Possible phpBB <=2.0.11 bug or sql injection?

2005-02-18T00:00:00
ID SECURITYVULNS:DOC:7862
Type securityvulns
Reporter Securityvulns
Modified 2005-02-18T00:00:00

Description

Since phpbb's website says not to post it on their forum, I guess I'll post my findings here.

http://www.phpbb.com/phpBB/search.php?search_author=\\'fnfnfffffa,'\\*\cdf

or

http://www.phpbb.com/phpBB/search.php?search_author=\\\\\\\\\*\

It seems it has something to do with the the \'s *'s and length. I am not sure if this is a big bug but I decided to try that after looking at search.php


    $search_author = str_replace('*', '%', trim($search_author));

                            $sql = "SELECT user_id
                                    FROM " . USERS_TABLE . "
                                    WHERE username LIKE '" . str_replace("\'", "''", $search_author) .

"'"; if ( !($result = $db->sql_query($sql)) ) { message_die(GENERAL_ERROR, "Couldn't obtain list of matching users (searching for: $search_author)", "", LINE, FILE, $sql); }


Not sure if this is anything, but it seems to be running in the sql and erroring.

Thanks for your time, jtm