[UNIX] phpBB Cross Site Scripting Vulnerability

From: support@securiteam.com
Date: 05/28/02


From: support@securiteam.com
To: list@securiteam.com
Date: Tue, 28 May 2002 08:27:11 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  phpBB Cross Site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

phpBB <http://www.phpbb.com/> is a high-powered, fully scalable, and
highly customizable forums package. phpBB has a user-friendly interface,
a simple and straightforward administration panel, and a helpful FAQ. A
security vulnerability in the product allows remote attackers to insert
malicious HTML and JavaScript into existing web pages (cross-site
scripting).

DETAILS

Vulnerable systems:
 * phpBB2 version 2.0.0

Immune systems:
 * phpBB2 version 2.0.1

phpBB uses a user provided string (through the [IMG] tag) in the following
HTML tag:
<img src="$user_provided" border="0" />

While there is a check that forces the string to begin with "http://", it
does not reject the double-quote character ("). This means that a malicious
user can close the src="" attribute in the HTML tag and insert his own HTML
code. The same problem also exists in the remote avatar part of the user
profile.

Example:
Enter the following anywhere in a message:
[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

After that, anyone reading the message should see a popup with his cookie.
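
The flawed check and one way to close it, as an added PHP example (not phpBB's code and not the 2.0.1 patch; the function names are hypothetical and the hardened URL rule is an assumption about what a forum would accept):

```php
<?php
// Added illustration, not phpBB source; function names are hypothetical.
// Only the [img] handling is modelled; the rest of the post is left untouched.

// Mirrors the flaw described in the advisory: the URL must start with
// "http://", but everything after it, including ", is copied into src="".
function render_img_vulnerable(string $post): string
{
    return preg_replace(
        '#\[img\](http://.*?)\[/img\]#i',
        '<img src="$1" border="0" />',
        $post
    );
}

// Hardened form: reject URLs containing quotes, whitespace, angle brackets or
// control characters, then HTML-escape the value before it enters the attribute.
function render_img_hardened(string $post): string
{
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            $url = $m[1];
            if (!preg_match('#^https?://[^\s"\'<>\x00-\x1f]+\z#i', $url)) {
                // Leave the tag as inert, escaped text instead of emitting markup.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
                 . '" border="0" />';
        },
        $post
    );
}

// Constructed inputs: a benign image tag and the advisory's own example.
$samples = [
    '[img]http://example.com/logo.png[/img]',
    '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]',
];

foreach ($samples as $s) {
    echo "input:      $s\n";
    echo "vulnerable: " . render_img_vulnerable($s) . "\n";
    echo "hardened:   " . render_img_hardened($s) . "\n\n";
}
```

With the advisory's input, the first function emits an img tag carrying a separate onerror attribute, while the second emits the original tag as escaped text with no markup.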

Severity:
Malicious users can steal other users' and the administrator's cookies.
This would allow the attacker to impersonate other users on the board and
access the administration panel.

Solution:
Upgrade to the latest version of phpBB2 (version 2.0.1).

ADDITIONAL INFORMATION

The information has been provided by Martijn Boerwinkel
<xim@xs4all.nl>.
