Re: PunBB BBCode IMG Tag Script Injection Vulnerability

From: Aaron Horst (anthrax101_at_gmail.com)
Date: 08/30/05

  • Next message: bannedit_at_frontiernet.net: "Fetchmail 6.2.5 exploit for Bugtraq ID: 14349" 
    Date: Mon, 29 Aug 2005 21:02:04 -0400
To: bugtraq@securityfocus.com

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    While this can have some drastic implications, this is not actually
    script injection. You are redirecting the browser, no extra code gets
    executed in the context of the PHP processor.

    Any piece of software that allows for linking with offsite image
    files will be vulnerable to this, not simply phpBB or PunBB. The
    browser itself is interpreting the redirect request and sending
    another request for the overall web page. This is effectively
    impossible to filter out on the server side while still allowing
    offsite linking, the only real solution is to prohibit anything that
    is not controlled by the software.

    AnthraX101

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1

    iQA/AwUBQxOv+A4h295M1tC9EQKbhgCeI5lTwRoQSsxYaWzUkXoLIinenmQAmwWi
    gS8fYRhXgneGsmmo/4DMI21F
    =Ng78
    -----END PGP SIGNATURE-----

    On 29 Aug 2005 08:49:29 -0000, y3dips@echo.or.id <y3dips@echo.or.id> wrote:
    > ECHO_ADV_22$2005
    >
    > ---------------------------------------------------------------------------
    > PunBB BBCode IMG Tag Script Injection Vulnerability
    > ---------------------------------------------------------------------------
    >
    > Author: y3dips
    > Date: August, 20th 2005
    > Location: Indonesia, Jakarta
    > Web: http://echo.or.id/adv/adv22-y3dips-2005.txt
    >
    > ---------------------------------------------------------------------------
    >
    > Affected software description:
    > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    >
    > Version: 1.2.6 and most likely below
    > url : http://punbb.org
    > Author: Rickard Andersson
    > Description:
    >
    > PunBB is a fast and lightweight PHP powered discussion board. It is released under the GNU Public License. Its primary goal is to be a faster, smaller and less graphic alternative to otherwise excellent discussion boards such as phpBB, Invision Power Board or vBulletin. PunBB has fewer features than many other discussion boards, but is generally faster and outputs smaller pages.
    >
    > ---------------------------------------------------------------------------
    >
    > Vulnerabilities:
    > ~~~~~~~~~~~~~~~~
    >
    > According to the issue that affect PHPBB discovered by easyex recently at http://www.securityfocus.com/bid/14555/info , so it also affected in another bulletin board or forum that allow BBcode such as PunBB.
    >
    > The issue is due to a failure of the application to properly sanitize user-supplied input in bbcode '[IMG]' tags included in a message or user signature (if allowed , default is off) .
    >
    > Successful exploitation of this vulnerability could permit the injection of arbitrary HTML or script code into the browser of an unsuspecting user in the context of the affected site.
    >
    >
    > Exploit:
    > ~~~~~~~~
    >
    > just post a message that include
    >
    > [img]http://attacker.com/yuckfou.png[/img]
    >
    > yuckfou.png is a folder , and include some "index.php" file
    >
    > ---- index.php ----
    >
    > <?php
    > header("Location: http://target.com/punbb1.2.6/login.php?action=out&id=2"); ?>
    >
    > ---- eof ------
    >
    > so , user with id=2 if open the topics with attacker message include will automatically "logout"
    >
    > maybe some other interesting in command could put in "index.php" with admin priveledged *_^
    >
    >
    > THATS all
    >
    > Fix
    > ~~~
    >
    > Vendor allready contacted but no responses
    >
    > Shoutz:
    >
    > ~~~~~~~
    >
    >
    >
    > ~ m0by, the_day, comex, z3r0byt3, K-159, c-a-s-e, S`to @T echo/staff
    > ~ waraxe , LINUX, Heintz , slimjim100 , lunix, easyex all member of waraxe
    >
    > ~ newbie_hacker@yahoogroups.com ,
    >
    > ~ #e-c-h-o & #aikmel @DALNET
    >
    > Contact:
    > ~~~~~~~~
    >
    > y3dips || echo|staff
    > Homepage: http://y3dips.echo.or.id/
    > 

    -- 
AnthraX101 -- PGP Key ID# 0x4CD6D0BD
Fingerprint:
8161 D008 3DAB 86C1 2CA3  AEDE 0E21 DBDE 4CD6 D0BD
  • Next message: bannedit_at_frontiernet.net: "Fetchmail 6.2.5 exploit for Bugtraq ID: 14349"

    Relevant Pages

    • Have virus I cant get rid of and I need HELP!
      ... current security updates available and resets your ... explorer setting and downloads a bunch of malicious ... registry settings for my browser are fine so I can not ... prd=ie&ar=iesearch" and redirecting my computers ...
      (microsoft.public.windowsxp.security_admin)
    • Browser Errors.. Seems like Hijack but isnt
      ... habit of sending out browser hijacks.. ... I have used adaware, spybot, and hijack this and there is ... browser is redirecting on its own to websites previously ... are, and further, I cannot log into my bank website, which ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Cannot search and cannot download
      ... hijacked, redirecting every address ... web pages, the browser redirects to ... Also, if I follow any download link, to download .exe's ... downloadibng a spyware detection programme. ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Re: Cannot search and cannot download
      ... > hijacked, redirecting every address ... > pages and the default search engine has returned. ... > web pages, the browser redirects to ... > Also, if I follow any download link, to download .exe's ...
      (microsoft.public.windows.inetexplorer.ie6.browser)
    • Re: Again "headers already sent by ".
      ... > "The reason you are getting this warning is because PHP is trying to ... > send a header (redirecting in this case) to browser, but it cannot, ... > browser open this file it is immediatly redirected to second ... Then the clients browser receives a command to go to page1.php ...
      (comp.lang.php)