phpbb-auction.com Forum Index phpbb-auction.com
Download, Support, Documentation
  		Donate to phpbb-auction.com to support the project


phpbb-Auction
  Home
   - News
   - Bug report/Patches
   - Future Features
  Demo
  Downloads
   - Version 1.3m  (Core /Lang /Mods)
   - Version 1.2m  (Core /Lang /Mods)
   - Version 1.0m  (Core /Lang /Mods)
   - All
  Services
  Documentation
   - Features
   - Documents
   - How-Tos
   - About
  Support
   - English
   - German
  Development
   - Changlog
   - Requests
   - Team
   - CVS
  Community
   - Website of the Month
   - Websites
   - Community Forum
   - Member

Navigation
FAQFAQ
SearchSearch
UsergroupsUsergroups
RegisterRegister
ProfileProfile
Log in to check your private messagesLog in to check your private messages
Log inLog in

Forum
Changing start time auctions
Sun Feb 07, 2010 4:33 am FR
Easy: what code to use to update sql table?
Fri Oct 16, 2009 8:39 am guyb
Unlimited products(downloads)
Wed Oct 14, 2009 7:09 pm hoimyr
Seller chooses currency
Sun Oct 11, 2009 8:00 pm hoimyr
Cant select end date without getting error
Sun Oct 11, 2009 6:43 pm hoimyr

About
Author: FR
Credits:
Brookfresh, Brad Lawryk, Crogon, DaMysterious, EklipzeDesigns, ML, musashi, phpBB Group, phpBB-Auction-Team, php-styles, sanman, Tel, Vampy, wGEric

Supported Sites





Statistics
User: 18518
Posts: 18401
Latest User: edwardtf3

[B1.2m-21a] -SQL Injection

 
Post new topic   Reply to topic    phpbb-auction.com Forum Index -> Older Version Bug report Patches
View previous topic :: View next topic  
Author Message
snkenjoi
Small-Cap Auctioneer
Small-Cap Auctioneer


Joined: 18 Apr 2005
Posts: 1
PostPosted: Thu Apr 21, 2005 12:22 pm    Post subject: [B1.2m-21a] -SQL Injection Reply with quote
sNKenjoi's Security Advisory: [ZH2005-12SA] SQL Injection & Full Path Disclosure in phpBB Auction


Security Advisory: SQL Injection & Full Path Disclosure in phpBB Auction
Severity: High
Title: SQL Injection & Full Path Disclosure in phpBB Auction

Versions

phpBB: Any Version
Auction Mod: Version 1.2m (and below)

Vendor: phpBB-Auction
Vendor Website: http://www.phpbb-auction.com/

Proof of Concept Exploits:

SQL Injection (Full Path Disclosure also works sometimes)
http://localhost/auction_rating.php?mode=view&u='
http://localhost/auction_offer.php?mode=add&ar='
Full Path Disclosure
http://localhost/auction_myauctions.php?mode=f00b4r

(For some you will have to be logged in)

snkenjoi.com & zone-h.org
snkenjoi@gmail.com
Back to top
View user's profile Send private message
FR
Site Admin
Site Admin


Joined: 26 Jan 2004
Posts: 1764
Location: root directory
PostPosted: Thu Apr 21, 2005 5:15 pm    Post subject: Reply with quote
Please try the following

OPEN auction_rating.php

FIND
Code:
                    // Get username
                    $sql = "SELECT username
                            FROM " . USERS_TABLE . "
                            WHERE user_id = " . $HTTP_GET_VARS[POST_USERS_URL];

REPLACE WITH
Code:
                    $user_id = ( isset($HTTP_GET_VARS[POST_USERS_URL]) );
                    $user_id = htmlspecialchars($user_id);

                    // Get username
                    $sql = "SELECT username
                            FROM " . USERS_TABLE . "
                            WHERE user_id = " . $user_id;

FIND
Code:
                            WHERE ur.FK_auction_offer_buyer_id = " . $HTTP_GET_VARS[POST_USERS_URL] . " AND

REPLACE WITH
Code:
                            WHERE ur.FK_auction_offer_buyer_id = " . $user_id . " AND

FIND
Code:
                             WHERE ur.FK_auction_offer_seller_id = " . $HTTP_GET_VARS[POST_USERS_URL] . " AND

REPLACE WITH
Code:
                             WHERE ur.FK_auction_offer_seller_id = " . $user_id . " AND

FIND
Code:
                     if ( $userdata['user_id'] == $HTTP_GET_VARS[POST_USERS_URL] )

REPLACE WITH
Code:
                     if ( $userdata['user_id'] == $user_id )

_________________
Want to say thank you. Use my Amazon Wishlist
Meet the world on movie-on.com

Last edited by FR on Thu Apr 21, 2005 5:28 pm; edited 2 times in total
Back to top
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
FR
Site Admin
Site Admin


Joined: 26 Jan 2004
Posts: 1764
Location: root directory
PostPosted: Thu Apr 21, 2005 5:20 pm    Post subject: Reply with quote
OPEN auction_offer

FIND
Code:
                 // check if user is logged in
                 if ($userdata['user_id']<0)
                    {
                           redirect("login.".$phpEx."?redirect=auction_offer.".$phpEx."?mode=add&" . POST_AUCTION_ROOM_URL . "=" . $HTTP_GET_VARS[POST_AUCTION_ROOM_URL]);
                           exit;
                    }


