Hi,

Here are the relevant patches, isolated from the upstream release.

On Sun, 2007-01-07 at 20:00 +0100, Thijs Kinkhorst wrote:
> Hi,
> 
> Thank you. I'm aware of the new release, but need to backport the
> changes given that we're in a freeze.
> 
> > CVE-2006-6841:
> > Certain forms in phpBB before 2.0.22 lack session checks
> 
> This is Cross Site Request Forgery.

Indeed counter-CSRF, attached as sid.diff.

> > CVE-2006-6840:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to a "negative start parameter."
> 
> This does not seem to warrant an update on its own: everything about it
> is unknown.

Still unknown how it can be exploited, but the diff is attached and seems
quite harmless. Fix just in case? start.diff

> > CVE-2006-6839:
> > Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
> > and remote attack vectors related to "criteria for 'bad' redirection
> > targets."
> 
> This is very vague again. Summarizing all three I do not see a 'grave'
> issue between them, but will see what the patches look like and whether
> they're acceptable for etch at this point.

Attached as redir.diff, also seems quite harmless to include.

In #402140:
> 1) The application allows users to send messages via HTTP requests
> without performing any validity checks to verify the request. This can
> be exploited to send messages to arbitrary users by e.g. tricking a
> target user into visiting a malicious website.

I'm quite sure that this is a duplicate of the CSRF above.

> 2) Input passed to the form field "Message body" in privmsg.php is not
> properly sanitised before it is returned to the user when sending
> messages to a non-existent user. This can be exploited to execute
> arbitrary HTML and script code in a user's browser session in context
> of an affected site.

Attached as privmsg.diff.

I think this is it. Jeroen: opinions on what to upload?


Thijs
diff -Nur phpBB2.0.21/privmsg.php phpBB2.0.22/privmsg.php
--- phpBB2.0.21/privmsg.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/privmsg.php	2006-12-19 18:29:16.000000000 +0100
@@ -1376,7 +1385,7 @@
 
 		$privmsg_subject = ( isset($HTTP_POST_VARS['subject']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['subject']))) : '';
 		$privmsg_message = ( isset($HTTP_POST_VARS['message']) ) ? trim($HTTP_POST_VARS['message']) : '';
-		$privmsg_message = preg_replace('#<textarea>#si', '&lt;textarea&gt;', $privmsg_message);
+		// $privmsg_message = preg_replace('#<textarea>#si', '&lt;textarea&gt;', $privmsg_message);
 		if ( !$preview )
 		{
 			$privmsg_message = stripslashes($privmsg_message);
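Review bot: the `<textarea>` rewrite is commented out rather than deleted; dead code should be removed, and the backport can simply drop the line. More importantly, once this input-time escape is gone, the only escaping this patch adds to privmsg.php is the `htmlspecialchars()` in the `$error` branch further down, so confirm that the preview path (this `if ( !$preview )` block and what follows it) still escapes the message before it is put back into the textarea; otherwise a body containing `</textarea>` closes the control on the non-error path.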
@@ -1480,7 +1489,7 @@
 			}
 			
 			$privmsg_message = str_replace('<br />', "\n", $privmsg_message);
-			$privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
+			// $privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
 
 			$user_sig = ( $board_config['allow_sig'] ) ? (($privmsg['privmsgs_type'] == PRIVMSGS_NEW_MAIL) ? $user_sig : $privmsg['user_sig']) : '';
 
@@ -1523,7 +1532,7 @@
 
 				$privmsg_message = preg_replace("/\:(([a-z0-9]:)?)$privmsg_bbcode_uid/si", '', $privmsg_message);
 				$privmsg_message = str_replace('<br />', "\n", $privmsg_message);
-				$privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
+				// $privmsg_message = preg_replace('#</textarea>#si', '&lt;/textarea&gt;', $privmsg_message);
 				$privmsg_message = preg_replace($orig_word, $replacement_word, $privmsg_message);
 				
 				$msg_date =  create_date($board_config['default_dateformat'], $privmsg['privmsgs_date'], $board_config['board_timezone']); 
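Review bot: together with the two hunks above, this removes every `<textarea>`/`</textarea>` rewrite from privmsg.php (the commented-out lines should go entirely rather than stay as comments). The `str_replace('<br />', "\n", ...)` immediately before each shows these strings are about to be refilled into the textarea, and no replacement escaping for that path is visible in this patch; the changelog should say whether the template or a later assignment now escapes it, or the edit/reply path needs the same `htmlspecialchars()` the error branch gets below.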
@@ -1650,6 +1659,7 @@
 	//
 	if ($error)
 	{
+		$privmsg_message = htmlspecialchars($privmsg_message);
 		$template->set_filenames(array(
 			'reg_header' => 'error_body.tpl')
 		);
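Review bot: this is the actual fix for the privmsg.php XSS: the body was rendered into error_body.tpl unescaped when the recipient did not exist. Two caveats. `htmlspecialchars()` with its default flags leaves single quotes alone, so this is only sufficient if the template emits `$privmsg_message` as element text or inside a double-quoted attribute; check error_body.tpl and the form refill. And escaping in one branch only is fragile (the subject is already escaped at the top of the first hunk, the body never was); escaping at the template assignment would cover every branch in one place.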
diff -Nur phpBB2.0.21/includes/functions.php phpBB2.0.22/includes/functions.php
--- phpBB2.0.21/includes/functions.php	2006-06-09 16:29:41.000000000 +0200
+++ phpBB2.0.22/includes/functions.php	2006-12-19 18:29:15.000000000 +0100
@@ -917,7 +917,7 @@
 		$db->sql_close();
 	}
 
-	if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r"))
+	if (strstr(urldecode($url), "\n") || strstr(urldecode($url), "\r") || strstr(urldecode($url), ';url'))
 	{
 		message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
 	}
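Review bot: `strstr($u, ';url')` is case-sensitive and matches only that exact byte sequence, while browsers parse a refresh directive case-insensitively and skip whitespace around the separator, so `;URL=` or `; url=` get past this check. That matters wherever redirect() emits a `<meta http-equiv="refresh">` instead of a `Location:` header (if it never does, the check is moot). At minimum use `preg_match('/;\s*url/i', ...)`; better, replace the deny-list with a check that the target is a board-relative path, since a deny-list has to anticipate every parser quirk.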
diff -Nur phpBB2.0.21/login.php phpBB2.0.22/login.php
--- phpBB2.0.21/login.php	2006-06-09 16:29:42.000000000 +0200
+++ phpBB2.0.22/login.php	2006-12-19 18:29:16.000000000 +0100
@@ -123,7 +123,7 @@
 				$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
 				$redirect = str_replace('?', '&', $redirect);
 
-				if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
+				if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
 				{
 					message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
 				}
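Review bot: this is the second of three identical copies of the deny-list (here, the hunk below, and functions.php); put it in one helper so the case-insensitivity fix, or any later tightening, lands in all three. Also note that the preceding `htmlspecialchars()` followed by `str_replace('&amp;', '&', ...)` leaves `$redirect` half-escaped by the time it is checked, which makes it harder to reason about what the check actually sees; run the check on the decoded value before any HTML escaping.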
@@ -142,7 +142,7 @@
 			$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('&amp;', '&', htmlspecialchars($HTTP_POST_VARS['redirect'])) : "";
 			$redirect = str_replace("?", "&", $redirect);
 
-			if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r"))
+			if (strstr(urldecode($redirect), "\n") || strstr(urldecode($redirect), "\r") || strstr(urldecode($redirect), ';url'))
 			{
 				message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
 			}
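Review bot: identical to the hunk above apart from `"?"` vs `'?'`; same helper, same case-insensitivity caveat applies.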
diff -Nur phpBB2.0.21/includes/usercp_register.php phpBB2.0.22/includes/usercp_register.php
--- phpBB2.0.21/includes/usercp_register.php	2006-06-09 16:29:41.000000000 +0200
+++ phpBB2.0.22/includes/usercp_register.php	2006-12-19 18:29:15.000000000 +0100
@@ -144,6 +144,7 @@
 	$notifyreply = ( isset($HTTP_POST_VARS['notifyreply']) ) ? ( ($HTTP_POST_VARS['notifyreply']) ? TRUE : 0 ) : 0;
 	$notifypm = ( isset($HTTP_POST_VARS['notifypm']) ) ? ( ($HTTP_POST_VARS['notifypm']) ? TRUE : 0 ) : TRUE;
 	$popup_pm = ( isset($HTTP_POST_VARS['popup_pm']) ) ? ( ($HTTP_POST_VARS['popup_pm']) ? TRUE : 0 ) : TRUE;
+	$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
 
 	if ( $mode == 'register' )
 	{
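Review bot: `$sid` defaults to the integer `0` but is tested with `$sid == ''` in the check further down; that only rejects a missing field because PHP's loose comparison treats `0 == ''` as true. Default to `''` and compare with `===` so the intent does not depend on coercion rules (the same applies to the posting.php and privmsg.php copies of this line).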
@@ -253,6 +254,13 @@
 {
 	include($phpbb_root_path . 'includes/usercp_avatar.'.$phpEx);
 
+	// session id check
+	if ($sid == '' || $sid != $userdata['session_id'])
+	{
+		$error = true;
+		$error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . $lang['Session_invalid'];
+	}
+
 	$passwd_sql = '';
 	if ( $mode == 'editprofile' )
 	{
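Review bot: `$sid != $userdata['session_id']` is a loose comparison: if both operands look numeric, PHP compares them as numbers (`'0e1' != '0e2'` is false). Session ids are hex strings, so the odds are tiny, but `!==` costs nothing. Two smaller points: `isset($error_msg)` is true whenever `$error_msg` was initialised to `''`, so this always prefixes a `<br />`; the posting.php and privmsg.php hunks use `!empty()`, which is what was meant. And the check only sets `$error`; nothing here aborts, so every write below this point must test `$error` before touching the database.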
@@ -893,6 +901,7 @@
 	}
 
 	$s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />';
+	$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
 	if( $mode == 'editprofile' )
 	{
 		$s_hidden_fields .= '<input type="hidden" name="user_id" value="' . $userdata['user_id'] . '" />';
diff -Nur phpBB2.0.21/language/lang_english/lang_main.php phpBB2.0.22/language/lang_english/lang_main.php
--- phpBB2.0.21/language/lang_english/lang_main.php	2006-06-09 16:29:42.000000000 +0200
+++ phpBB2.0.22/language/lang_english/lang_main.php	2006-12-19 18:29:15.000000000 +0100
@@ -1018,6 +1018,8 @@
 $lang['Login_attempts_exceeded'] = 'The maximum number of %s login attempts has been exceeded. You are not allowed to login for the next %s minutes.';
 $lang['Please_remove_install_contrib'] = 'Please ensure both the install/ and contrib/ directories are deleted';
 
+$lang['Session_invalid'] = 'Invalid Session. Please resubmit the form.';
+
 //
 // That's all, Folks!
 // -------------------------------------------------
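Review bot: `Session_invalid` is added to lang_english only; with any other language pack selected, the check produces an empty message plus an undefined-index notice. Either add the key to every language/lang_*/lang_main.php shipped in the package or fall back to the English string where it is used.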
diff -Nur phpBB2.0.21/posting.php phpBB2.0.22/posting.php
--- phpBB2.0.21/posting.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/posting.php	2006-12-19 18:29:16.000000000 +0100
@@ -44,6 +44,7 @@
 }
 
 $confirm = isset($HTTP_POST_VARS['confirm']) ? true : false;
+$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
 
 $params = array('forum_id' => POST_FORUM_URL, 'topic_id' => POST_TOPIC_URL, 'post_id' => POST_POST_URL);
 while( list($var, $param) = @each($params) )
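Review bot: same integer `0` default as in usercp_register.php; `''` with a strict comparison in the check below is clearer.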
@@ -431,6 +431,7 @@
 	//
 	$s_hidden_fields = '<input type="hidden" name="' . POST_POST_URL . '" value="' . $post_id . '" />';
 	$s_hidden_fields .= ( $delete || $mode == "delete" ) ? '<input type="hidden" name="mode" value="delete" />' : '<input type="hidden" name="mode" value="poll_delete" />';
+	$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
 
 	$l_confirm = ( $delete || $mode == 'delete' ) ? $lang['Confirm_delete'] : $lang['Confirm_delete_poll'];
 
@@ -542,6 +543,12 @@
 	$return_message = '';
 	$return_meta = '';
 
+	// session id check
+	if ($sid == '' || $sid != $userdata['session_id'])
+	{
+		$error_msg .= (!empty($error_msg)) ? '<br />' . $lang['Session_invalid'] : $lang['Session_invalid'];
+	}
+
 	switch ( $mode )
 	{
 		case 'editpost':
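Review bot: the session failure is only appended to `$error_msg`; of the modes in this `switch`, only `delete`/`poll_delete` (next hunk) explicitly dies on it, so for `newtopic`, `reply` and `editpost` the patch relies on code later in posting.php checking `$error_msg` before `submit_post()`. Confirm that on the 2.0.21 tree being patched, since a forged post with a bad sid must not reach the database with the error merely displayed afterwards.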
@@ -567,6 +574,11 @@
 
 		case 'delete':
 		case 'poll_delete':
+			if ($error_msg != '')
+			{
+				message_die(GENERAL_MESSAGE, $error_msg);
+			}
+
 			delete_post($mode, $post_data, $return_message, $return_meta, $forum_id, $topic_id, $post_id, $poll_id);
 			break;
 	}
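Review bot: aborting before `delete_post()` is the right place for the delete branches, but `$error_msg != ''` keys the abort on any message appended before the `switch`, not on the sid check specifically; a boolean set by the sid check is the clearer condition. Note also that `message_die()` returns an ordinary page, so a rejected forgery leaves no trace beyond the user seeing the message; writing it to the error log would make CSRF attempts visible.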
@@ -929,6 +941,7 @@
 }
 
 $hidden_form_fields = '<input type="hidden" name="mode" value="' . $mode . '" />';
+$hidden_form_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
 
 switch( $mode )
 {
diff -Nur phpBB2.0.21/privmsg.php phpBB2.0.22/privmsg.php
--- phpBB2.0.21/privmsg.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/privmsg.php	2006-12-19 18:29:16.000000000 +0100
@@ -50,6 +50,7 @@
 $delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : 0;
 $delete_all = ( isset($HTTP_POST_VARS['deleteall']) ) ? TRUE : 0;
 $save = ( isset($HTTP_POST_VARS['save']) ) ? TRUE : 0;
+$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
 
 $refresh = $preview || $submit_search;
 
@@ -1161,6 +1163,13 @@
 
 	if ( $submit )
 	{
+		// session id check
+		if ($sid == '' || $sid != $userdata['session_id'])
+		{
+			$error = true;
+			$error_msg .= ( ( !empty($error_msg) ) ? '<br />' : '' ) . $lang['Session_invalid'];
+		}
+
 		if ( !empty($HTTP_POST_VARS['username']) )
 		{
 			$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
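Review bot: scoping the check to `if ( $submit )` is right (preview and search refresh do not send anything). As in usercp_register.php, `!=` should be `!==`, and `$error = true` is only a flag: the send path below must test it before inserting the message. Unlike posting.php, nothing in this hunk hard-stops, so that downstream test is the whole fix here.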
@@ -1736,6 +1746,7 @@
 
 	$s_hidden_fields = '<input type="hidden" name="folder" value="' . $folder . '" />';
 	$s_hidden_fields .= '<input type="hidden" name="mode" value="' . $mode . '" />';
+	$s_hidden_fields .= '<input type="hidden" name="sid" value="' . $userdata['session_id'] . '" />';
 	if ( $mode == 'edit' )
 	{
 		$s_hidden_fields .= '<input type="hidden" name="' . POST_POST_URL . '" value="' . $privmsg_id . '" />';
diff -Nur phpBB2.0.21/groupcp.php phpBB2.0.22/groupcp.php
--- phpBB2.0.21/groupcp.php	2006-06-09 16:29:42.000000000 +0200
+++ phpBB2.0.22/groupcp.php	2006-12-19 18:29:16.000000000 +0100
@@ -148,6 +148,7 @@
 $cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : 0;
 
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 //
 // Default var values
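Review bot: the clamp is correct but is the same two-statement pattern in eight files; `$start = max(0, intval($HTTP_GET_VARS['start']))` is one line and harder to forget. `$start` is normally interpolated as a `LIMIT` offset, where a negative value is a MySQL syntax error that surfaces as the board's SQL error page, which is presumably the "negative start parameter" of CVE-2006-6840 (the public description gives nothing more). Any other script that reads `start` and is not in this list should be checked the same way.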
diff -Nur phpBB2.0.21/memberlist.php phpBB2.0.22/memberlist.php
--- phpBB2.0.21/memberlist.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/memberlist.php	2006-12-19 18:29:16.000000000 +0100
@@ -34,6 +34,7 @@
 //
 
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 if ( isset($HTTP_GET_VARS['mode']) || isset($HTTP_POST_VARS['mode']) )
 {
diff -Nur phpBB2.0.21/modcp.php phpBB2.0.22/modcp.php
--- phpBB2.0.21/modcp.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/modcp.php	2006-12-19 18:29:16.000000000 +0100
@@ -71,6 +71,7 @@
 // Continue var definitions
 //
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 $delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : FALSE;
 $move = ( isset($HTTP_POST_VARS['move']) ) ? TRUE : FALSE;
diff -Nur phpBB2.0.21/privmsg.php phpBB2.0.22/privmsg.php
--- phpBB2.0.21/privmsg.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/privmsg.php	2006-12-19 18:29:16.000000000 +0100
@@ -50,6 +50,7 @@
 $delete = ( isset($HTTP_POST_VARS['delete']) ) ? TRUE : 0;
 $delete_all = ( isset($HTTP_POST_VARS['deleteall']) ) ? TRUE : 0;
 $save = ( isset($HTTP_POST_VARS['save']) ) ? TRUE : 0;
+$sid = (isset($HTTP_POST_VARS['sid'])) ? $HTTP_POST_VARS['sid'] : 0;
 
 $refresh = $preview || $submit_search;
 
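Review bot: duplicated hunk: this `@@ -50,6 +50,7 @@` change to privmsg.php is already in the sid part of the patch above. Applying both will make patch(1) report the second as already applied or reversed and reject it; drop it from start.diff.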
@@ -101,6 +102,7 @@
 }
 
 $start = ( !empty($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 if ( isset($HTTP_POST_VARS[POST_POST_URL]) || isset($HTTP_GET_VARS[POST_POST_URL]) )
 {
diff -Nur phpBB2.0.21/search.php phpBB2.0.22/search.php
--- phpBB2.0.21/search.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/search.php	2006-12-19 18:29:16.000000000 +0100
@@ -118,6 +118,7 @@
 }
 
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 $sort_by_types = array($lang['Sort_Time'], $lang['Sort_Post_Subject'], $lang['Sort_Topic_Title'], $lang['Sort_Author'], $lang['Sort_Forum']);
 
diff -Nur phpBB2.0.21/viewforum.php phpBB2.0.22/viewforum.php
--- phpBB2.0.21/viewforum.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/viewforum.php	2006-12-19 18:29:16.000000000 +0100
@@ -42,6 +42,7 @@
 }
 
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 if ( isset($HTTP_GET_VARS['mark']) || isset($HTTP_POST_VARS['mark']) )
 {
diff -Nur phpBB2.0.21/viewtopic.php phpBB2.0.22/viewtopic.php
--- phpBB2.0.21/viewtopic.php	2006-06-09 16:29:43.000000000 +0200
+++ phpBB2.0.22/viewtopic.php	2006-12-19 18:29:16.000000000 +0100
@@ -46,6 +46,7 @@
 
 
 $start = ( isset($HTTP_GET_VARS['start']) ) ? intval($HTTP_GET_VARS['start']) : 0;
+$start = ($start < 0) ? 0 : $start;
 
 if (!$topic_id && !$post_id)
 {
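As an added illustration, not phpBB code and not part of this mail, the PHP below contrasts the deny-list redirect check from redir.diff with an allow-list check, and shows the strict comparison the sid check should use. The function names and sample URLs are constructed for the example; it assumes every legitimate redirect target is a board-relative `.php` path, and the `;URL=` / `; url=` rows only matter where the redirect is emitted as a meta refresh rather than a `Location:` header.

```php
<?php
// Added example (hypothetical helper names), not phpBB's own code.

// The check as patched in functions.php / login.php (2.0.22): a deny-list.
function patched_redirect_check($url)
{
    $u = urldecode($url);
    return !(strstr($u, "\n") || strstr($u, "\r") || strstr($u, ';url'));
}

// Allow-list alternative. Assumption: legitimate targets are always a
// board-relative script name, optional query string, optional fragment,
// built from a narrow byte set. No scheme, host, ';', CR/LF or traversal
// can survive this, whatever the browser's refresh parser tolerates.
function allowlisted_redirect_target($url)
{
    $u = urldecode($url);
    if (!preg_match('#^[A-Za-z0-9_/.-]+\.php(\?[A-Za-z0-9_=&%.-]*)?(\#[A-Za-z0-9_-]*)?$#', $u)) {
        return false;
    }
    // The path class above still admits '//' and '..'; reject them explicitly.
    if (strpos($u, '//') !== false || strpos($u, '..') !== false) {
        return false;
    }
    return $u;
}

// Strict CSRF-token comparison: never `==`/`!=` between a user-supplied
// string and the session id, because PHP compares two numeric-looking
// strings as numbers ('0e123' == '0e456' is true).
function sid_matches($posted, $session_id)
{
    return is_string($posted) && $posted !== '' && $posted === $session_id;
}

// Constructed test inputs (not real phpBB traffic).
$cases = array(
    'viewtopic.php?t=1&start=0',                              // legitimate
    'viewtopic.php?t=1%0d%0aLocation:%20http://evil.example/', // CRLF: both block
    'viewtopic.php?t=1;url=http://evil.example/',              // patch blocks
    'viewtopic.php?t=1;URL=http://evil.example/',              // patch passes (case)
    'viewtopic.php?t=1;%20url=http://evil.example/',           // patch passes (space)
    'http://evil.example/viewtopic.php',                       // patch passes (absolute)
);

function run_cases($cases)
{
    $out = array();
    foreach ($cases as $c) {
        $out[] = sprintf('%-58s patched=%-5s allowlist=%s',
            $c,
            patched_redirect_check($c) ? 'pass' : 'BLOCK',
            allowlisted_redirect_target($c) === false ? 'BLOCK' : 'pass');
    }
    return $out;
}

echo implode("\n", run_cases($cases)), "\n";

// Why the sid check wants ===: an md5 session id of the form 0e<digits>
// would compare equal to any other such string under loose comparison.
var_dump('0e123' == '0e456');            // bool(true)
var_dump(sid_matches('0e123', '0e456')); // bool(false)
```

Run it with the PHP CLI; the last three rows show inputs the patched deny-list accepts and the allow-list rejects, which is the practical argument for validating the shape of a redirect target instead of searching it for known-bad substrings.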
