[feature/attach-dl] Exploit topic_id of attachment => no posts table query

PHPBB3-11042
Andreas Fischer 2012-08-10 03:02:00 +02:00
parent 11129a5950
commit 9b7b794beb


@ -172,7 +172,7 @@ else
trigger_error('NO_ATTACHMENT_SELECTED'); trigger_error('NO_ATTACHMENT_SELECTED');
} }
$sql = 'SELECT attach_id, post_msg_id, in_message, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime $sql = 'SELECT attach_id, post_msg_id, topic_id, in_message, is_orphan, physical_filename, real_filename, extension, mimetype, filesize, filetime
FROM ' . ATTACHMENTS_TABLE . " FROM ' . ATTACHMENTS_TABLE . "
WHERE $sql_where"; WHERE $sql_where";
$result = $db->sql_query($sql); $result = $db->sql_query($sql);
@ -189,6 +189,9 @@ while ($row = $db->sql_fetchrow($result))
} }
$db->sql_freeresult($result); $db->sql_freeresult($result);
// Make $attachment the first of the attachments we fetched.
$attachment = current($attachments);
if (empty($attachments)) if (empty($attachments))
{ {
send_status_line(404, 'Not Found'); send_status_line(404, 'Not Found');
@ -202,7 +205,6 @@ else if (!download_allowed())
else if ($download_id) else if ($download_id)
{ {
// sizeof($attachments) == 1 // sizeof($attachments) == 1
$attachment = current($attachments);
if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach']) if (!$attachment['in_message'] && !$config['allow_attachments'] || $attachment['in_message'] && !$config['allow_pm_attach'])
{ {
@ -347,21 +349,11 @@ else if ($download_id)
else else
{ {
// sizeof($attachments) >= 1 // sizeof($attachments) >= 1
if ($post_id)
{
$sql = 'SELECT p.forum_id, f.forum_password, f.parent_id
FROM ' . POSTS_TABLE . ' p, ' . FORUMS_TABLE . " f
WHERE p.post_id = $post_id
AND p.forum_id = f.forum_id";
}
else if ($topic_id)
{
$sql = 'SELECT t.forum_id, f.forum_password, f.parent_id $sql = 'SELECT t.forum_id, f.forum_password, f.parent_id
FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f FROM ' . TOPICS_TABLE . ' t, ' . FORUMS_TABLE . " f
WHERE t.topic_id = $topic_id WHERE t.topic_id = " . (int) $attachment['topic_id'] . "
AND t.forum_id = f.forum_id"; AND t.forum_id = f.forum_id";
}
$result = $db->sql_query_limit($sql, 1); $result = $db->sql_query_limit($sql, 1);
$row = $db->sql_fetchrow($result); $row = $db->sql_fetchrow($result);
$db->sql_freeresult($result); $db->sql_freeresult($result);