon Jul 7 03:13:23 2003 +++ files/patch-aa Mon Jul 7 03:10:51 2003 
@@ -0,0 +1,26 @@ +--- viewtopic.php.orig Mon Jul 7 03:06:30 2003 ++++ viewtopic.php Mon Jul 7 03:10:27 2003 +@@ -29,6 +29,7 @@ + // + // Start initial var setup + // ++$topic_id = $post_id = false; + if ( isset($HTTP_GET_VARS[POST_TOPIC_URL]) ) + { + $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]); +@@ -134,11 +135,11 @@ + // also allows for direct linking to a post (and the calculation of which + // page the post is on and the correct display of viewtopic) + // +-$join_sql_table = ( !isset($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; +-$join_sql = ( !isset($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; +-$count_sql = ( !isset($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; ++$join_sql_table = ( empty($post_id) ) ? '' : ", " . POSTS_TABLE . " p, " . POSTS_TABLE . " p2 "; ++$join_sql = ( empty($post_id) ) ? "t.topic_id = $topic_id" : "p.post_id = $post_id AND t.topic_id = p.topic_id AND p2.topic_id = p.topic_id AND p2.post_id <= $post_id"; ++$count_sql = ( empty($post_id) ) ? '' : ", COUNT(p2.post_id) AS prev_posts"; + +-$order_sql = ( !isset($post_id) ) ? '' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC"; ++$order_sql = ( empty($post_id) ) ? 
'' : "GROUP BY p.post_id, t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments ORDER BY p.post_id ASC"; + + $sql = "SELECT t.topic_id, t.topic_title, t.topic_status, t.topic_replies, t.topic_time, t.topic_type, t.topic_vote, t.topic_last_post_id, f.forum_name, f.forum_status, f.forum_id, f.auth_view, f.auth_read, f.auth_post, f.auth_reply, f.auth_edit, f.auth_delete, f.auth_sticky, f.auth_announce, f.auth_pollcreate, f.auth_vote, f.auth_attachments" . $count_sql . " + FROM " . TOPICS_TABLE . " t, " . FORUMS_TABLE . " f" . $join_sql_table . " --- /dev/null Mon Jul 7 03:13:23 2003 +++ files/patch-ab Sun Jul 6 23:54:33 2003 
@@ -0,0 +1,41 @@ +--- admin/admin_styles.php.orig Sun Jul 6 23:38:22 2003 ++++ admin/admin_styles.php Sun Jul 6 23:45:37 2003 +@@ -38,21 +38,19 @@ + // + // Check if the user has cancled a confirmation message. + // +-$phpbb_root_path = "./../"; ++$phpbb_root_path = "./../"; ++require($phpbb_root_path . 'extension.inc'); + +-$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE; +-$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE; ++$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE; ++$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE; + +-if (empty($HTTP_POST_VARS['send_file'])) +-{ +- $no_page_header = ( $cancel ) ? TRUE : FALSE; +- require($phpbb_root_path . 'extension.inc'); +- require('./pagestart.' . $phpEx); +-} ++$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE; + +-if ($cancel) +-{ +- redirect('admin/' . append_sid("admin_styles.$phpEx", true)); ++require('./pagestart.' . $phpEx); ++ ++if ($cancel) ++{ ++ redirect('admin/' . append_sid("admin_styles.$phpEx", true)); + } + + if( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) ) +@@ -935,4 +933,4 @@ + include('./page_footer_admin.'.$phpEx); + } + +-?> +\ No newline at end of file ++?> _________________________________________________________________ MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*. http://join.msn.com/?page=features/virus >Release-Note: >Audit-Trail: >Unformatted: >University of Technology Confidential: no Synopsis: fix 2 >vulnerability in phpbb 2.0.5 Severity: serious Priority: high System: FreeBSD ftp.bjpu.edu.cn 4.8-STABLE FreeBSD 4.8-STABLE #42: Sat Jul 5 14:55:11 CST 2003 root@ftp.bjpu.edu.cn:/usr/obj/usr/src/sys/FTP i386
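Review bot: In the Makefile's post-patch hunk, the two `${RM}` lines hard-code `viewtopic.php.orig` and `admin/admin_styles.php.orig`, so the list has to be edited by hand every time a patch under files/ is added or dropped. A single pattern-based removal of `*.orig` under `${WRKSRC}` would stay in sync with files/patch-* automatically.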
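Review bot: In files/patch-aa (viewtopic.php), initialising with `$topic_id = $post_id = false;` makes every later `isset($topic_id)` or `isset($post_id)` test true, so any such check outside the two visible hunks will no longer catch a request that supplies neither parameter; the four ternaries were switched to `empty($post_id)` and the rest of the file needs the same treatment. In that no-parameter case the first branch also builds `t.topic_id = $topic_id` with `$topic_id` still false, which interpolates as an empty string, so initialising both variables to 0 would keep the query well-formed. The visible context applies `intval()` to `$topic_id` only, while `$post_id` is interpolated unquoted into `p.post_id = $post_id` and `p2.post_id <= $post_id`; confirm that its assignment is cast the same way.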
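Review bot: In files/patch-ab (admin/admin_styles.php), most removed and added lines of the first hunk are textually identical (`$phpbb_root_path`, `$confirm`, `$cancel`, the `if ($cancel)` block) and the second hunk only changes the end of file after `?>`, which looks like a whitespace or line-ending rewrite and buries the functional change. That change is that `extension.inc` and `./pagestart.` are now required unconditionally instead of only when `send_file` is empty, with `$no_page_header` set for the `send_file` case; limiting the patch to those lines would make it reviewable. Because pagestart now also runs on the `send_file` path, check that it emits no output when `$no_page_header` is TRUE, otherwise the response produced for `send_file` would be affected.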