- Plug another SQL injection vulnerability

Exploit posted at: http://www.securityfocus.com/archive/1/358708 Patch obtained from: http://www.securityfocus.com/archive/1/358751 PR: ports/64803 Submitted by: Kang Liu <liukang@bjpu.edu.cn> (maintainer)
svn path=/head/; revision=105424
2025-02-08 12:01:56 +00:00 · 2004-03-27 15:07:16 +00:00 · 2004-03-27 15:07:16 +00:00 · fbfb1933d4 · 2021-03-31 03:12:20 +00:00
commit fbfb1933d4
parent ed11cfda6d
2 changed files with 23 additions and 0 deletions
--- a/www/phpbb/Makefile
+++ b/www/phpbb/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	phpbb
 PORTVERSION=	2.0.8
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@ -60,6 +61,7 @@ pre-everything::
 post-patch:
 	@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
 	  ${WRKSRC}/docs/*.html
+	@ ${RM} ${WRKSRC}/*.orig

 post-configure:
 	@ ${SED} \
--- a/www/phpbb/files/patch-privmsg.php
+++ b/www/phpbb/files/patch-privmsg.php
@ -0,0 +1,21 @@
+--- privmsg.php	2004-03-18 19:51:32.000000000 +0000
+++ privmsg.1.php	2004-03-26 19:51:07.000000000 +0000
+@@ -212,7 +212,17 @@
+ 			break;
+ 		case 'savebox':
+ 			$l_box_name = $lang['Savebox'];
+-			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+			
+			//
+			// For some obscure reason, the assignment 
+			// concatenation operator was coded below, which 
+			// allowed an attacker to append arbitrary SQL code
+			// to the end of the $pm_sql_user variable.
+			// This is fixed below.
+			//
+			// -shaun2k2
+			//
+			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
+ 				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )