

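--- a/files/patch-privmsg.php
+++ b/files/patch-privmsg.php
@@ -1,21 +0,0 @@
---- privmsg.php	2004-03-18 19:51:32.000000000 +0000
-+++ privmsg.1.php	2004-03-26 19:51:07.000000000 +0000
-@@ -212,7 +212,17 @@
- 			break;
- 		case 'savebox':
- 			$l_box_name = $lang['Savebox'];
--			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
-+			
-+			//
-+			// For some obscure reason, the assignment 
-+			// concatenation operator was coded below, which 
-+			// allowed an attacker to append arbitrary SQL code
-+			// to the end of the $pm_sql_user variable.
-+			// This is fixed below.
-+			//
-+			// -shaun2k2
-+			//
-+			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
- 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
- 				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
- 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )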
