|
|
|
|
phpBB 'usercp_register.php' Error Lets Remote Users Conduct Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1013362 |
|
SecurityTracker URL: http://securitytracker.com/id/1013362
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 3 2005
|
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.0.13 and prior versions
|
Description:
A vulnerability was reported in phpBB in the 'usercp_register.php' script. A remote user can conduct cross-site scripting attacks.
A remote user can submit a specially crafted signature via a private message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the phpBB software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The remote user can submit input to 'usercp_register.php' with a variable named 'allowhtml', 'allowbbcode', or 'allowsmilies' to trigger this vulnerability.
Paisterist from [N]eo [S]ecurity [T]eam discovered this vulnerability.
|
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the phpBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.phpbb.com/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Subject: Advisory #08 - phpBB 2.0.13 Bad filtered in usercp_register.php
|
/*
--------------------------------------------------------
--------------------------------------------------------
Program: phpBB 2.0.13
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.13 & Lower versions
Risk: Low Risk
Impact: bbcode, smilies, and html not bad filtered en usercp_register.php
phpBB 2.0.13 Bad filtered in usercp_register.php
---------------------------------------------------------
- Description
---------------------------------------------------------
phpBB is an Open Source project that is developed of a big comunnity of programmers. It has suport for a lot of databases, like Oracle,
MSSQL, MySql, PostGres, etc, and is one of the more useds precompilateds packages.
- Tested
---------------------------------------------------------
I tested this bug in localhost and other forums
- Explotation
---------------------------------------------------------
The bad code is in the usercp_register.php file. The next part of the code is the vulnerable:
$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];
If we specify a variable in the html code (any type: hidden, text, radio, check, etc) with the name allowhtml, allowbbcode or
allowsmilies, is going to be on the html, bbcode and smilies in our signature. But this only works for private messages.
In the topics our signature is going to be filtered, but no in the private messages.
- Exploit
---------------------------------------------------------
1 - Copy the html code of the registration page of the vulnerable forum.
2 - Change the form action to the path of the forum and profile.php. Example: http://phpbb.com/phpBB2/profile.php
3 - Add the variable for to enable the bbode, htmlcode or smilies (if they're not) in your private messages. Example:
4 - With your html registration page (modified) you have to register any user with some html code in the signature for test
this bug.
- Solutions
--------------------------------------------------------
At this date there is not any update, but we can change the code of the file usercp_register.php
Vulnerable:
$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];
Fixed:
$allowhtml = ( $board_config['allowhtml']) ) ? TRUE : 0;
$allowbbcode = ( $board_config['allowbbcode']) ) ? TRUE : 0;
$allowsmilies = ( $board_config['allowsmilies']) ) ? TRUE : 0;
- References
--------------------------------------------------------
http://neosecurityteam.tk/index.php?pagina=advisories&id=8
- Credits
-------------------------------------------------
Discovered by Paisterist
Any Question? paisterist.nst[at]gmail[dot]com
Irc.InfoGroup.cl #neosecurityteam
- Greetz
--------------------------------------------------------
Hackzatan
T0wn3r
Crashcool
Daemon21
Merlin
Maxx
Arcanhell
@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/
|
|
Go to the Top of This SecurityTracker Archive Page
|
