fixed several vulnerabilities in modcp

git-svn-id: file:///svn/phpbb/branches/phpBB-2_0_0@4331 89ea8834-ac86-4346-8a33-228a782c2dd0
Meik Sievertsen 2003-07-26 11:41:35 +00:00
parent e8fdeae5a3
commit 838a883631
3 changed files with 50 additions and 13 deletions


@ -65,6 +65,7 @@ p,ul,td {font-size:10pt;}
<li>Fixed vulnerability allowing server side variable access in search - <b>tendor</b></li> <li>Fixed vulnerability allowing server side variable access in search - <b>tendor</b></li>
<li>Fixed potential vulnerability in 2.0.5 login username entry - <b>throw away/eomer</b></li> <li>Fixed potential vulnerability in 2.0.5 login username entry - <b>throw away/eomer</b></li>
<li>Fixed sql injection with reset date format field in profile - <b>tendor</b></li> <li>Fixed sql injection with reset date format field in profile - <b>tendor</b></li>
<li>Fixed several vulnerabilities in modcp - <b>Robert Lavierck</b></li>
</ul> </ul>
<a name="204"></a><h3 class="h3">1.ii. Changes since 2.0.4</h3> <a name="204"></a><h3 class="h3">1.ii. Changes since 2.0.4</h3>


@ -36,13 +36,14 @@ class emailer
{ {
$this->reset(); $this->reset();
$this->use_smtp = $use_smtp; $this->use_smtp = $use_smtp;
$this->reply_to = $this->from = '';
} }
// Resets all the data (address, template file, etc etc to default // Resets all the data (address, template file, etc etc to default
function reset() function reset()
{ {
$this->addresses = array(); $this->addresses = array();
$this->vars = $this->msg = $this->extra_headers = $this->replyto = $this->from = ''; $this->vars = $this->msg = $this->extra_headers = '';
} }
// Sets an email address to send to // Sets an email address to send to
@ -63,7 +64,7 @@ class emailer
function replyto($address) function replyto($address)
{ {
$this->replyto = trim($address); $this->reply_to = trim($address);
} }
function from($address) function from($address)
@ -191,7 +192,7 @@ class emailer
$bcc = (count($this->addresses['bcc'])) ? implode(', ', $this->addresses['bcc']) : ''; $bcc = (count($this->addresses['bcc'])) ? implode(', ', $this->addresses['bcc']) : '';
// Build header // Build header
$this->extra_headers = (($this->replyto != '') ? "Reply-to: $this->replyto\n" : '') . (($this->from != '') ? "From: $this->from\n" : "From: " . $board_config['board_email'] . "\n") . "Return-Path: " . $board_config['board_email'] . "\nMessage-ID: <" . md5(uniqid(time())) . "@" . $board_config['server_name'] . ">\nMIME-Version: 1.0\nContent-type: text/plain; charset=" . $this->encoding . "\nContent-transfer-encoding: 8bit\nDate: " . date('r', time()) . "\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: PHP\nX-MimeOLE: Produced By phpBB2\n" . $this->extra_headers . (($cc != '') ? "Cc: $cc\n" : '') . (($bcc != '') ? "Bcc: $bcc\n" : ''); $this->extra_headers = (($this->reply_to != '') ? "Reply-to: $this->reply_to\n" : '') . (($this->from != '') ? "From: $this->from\n" : "From: " . $board_config['board_email'] . "\n") . "Return-Path: " . $board_config['board_email'] . "\nMessage-ID: <" . md5(uniqid(time())) . "@" . $board_config['server_name'] . ">\nMIME-Version: 1.0\nContent-type: text/plain; charset=" . $this->encoding . "\nContent-transfer-encoding: 8bit\nDate: " . date('r', time()) . "\nX-Priority: 3\nX-MSMail-Priority: Normal\nX-Mailer: PHP\nX-MimeOLE: Produced By phpBB2\n" . $this->extra_headers . (($cc != '') ? "Cc: $cc\n" : '') . (($bcc != '') ? "Bcc: $bcc\n" : '');
// Send message ... removed $this->encode() from subject for time being // Send message ... removed $this->encode() from subject for time being
if ( $this->use_smtp ) if ( $this->use_smtp )
@ -260,7 +261,7 @@ class emailer
$str = chunk_split(base64_encode($str), $length, $spacer); $str = chunk_split(base64_encode($str), $length, $spacer);
// remove trailing spacer and add start and end delimiters // remove trailing spacer and add start and end delimiters
$str = preg_replace('#' . phpbb_preg_quote($spacer) . '$#', '', $str); $str = preg_replace('#' . phpbb_preg_quote($spacer, '#') . '$#', '', $str);
return $start . $str . $end; return $start . $str . $end;
} }
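Review bot: The renamed `reply_to` (and `from`) values are still dropped straight into the header string in the "Build header" line with `trim()` as the only filtering, so an address containing a CR or LF would terminate the `Reply-to:`/`From:` line and let the caller append arbitrary headers (e.g. an extra `Bcc:`) before the message reaches the mailer. Whether any caller passes user-controlled addresses to `replyto()`/`from()` is not visible in this hunk, so treat this as a hardening point rather than a confirmed exploit. I would strip line breaks in both setters, e.g. `$this->reply_to = preg_replace('#[\r\n]+#', '', trim($address));`, and the same in `from()`. The send method that builds `extra_headers` starts and ends outside the hunk.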


@ -221,14 +221,30 @@ switch( $mode )
{ {
include($phpbb_root_path . 'includes/functions_search.'.$phpEx); include($phpbb_root_path . 'includes/functions_search.'.$phpEx);
$topics = ( isset($HTTP_POST_VARS['topic_id_list']) ) ? $HTTP_POST_VARS['topic_id_list'] : array($topic_id); $topics = ( isset($HTTP_POST_VARS['topic_id_list']) ) ? $HTTP_POST_VARS['topic_id_list'] : array($topic_id);
$topic_id_sql = ''; $topic_id_sql = '';
for($i = 0; $i < count($topics); $i++) for($i = 0; $i < count($topics); $i++)
{ {
$topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . $topics[$i]; $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . intval($topics[$i]);
} }
$sql = "SELECT topic_id
FROM " . TOPICS_TABLE . "
WHERE topic_id IN ($topic_id_sql)
AND forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not get topic id information', '', __LINE__, __FILE__, $sql);
}
$topic_id_sql = '';
while ($row = $db->sql_fetchrow($result))
{
$topic_id_sql .= (($topic_id_sql != '') ? ', ' : '') . intval($row['topic_id']);
}
$db->sql_freeresult($result);
$sql = "SELECT poster_id, COUNT(post_id) AS posts $sql = "SELECT poster_id, COUNT(post_id) AS posts
FROM " . POSTS_TABLE . " FROM " . POSTS_TABLE . "
WHERE topic_id IN ($topic_id_sql) WHERE topic_id IN ($topic_id_sql)
@ -269,7 +285,7 @@ switch( $mode )
$post_id_sql = ''; $post_id_sql = '';
while ( $row = $db->sql_fetchrow($result) ) while ( $row = $db->sql_fetchrow($result) )
{ {
$post_id_sql .= ( ( $post_id_sql != '' ) ? ', ' : '' ) . $row['post_id']; $post_id_sql .= ( ( $post_id_sql != '' ) ? ', ' : '' ) . intval($row['post_id']);
} }
$db->sql_freeresult($result); $db->sql_freeresult($result);
@ -433,7 +449,7 @@ switch( $mode )
message_die(GENERAL_MESSAGE, $lang['None_selected']); message_die(GENERAL_MESSAGE, $lang['None_selected']);
} }
$new_forum_id = $HTTP_POST_VARS['new_forum']; $new_forum_id = intval($HTTP_POST_VARS['new_forum']);
$old_forum_id = $forum_id; $old_forum_id = $forum_id;
if ( $new_forum_id != $old_forum_id ) if ( $new_forum_id != $old_forum_id )
@ -448,7 +464,8 @@ switch( $mode )
$sql = "SELECT * $sql = "SELECT *
FROM " . TOPICS_TABLE . " FROM " . TOPICS_TABLE . "
WHERE topic_id IN ($topic_list) WHERE topic_id IN ($topic_list)
AND forum_id = $old_forum_id
AND topic_status <> " . TOPIC_MOVED; AND topic_status <> " . TOPIC_MOVED;
if ( !($result = $db->sql_query($sql, BEGIN_TRANSACTION)) ) if ( !($result = $db->sql_query($sql, BEGIN_TRANSACTION)) )
{ {
@ -582,12 +599,13 @@ switch( $mode )
$topic_id_sql = ''; $topic_id_sql = '';
for($i = 0; $i < count($topics); $i++) for($i = 0; $i < count($topics); $i++)
{ {
$topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . $topics[$i]; $topic_id_sql .= ( ( $topic_id_sql != '' ) ? ', ' : '' ) . intval($topics[$i]);
} }
$sql = "UPDATE " . TOPICS_TABLE . " $sql = "UPDATE " . TOPICS_TABLE . "
SET topic_status = " . TOPIC_LOCKED . " SET topic_status = " . TOPIC_LOCKED . "
WHERE topic_id IN ($topic_id_sql) WHERE topic_id IN ($topic_id_sql)
AND forum_id = $forum_id
AND topic_moved_id = 0"; AND topic_moved_id = 0";
if ( !($result = $db->sql_query($sql)) ) if ( !($result = $db->sql_query($sql)) )
{ {
@ -626,12 +644,13 @@ switch( $mode )
$topic_id_sql = ''; $topic_id_sql = '';
for($i = 0; $i < count($topics); $i++) for($i = 0; $i < count($topics); $i++)
{ {
$topic_id_sql .= ( ( $topic_id_sql != "") ? ', ' : '' ) . $topics[$i]; $topic_id_sql .= ( ( $topic_id_sql != "") ? ', ' : '' ) . intval($topics[$i]);
} }
$sql = "UPDATE " . TOPICS_TABLE . " $sql = "UPDATE " . TOPICS_TABLE . "
SET topic_status = " . TOPIC_UNLOCKED . " SET topic_status = " . TOPIC_UNLOCKED . "
WHERE topic_id IN ($topic_id_sql) WHERE topic_id IN ($topic_id_sql)
AND forum_id = $forum_id
AND topic_moved_id = 0"; AND topic_moved_id = 0";
if ( !($result = $db->sql_query($sql)) ) if ( !($result = $db->sql_query($sql)) )
{ {
@ -677,6 +696,21 @@ switch( $mode )
if ($post_id_sql != '') if ($post_id_sql != '')
{ {
$sql = "SELECT post_id
FROM " . POSTS_TABLE . "
WHERE post_id IN ($post_id_sql)
AND forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) )
{
message_die(GENERAL_ERROR, 'Could not get post id information', '', __LINE__, __FILE__, $sql);
}
$post_id_sql = '';
while ($row = $db->sql_fetchrow($result))
{
$post_id_sql .= (($post_id_sql != '') ? ', ' : '') . intval($row['post_id']);
}
$db->sql_freeresult($result);
$sql = "SELECT post_id, poster_id, topic_id, post_time $sql = "SELECT post_id, poster_id, topic_id, post_time
FROM " . POSTS_TABLE . " FROM " . POSTS_TABLE . "
@ -710,7 +744,7 @@ switch( $mode )
$new_forum_id = intval($HTTP_POST_VARS['new_forum_id']); $new_forum_id = intval($HTTP_POST_VARS['new_forum_id']);
$topic_time = time(); $topic_time = time();
$sql = "INSERT INTO " . TOPICS_TABLE . " (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type) $sql = "INSERT INTO " . TOPICS_TABLE . " (topic_title, topic_poster, topic_time, forum_id, topic_status, topic_type)
VALUES ('" . str_replace("\'", "''", $post_subject) . "', $first_poster, " . $topic_time . ", $new_forum_id, " . TOPIC_UNLOCKED . ", " . POST_NORMAL . ")"; VALUES ('" . str_replace("\'", "''", $post_subject) . "', $first_poster, " . $topic_time . ", $new_forum_id, " . TOPIC_UNLOCKED . ", " . POST_NORMAL . ")";
if (!($db->sql_query($sql, BEGIN_TRANSACTION))) if (!($db->sql_query($sql, BEGIN_TRANSACTION)))
@ -901,7 +935,8 @@ switch( $mode )
// Look up relevent data for this post // Look up relevent data for this post
$sql = "SELECT poster_ip, poster_id $sql = "SELECT poster_ip, poster_id
FROM " . POSTS_TABLE . " FROM " . POSTS_TABLE . "
WHERE post_id = $post_id"; WHERE post_id = $post_id
AND forum_id = $forum_id";
if ( !($result = $db->sql_query($sql)) ) if ( !($result = $db->sql_query($sql)) )
{ {
message_die(GENERAL_ERROR, 'Could not get poster IP information', '', __LINE__, __FILE__, $sql); message_die(GENERAL_ERROR, 'Could not get poster IP information', '', __LINE__, __FILE__, $sql);
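Review bot: In the first hunk the new forum_id filter can legitimately leave `$topic_id_sql` empty (every submitted topic belonged to another forum, or `topic_id_list` was an empty array), and the following `WHERE topic_id IN ($topic_id_sql)` then becomes `IN ()`, which is a SQL syntax error that surfaces as a GENERAL_ERROR message_die with the query text instead of a clean rejection. The same pattern recurs after the new post_id filter in the later hunk, where the `$post_id_sql != ''` guard only covers the unfiltered list. I would add a check right after each filtering loop, consistent with the existing handling elsewhere in this file: `if ($topic_id_sql == '') { message_die(GENERAL_MESSAGE, $lang['None_selected']); }`. Note that `$forum_id` is interpolated into every new `AND forum_id = $forum_id` clause but its sanitisation happens outside these hunks, so it is worth confirming it is cast to int before this switch.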