SecurityTracker.com
SecurityTracker
Archives
Category: Application (Forum/Board/Portal) > phpBB
Vendors: phpBB Group
phpBB2 Input Validation Flaw Lets Remote Users Insert Scripting Code into Certain HTML Tags to Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1005713
CVE Reference: GENERIC-MAP-NOMATCH
Date: Nov 26 2002
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): 2.0.3
Description:  An input validation vulnerability was reported in the phpBB2 forum software. A remote user can conduct cross-site scripting attacks against phpBB2 users when the server is configured

Sec-Tec Ltd reported that if phpBB2 is configured to allow the use of certain html tags for text formatting, a remote user can insert the following type of text into a user post:

<b onMouseOver="alert(document.location);">This piece of text could be
dangerous if you were to move your mouse over it!</b>
<i onClick="alert(document.location);">This piece of text could be dangerous
if you were to click it!</i>
<u onClick="alert('Hello');">This piece of text could be dangerous if you
were to click it!</u>

This will cause a target user's browser to execute arbitrary scripting code when the target user places their mouse over the affected text. The code will originate from the site running phpBB2 and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:  A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running phpBB2, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:  No solution was available at the time of this entry.

The vendor reportedly suggests that you disable the ability to post messages containing HTML and require users to use BBCode instead.
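As an added illustration (not phpBB's code and not part of the advisory), the following compares a hypothetical filter that allowlists tags by name only, which lets the advisory's event-handler payload through, with two defensive variants: escaping everything and re-enabling only bare <b>, <i>, <u> tags, and the vendor's suggested BBCode route. It assumes the board wants exactly those three tags; the sample post is constructed from the advisory's payload.

```python
import html
import re

# Payload quoted in the advisory, embedded here as constructed test input.
POC_POST = ('<b onMouseOver="alert(document.location);">hover me</b> '
            '<i onClick="alert(document.location);">click me</i>')

# Assumption: the board only wants these three formatting tags.
ALLOWED = {"b", "i", "u"}

# One HTML tag: optional "/", tag name, and whatever follows up to ">".
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*)>")


def naive_filter(post: str) -> str:
    """Hypothetical filter that allowlists by tag NAME only (the flaw the
    advisory describes, not phpBB's actual parser). A <b> carrying an
    onMouseOver attribute is still a <b>, so the whole tag passes through."""
    def keep_or_escape(m):
        if m.group(2).lower() in ALLOWED:
            return m.group(0)               # attributes survive: XSS
        return html.escape(m.group(0))
    return TAG_RE.sub(keep_or_escape, post)


def hardened_filter(post: str) -> str:
    """Escape the whole post, then turn only BARE <b>, <i>, <u> and their
    closing tags back into markup. A tag with any attribute stays escaped,
    so an event handler is displayed as text rather than executed."""
    escaped = html.escape(post, quote=True)
    return re.sub(r"&lt;(/?)(b|i|u)&gt;", r"<\1\2>", escaped, flags=re.I)


def bbcode_to_html(post: str) -> str:
    """The vendor's suggested route: HTML off, BBCode on. [b]..[/b] has no
    attribute syntax, and every literal '<' has already been escaped."""
    out = html.escape(post, quote=True)
    for tag in ALLOWED:
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{tag}>\1</{tag}>",
                     out, flags=re.I | re.S)
    return out


def contains_event_handler_tag(rendered: str) -> bool:
    """True if a real (unescaped) tag still carries an on* attribute."""
    return re.search(r"<[a-z]+\s[^>]*\bon[a-z]+\s*=", rendered, re.I) is not None
```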

Vendor URL: www.phpbb.com/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: "Pete Foster" <pete@sec-tec.demon.co.uk>
Message History: None.


Source Message Contents

Date:  Mon, 25 Nov 2002 08:51:57 -0000
From:  "Pete Foster" <pete@sec-tec.demon.co.uk>
Subject:  [Sec-Tec Advisory] Local scripting vulnerability in phpBB


Application: phpBB2
Vendor     : http://www.phpbb.com
Problem    : Insufficient filtering of user input
Usability  : Easy
Severity   : Medium
Report by  : Pete Foster, Sec-Tec Ltd (http://www.sec-tec.com)

The Product (from vendor's site):
phpBB is a high powered, fully scalable, and highly customisable open-source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.

Details:
There exists a problem with the filtering of content from user posts.  It is
possible to configure phpBB2 to allow the use of certain html tags for text
formatting.  These tags can contain further script code that can be executed
on the client side.  Such scripts could be used to steal cookie information
amongst other things.

Proof of Concept:
Post a message to any of the forums in a phpBB2 bulletin board containing
the following text.

<b onMouseOver="alert(document.location);">This piece of text could be
dangerous if you were to move your mouse over it!</b>
<i onClick="alert(document.location);">This piece of text could be dangerous
if you were to click it!</i>
<u onClick="alert('Hello');">This piece of text could be dangerous if you
were to click it!</u>

Suggested fix:
Disable the ability to post messages containing html and force users to use
BBCode instead.

Tested on:
phpBB2 2.0.3
Apache 1.3.23
php 4.1.2
mySQL 11.16
RedHat Linux 7.3

Vendor's response:
+ The solution is as stated ... disable HTML, BBCode should be more than
+ adequate for many users' needs (don't forget additional controls exist in
+ the form of Mods).

+ Will look @ backporting phpBB 2.2 code to this but
+ the parsers are quite different thus it may not be possible.


Pete Foster
Senior Consultant - Sec-Tec Ltd
www.sec-tec.co.uk

Copyright 2002, SecurityGlobal.net LLC