SecurityTracker Archives
Category:   Application (Forum/Board/Portal)  >   phpBB
Vendors:   phpBB Group
phpBB Image Tag Filtering Hole Lets Remote Users Conduct Cross-Site Scripting Attacks Against phpBB Users
SecurityTracker Alert ID:  1004422
SecurityTracker URL:  http://securitytracker.com/id/1004422
CVE Reference:   CVE-2002-0902   (Links to External Site)
Updated:  Dec 16 2004
Original Entry Date:  May 31 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 2.0.0
Description:   A vulnerability was reported in the phpBB forum software. A remote user can conduct cross-site scripting attacks against phpBB users to steal their cookies and gain access to their phpBB accounts.

It is reported that phpBB checks only that the URL supplied in an [IMG] tag begins with "http://" and neither rejects nor encodes double-quote characters. Because the URL is then inserted verbatim into the src attribute of an <img> tag, a remote user can close that attribute and append an event-handler attribute of their own. For example, a remote user can insert the following text into a message:

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

When the target (victim) user reads the message, the browser fails to load the bogus image, fires the injected onerror handler, and executes the scripting code in the security context of the site running phpBB. If the code was malicious, it could obtain the target user's cookies associated with that site. This would allow a remote user to grab the target user's authentication cookies and then login to the phpBB forum as the target user.

This same vulnerability reportedly exists in the remote avatar part of the user profile.

Impact:   A remote user could cause arbitrary scripting code to be executed by the target (victim) user's browser to steal the target user's phpBB forum authentication cookies. With the authentication cookies, the remote user can then login to the phpBB forum as the target user.
Solution:   The vendor has released a fixed version (2.0.1), available at:

http://www.phpbb.com/downloads.php

Vendor URL:  www.phpbb.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Dec 16 2004 (Additional Exploit Details) phpBB Image Tag Filtering Hole Lets Remote Users Conduct Cross-Site Scripting Attacks Against phpBB Users
Details about an exploit variant are provided.



 Source Message Contents

Subject:  Cross Site Scripting Vulnerability in phpBB2's [IMG] tag and remote



phpBB2 Cross Site Scripting Vulnerability 
-------------------------------------------- 

Affected Program: phpBB2 version 2.0.0 
  (possibly earlier versions too, but not tested) 
Vendor: http://www.phpbb.com 
Vendor Status: informed on 24/04/2002, fix issued on 20/05/2002 
Discovery Date: 24/04/2002 
Release Date: 26/05/2002 
Vulnerability Class: Cross Site Scripting 


Severity 
-------- 
Malicious users can steal other users' and admins' cookies, allowing
them to impersonate other users on the board and access the
administration panel. 


Problem 
------- 
The problem is very similar to SQL injection. 
phpBB2 uses a user provided string (through the [IMG] tag) 
in the following HTML tag: 

<img src="$user_provided" border="0" /> 

While there is a check to force the string to begin with "http://", it
doesn't disallow ". That means a malicious user can escape the src="" in
the HTML tag and insert his own HTML code. 
This same problem also exists in the remote avatar part of the user
profile. 


Example 
------- 
Enter the following anywhere in a message: 

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img] 

When reading that message it should popup an alert box with your
cookies. 


Solutions 
--------- 
* Upgrade to 2.0.1 

-- 
XiM 
(#icerealm on irc.icerealm.net) 
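As an added illustration of the attribute breakout described in the SecurityTracker description above and in the Problem section of the advisory (this is example code written for this page, not phpBB's own source), the following Python re-implements the described [IMG] rendering logic: a variant that only checks the "http://" prefix, as the advisory says phpBB 2.0.0 did, beside an output-encoding fix and an allowlist-plus-encoding fix. The function names, the small attribute parser, and the benign sample URL are assumptions made for the example; the payload string is the one from the advisory.

```python
import html
import re
from typing import List, Optional

# Constructed sample input: the exploit string quoted in the advisory.
PAYLOAD = 'http://a.a/a"onerror="javascript:alert(document.cookie)'

# Constructed benign input, used to show the fixes do not break normal images.
BENIGN = "http://example.com/images/logo.png"

# Crude attribute scanner (example helper, not a real HTML parser): it mirrors
# how a browser tokenises name="value" pairs, including pairs that are not
# separated by whitespace, which is what makes the payload work.
_ATTR_RE = re.compile(r'([A-Za-z_:][-A-Za-z0-9_:.]*)="([^"]*)"')

# Allowlist for the hardened variant: URL characters only, no quotes, angle
# brackets, whitespace or parentheses.
_SAFE_URL_RE = re.compile(r'https?://[A-Za-z0-9._~:/?#@!$&*+,;=%\-]+\Z')


def render_img_vulnerable(url: str) -> Optional[str]:
    """Reproduces the behaviour the advisory describes (not phpBB's real code):
    only the "http://" prefix is checked, then the raw string is interpolated
    into the src attribute of the template."""
    if not url.startswith("http://"):
        return None
    return '<img src="%s" border="0" />' % url


def render_img_escaped(url: str) -> Optional[str]:
    """Minimal fix: HTML-encode the value on output so a double quote becomes
    &quot; and can no longer terminate the attribute."""
    if not url.startswith("http://"):
        return None
    return '<img src="%s" border="0" />' % html.escape(url, quote=True)


def render_img_hardened(url: str) -> Optional[str]:
    """Defence in depth: reject anything outside a URL character allowlist,
    and still encode on output in case the allowlist is ever loosened."""
    if not _SAFE_URL_RE.match(url):
        return None
    return '<img src="%s" border="0" />' % html.escape(url, quote=True)


def attribute_names(fragment: str) -> List[str]:
    """Names of the attributes a browser would see on the generated tag."""
    return [m.group(1) for m in _ATTR_RE.finditer(fragment)]


def has_event_handler(fragment: Optional[str]) -> bool:
    """True when the rendered tag carries an on* attribute the user injected."""
    if fragment is None:
        return False
    return any(name.lower().startswith("on") for name in attribute_names(fragment))


if __name__ == "__main__":
    for name, render in (("vulnerable", render_img_vulnerable),
                         ("escaped", render_img_escaped),
                         ("hardened", render_img_hardened)):
        out = render(PAYLOAD)
        print("%-10s -> %r" % (name, out))
        print("%-10s    attributes=%s handler=%s"
              % ("", attribute_names(out) if out else None, has_event_handler(out)))
```

Running the block shows the vulnerable renderer emitting src, onerror and border as three separate attributes (the missing space before onerror does not matter to a browser), the escaped renderer folding the whole payload into the src value, and the hardened renderer refusing the input outright. The prefix check alone is no protection, because it constrains the start of the string and nothing after it.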


Copyright 2019, SecurityGlobal.net LLC