Hi,
Here are the relevant patches, isolated from the upstream release.
On Sun, 2007-01-07 at 20:00 +0100, Thijs Kinkhorst wrote:
Hi,
Thank you. I'm aware of the new release, but need to backport the
changes given that we're in a freeze.
CVE-2006-6841:
Certain forms in phpBB before 2.0.22 lack session checks
This is Cross Site Request Forgery.
Indeed counter-CSRF, attached as sid.diff.
CVE-2006-6840:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to a negative start parameter.
This does not seem to warrant an update on its own: everything about it
is unknown.
Still unknown how it can be exploited, but diff is attached and seems
quite harmless. Fix just in case? start.diff
CVE-2006-6839:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to criteria for 'bad' redirection
targets.
This is very vague again. Summarizing all three I do not see a 'grave'
issue between them, but will see what the patches look like and whether
they're acceptable for etch at this point.
Attached as redir.diff, also seems quite harmless to include.
In #402140:
1) The application allows users to send messages via HTTP requests
without performing any validity checks to verify the request. This can
be exploited to send messages to arbitrary users by e.g. tricking a
target user into visiting a malicious website.
I'm quite sure that this is a duplicate of the CSRF above.
2) Input passed to the form field Message body in privmsg.php is not
properly sanitised before it is returned to the user when sending
messages to a non-existent user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.
Attached as privmsg.diff.
I think this is it. Jeroen: opinions on what to upload?
Thijs
diff -Nur phpBB2.0.21/privmsg.php phpBB2.0.22/privmsg.php
--- phpBB2.0.21/privmsg.php 2006-06-09 16:29:43.0 +0200
+++ phpBB2.0.22/privmsg.php 2006-12-19 18:29:16.0 +0100
@@ -1376,7 +1385,7 @@
$privmsg_subject = ( isset($HTTP_POST_VARS['subject']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['subject']))) : '';
$privmsg_message = ( isset($HTTP_POST_VARS['message']) ) ? trim($HTTP_POST_VARS['message']) : '';
- $privmsg_message = preg_replace('#textarea#si', 'lt;textareagt;', $privmsg_message);
+ // $privmsg_message = preg_replace('#textarea#si', 'lt;textareagt;', $privmsg_message);
if ( !$preview )
{
$privmsg_message = stripslashes($privmsg_message);
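Review bot: the removed `preg_replace('#textarea#si', ...)` is left behind as a commented-out line instead of being deleted; dead code in a security backport only obscures what actually changed, so drop the line. The substitution it replaces rewrote every occurrence of the string `textarea` in the message body, which mangled legitimate text and did nothing for any other injected markup, so moving to `htmlspecialchars` at output time (as the last hunk in this file does for the error path) is the right direction; confirm, though, that every other place that re-renders `$privmsg_message` into the form, including the `$preview` branch visible here, escapes it as well.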
@@ -1480,7 +1489,7 @@
}
$privmsg_message = str_replace('br /', \n, $privmsg_message);
- $privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
+ // $privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
$user_sig = ( $board_config['allow_sig'] ) ? (($privmsg['privmsgs_type'] == PRIVMSGS_NEW_MAIL) ? $user_sig : $privmsg['user_sig']) : '';
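Review bot: same pattern as the first hunk, the `#/textarea#si` replacement is commented out rather than removed. Also, as pasted here the replacement string reads `lt;/textareagt;` and the second argument of `str_replace('br /', \n, ...)` is unquoted, which looks like the `&`, `<`, `>` and quote characters were stripped when the diff went into the mail; apply from the original upstream diff rather than from this copy.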
@@ -1523,7 +1532,7 @@
$privmsg_message = preg_replace(/\:(([a-z0-9]:)?)$privmsg_bbcode_uid/si, '', $privmsg_message);
$privmsg_message = str_replace('br /', \n, $privmsg_message);
-$privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
+// $privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
$privmsg_message = preg_replace($orig_word, $replacement_word, $privmsg_message);
$msg_date = create_date($board_config['default_dateformat'], $privmsg['privmsgs_date'], $board_config['board_timezone']);
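Review bot: third copy of the same commented-out `#/textarea#si` line in one file. Three near-identical edits suggest the escaping of the message body belongs in one place at output time rather than being patched at each call site; at a minimum the dead comments should be removed so the backport shows only the real change.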
@@ -1650,6 +1659,7 @@
//
if ($error)
{
+ $privmsg_message = htmlspecialchars($privmsg_message);
$template-set_filenames(array(
'reg_header' = 'error_body.tpl')
);
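Review bot: the new `htmlspecialchars($privmsg_message)` is applied only inside `if ($error)`, i.e. when the message is echoed back through `error_body.tpl`. That matches the advisory (script code returned to the user when sending to a non-existent user), but it escapes the value after the earlier `stripslashes`/`str_replace` processing, so check that the template does not escape it a second time, and that the non-error preview rendering has its own escaping, since that path is not touched by this patch.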
diff -Nur phpBB2.0.21/includes/functions.php phpBB2.0.22/includes/functions.php
--- phpBB2.0.21/includes/functions.php 2006-06-09 16:29:41.0 +0200
+++ phpBB2.0.22/includes/functions.php 2006-12-19 18:29:15.0 +0100
@@ -917,7 +917,7 @@
$db-sql_close();
}
- if (strstr(urldecode($url), \n) || strstr(urldecode($url), \r))
+ if (strstr(urldecode($url), \n) || strstr(urldecode($url), \r) || strstr(urldecode($url), ';url'))
{
message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
}
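Review bot: the added `strstr(urldecode($url), ';url')` is a substring blacklist on the decoded value, and `strstr` is case-sensitive, so it matches only that exact lowercase spelling; prefer `stristr`, or better, restrict redirects to relative paths or a list of known hosts rather than enumerating bad substrings. The identical condition is also duplicated in login.php below; a single shared helper would keep the two checks from drifting apart.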
diff -Nur phpBB2.0.21/login.php phpBB2.0.22/login.php
--- phpBB2.0.21/login.php 2006-06-09 16:29:42.0 +0200
+++ phpBB2.0.22/login.php 2006-12-19 18:29:16.0 +0100
@@ -123,7 +123,7 @@
$redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('amp;', '', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
$redirect = str_replace('?', '', $redirect);
-if (strstr(urldecode($redirect), \n) || strstr(urldecode($redirect), \r))
+if (strstr(urldecode($redirect), \n) || strstr(urldecode($redirect), \r) || strstr(urldecode($redirect), ';url'))
{
message_die(GENERAL_ERROR, 'Tried to redirect to
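Review bot: this hunk is truncated in the mail; the `message_die(GENERAL_ERROR, 'Tried to redirect to` line is cut off and the trailing context lines are missing, so the patch as pasted will not apply cleanly and needs to be taken from the full upstream diff. Beyond that, the condition is a verbatim copy of the one added to includes/functions.php; factoring it into one shared function (with a case-insensitive or allow-list check there) avoids maintaining the same blacklist in two places.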