[34705] in bugtraq


Re: phpBB 2.0.8a and lower - IP spoofing vulnerability

daemon@ATHENA.MIT.EDU (Xin LI)
Thu Apr 29 14:18:09 2004

Date: Thu, 29 Apr 2004 10:16:34 +0800
From: Xin LI <delphij@frontfree.net>
To: BlueRaven <blue@ravenconsulting.it>
Cc: bugtraq@securityfocus.com
Message-ID: <20040429021634.GA379@frontfree.net>
In-Reply-To: <20040428090326.GA4886@mythdrannor.my.lan>


On Wed, Apr 28, 2004 at 11:03:26AM +0200, BlueRaven wrote:
> On Wed, Apr 21, 2004 at 09:10:55AM +0800, Xin LI wrote:
> 
> Hi Xin, I think there's an error in your patch:
> 
> > -		if ( !$db->sql_query($sql) )
> > +		if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
> 
> This does NOT prevent execution of the query, only affects output of the
> message:
> 
> >  		{
> >  			message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> >  		}
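Review bot: the guard added on the `+` line does suppress the query for anonymous users, not only the error message: PHP's `&&` short-circuits, so `$db->sql_query($sql)` is never reached when `$user_id != ANONYMOUS` is false. The readability cost is that a side-effecting call now sits inside the condition, which is exactly what invites the misreading above; wrapping the query in an explicit `if ( $user_id != ANONYMOUS )` block with the same `message_die()` call inside makes the intent visible without changing behaviour. It is also worth confirming that the code following this block does not assume a session row was inserted for the anonymous case once the INSERT is skipped.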
> 
> I think it should read as follows:
> 
> 		if ( $user_id != ANONYMOUS ) {
> 			if ( !$db->sql_query($sql) ) {
> 				message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
> 			}
> 		}
> 
> I'm not a great PHP programmer, though, so please correct me if I'm wrong.

Well... I don't think so. When an expression evaluates to false before a
&& operator, the rest of the things after the && should be "short-
circuited" instead of being evaluated. This is the default behavior in most
programming languages, and I believe that this is the behavior of PHP,
too.

Let me prove my assumption with the following code:

----------snip-------------
<?php
  // Left-hand operand of the && test below; it is false on purpose.
  $i = false;

  function f()
  {
    echo "f() called";
    return 1;
  }

  echo "before f()<br />";

  // Explicit call: this is the only time f() should run.
  f();
  echo "<br />after f()";
  echo "<br />";

  // $i is false, so && short-circuits and f() is never evaluated here.
  if( ($i) && (f() > 0)) {
    // do nothing
  }

  echo "end";
?>
----------snip-------------

And I get the following output:

----------snip-------------
before f()
f() called
after f()
end
----------snip-------------

As you can see, f() is called only once, by explicitly calling it.
The second call, because $i == false, is short-circuited and not
evaluated.

I have run the patch on one of the servers I maintain for some
months, and it has been proven that the anonymous session denial
of service problem has been addressed (at least worked around).

To complain to the phpBB.com development team:

Not sure why phpBB.com did not respond to my submission after I
privately submitted this to them nearly two months ago and this
BugTraq post. They responded to me with nothing - no admissions, no
rejections. I am re-thinking whether to handle phpBB problems
I found... Submitting to security@phpbb.com as they desired seems
to be inefficient. Maybe they don't consider the session resource
exhaustion a problem, but they did not reply to me; I don't
think that's a good practice.

Cheers,
-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.
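To make the point of the thread checkable rather than argued, here is an added example that is not part of the original mail or of phpBB: a recording stand-in for phpBB's `$db` object is passed through both forms of the guard, the one-line `&&` version from the patch and the nested `if` proposed in the quoted reply, and the number of queries actually issued is counted for an anonymous and a registered user id. The `RecordingDb` class, the `create_session_*` functions, the `ANONYMOUS` value and the INSERT text are all constructed for this demonstration.

```php
<?php
// Added example (not from the original thread): count how many times
// sql_query() is reached under each form of the guard discussed above.

// phpBB 2 uses a sentinel for the anonymous user; the value here is assumed.
define('ANONYMOUS', -1);

// Stand-in for phpBB's $db that only records what it was asked to run.
class RecordingDb
{
    public $queries = array();

    // Records the query and reports success, as a driver would on an INSERT.
    public function sql_query($sql)
    {
        $this->queries[] = $sql;
        return true;
    }
}

// Form 1: the guard from the patch, query call inside the condition.
function create_session_inline($db, $user_id, $sql)
{
    if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
    {
        return 'Error creating new session';
    }
    return 'ok';
}

// Form 2: the explicit nested form proposed in the quoted reply.
function create_session_nested($db, $user_id, $sql)
{
    if ( $user_id != ANONYMOUS )
    {
        if ( !$db->sql_query($sql) )
        {
            return 'Error creating new session';
        }
    }
    return 'ok';
}

// Constructed session INSERT; the real phpBB statement is longer.
$sql_template = "INSERT INTO phpbb_sessions (session_user_id) VALUES (%d)";

$forms = array(
    'inline' => 'create_session_inline',
    'nested' => 'create_session_nested',
);

foreach ($forms as $label => $fn)
{
    foreach (array(ANONYMOUS, 42) as $uid)
    {
        $db = new RecordingDb();
        $result = $fn($db, $uid, sprintf($sql_template, $uid));
        printf("%-6s user_id=%3d result=%-2s queries_run=%d\n",
               $label, $uid, $result, count($db->queries));
    }
}
?>
```

Running this with the PHP CLI shows the same `queries_run` count for both forms at each user id: no query for `ANONYMOUS`, one query for the registered user. That is the behaviour the reply relies on, and the counter, not the error message, is the thing to check when reviewing a guard like this, because it is the skipped INSERT that stops anonymous visitors from filling the session table.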