Replace with
Code:
                 $room_id = ( isset($HTTP_GET_VARS[POST_AUCTION_ROOM_URL]) );
                 $room_id = htmlspecialchars($room_id);
                   
                 // check if user is logged in
                 if ($userdata['user_id']<0)
                    {
                           redirect("login.".$phpEx."?redirect=auction_offer.".$phpEx."?mode=add&" . POST_AUCTION_ROOM_URL . "=" . $room_id);
                           exit;
                    }


FIND
Code:
                    if ($row['PK_auction_room_id'] == $HTTP_GET_VARS[POST_AUCTION_ROOM_URL])


REPLACE WITH
Code:
                    if ($row['PK_auction_room_id'] == $room_id)


FIND
Code:
                       'S_AUCTION_ADD_OFFER_ACTION' => append_sid("auction_offer.$phpEx?mode=create&" . POST_AUCTION_ROOM_URL . "=" . $HTTP_GET_VARS[POST_AUCTION_ROOM_URL])));


REPLACE WITH
Code:
                       'S_AUCTION_ADD_OFFER_ACTION' => append_sid("auction_offer.$phpEx?mode=create&" . POST_AUCTION_ROOM_URL . "=" . $room_id)));

_________________
Want to say thank you. Use my Amazon Wishlist
Meet the world on movie-on.com
Back to top
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
FR
Site Admin
Site Admin


Joined: 26 Jan 2004
Posts: 1764
Location: root directory
PostPosted: Thu Apr 21, 2005 5:26 pm    Post subject: Reply with quote
Open auction_my_auctions.php

FIND
Code:

                  $sql = "SELECT auction_watchlist_time
                          FROM " . AUCTION_WATCHLIST_TABLE . "
                          WHERE FK_auction_offer_id=". $HTTP_GET_VARS[POST_AUCTION_OFFER_URL] . " AND
                          FK_auction_user_id=" . $userdata['user_id'] . "";


REPLACE WITH
Code:
                    $offer_id = ( isset($HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) );
                    $offer_id = htmlspecialchars($offer_id);
                   
                  $sql = "SELECT auction_watchlist_time
                          FROM " . AUCTION_WATCHLIST_TABLE . "
                          WHERE FK_auction_offer_id=". $offer_id . " AND
                          FK_auction_user_id=" . $userdata['user_id'] . "";


FIND
Code:
                            $message = $lang['auction_watchlist_already_in'] . "<br /><br />" . sprintf($lang['Click_return_offer'], "<a href=\"" . append_sid("auction_offer_view.$phpEx?ao=" . $HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) . "\">", "</a>") . "<br /><br />" . sprintf($lang['Click_return_auction_index'], "<a href=\"" . append_sid("auction.$phpEx") . "\">", "</a>");


REPLACE WITH
Code:
                            $message = $lang['auction_watchlist_already_in'] . "<br /><br />" . sprintf($lang['Click_return_offer'], "<a href=\"" . append_sid("auction_offer_view.$phpEx?ao=" . $offer_id) . "\">", "</a>") . "<br /><br />" . sprintf($lang['Click_return_auction_index'], "<a href=\"" . append_sid("auction.$phpEx") . "\">", "</a>");


FIND
Code:
                          VALUES (". $HTTP_GET_VARS[POST_AUCTION_OFFER_URL] . ",


REPLACE WITH
Code:
                          VALUES (". $offer_id . ",


FIND
Code:
                  $message = $lang['auction_watchlist_added_successful'] . "<br /><br />" . sprintf($lang['Click_return_offer'], "<a href=\"" . append_sid("auction_offer_view.$phpEx?ao=" . $HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) . "\">", "</a>") . "<br /><br />" . sprintf($lang['Click_return_auction_index'], "<a href=\"" . append_sid("auction.$phpEx") . "\">", "</a>");


REPLACE WITH
Code:
                  $message = $lang['auction_watchlist_added_successful'] . "<br /><br />" . sprintf($lang['Click_return_offer'], "<a href=\"" . append_sid("auction_offer_view.$phpEx?ao=" . $offer_id) . "\">", "</a>") . "<br /><br />" . sprintf($lang['Click_return_auction_index'], "<a href=\"" . append_sid("auction.$phpEx") . "\">", "</a>");


FIND
Code:
                  $sql = "DELETE FROM " . AUCTION_WATCHLIST_TABLE . "
                          WHERE FK_auction_offer_id=". $HTTP_GET_VARS[POST_AUCTION_OFFER_URL] . " AND  FK_auction_user_id=" . $userdata['user_id'] . "";


REPLACE WITH
Code:
                  $offer_id = ( isset(HTTP_GET_VARS[POST_AUCTION_OFFER_URL]) );
                  $offer_id = htmlspecialchars($offer_id);
                   
                  $sql = "DELETE FROM " . AUCTION_WATCHLIST_TABLE . "
                          WHERE FK_auction_offer_id=". $offer_id . " AND  FK_auction_user_id=" . $userdata['user_id'] . "";

_________________
Want to say thank you. Use my Amazon Wishlist
Meet the world on movie-on.com
Back to top
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    phpbb-auction.com Forum Index -> Older Version Bug report Patches All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


phpbb-auction.com - Developed by www.digital-media-lab.com
Sponsored by: www.globibo.com - www.learn2go.de - www.talentone.org - www.language-school.in - www.ping-ke.cn