- Plug another SQL injection vulnerability

Exploit posted at:	http://www.securityfocus.com/archive/1/358708
Patch obtained from:	http://www.securityfocus.com/archive/1/358751

PR:		ports/64803
Submitted by:	Kang Liu <liukang@bjpu.edu.cn> (maintainer)

2 files changed, 23 insertions, 0 deletions

diff --git a/www/phpbb/Makefile b/www/phpbb/Makefile
index 264d427..6c3ae58 100644
--- a/www/phpbb/Makefile
+++ b/www/phpbb/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	phpbb
 PORTVERSION=	2.0.8
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	${PORTNAME}
@@ -60,6 +61,7 @@ pre-everything::
 post-patch:
 	@ ${REINPLACE_CMD} -e "s#\.\./templates#/${PHPBBURL}/templates#" \
 	  ${WRKSRC}/docs/*.html
+	@ ${RM} ${WRKSRC}/*.orig
 
 post-configure:
 	@ ${SED} \
diff --git a/www/phpbb/files/patch-privmsg.php b/www/phpbb/files/patch-privmsg.php
new file mode 100644
index 0000000..ae3bd89
--- /dev/null
+++ b/www/phpbb/files/patch-privmsg.php
@@ -0,0 +1,21 @@
+--- privmsg.php	2004-03-18 19:51:32.000000000 +0000
++++ privmsg.1.php	2004-03-26 19:51:07.000000000 +0000
+@@ -212,7 +212,17 @@
+ 			break;
+ 		case 'savebox':
+ 			$l_box_name = $lang['Savebox'];
+-			$pm_sql_user .= "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
++			
++			//
++			// For some obscure reason, the assignment 
++			// concatenation operator was coded below, which 
++			// allowed an attacker to append arbitrary SQL code
++			// to the end of the $pm_sql_user variable.
++			// This is fixed below.
++			//
++			// -shaun2k2
++			//
++			$pm_sql_user = "AND ( ( pm.privmsgs_to_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_IN_MAIL . " ) 
+ 				OR ( pm.privmsgs_from_userid = " . $userdata['user_id'] . "
+ 					AND pm.privmsgs_type = " . PRIVMSGS_SAVED_OUT_MAIL . " )