[Advisory] phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability

From: Florian Hobelsberger / BlueScreen (genius28at_private)
Date: Tue Mar 26 2002 - 16:08:34 PST


    - ------------------------------------------------------------
    itcp advisory 5 advisories@it-checkpoint.net
    http://www.it-checkpoint.net/advisory/5.html
    March 21st, 2002
    - ------------------------------------------------------------
    
    
    
    phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
    - -------------------------
    
    Affected program: phpBB 1.4.4
    Vendor: www.phpBB.org
    Vulnerability-Class: Cross Site Scripting (CSS)
    OS specific: No
    Problem-Type: remote
    
    
    
    
    SUMMARY
    
    After a similar bug was discovered in phpBB 1.4.2, the authors fixed the bug
    with which JavaScript could be inserted by using an [IMG] tag like:
    
    [img]javascript:alert('bla')[/img]
    
    But there is only a check when you post new messages. If you just edit an
    existing message, you can still use this bug to insert JavaScript.
    
    
    DETAILS
    
    There is no check in the edit function of phpBB 1.4.4 whether JavaScript or
    other unwanted code is written within IMG tags.
    
    
    IMPACT
    
    Cookies can be stolen.
    Hint: What CSS can be used for is currently being discussed on Bugtraq.
    Perhaps you should just visit one of the many Bugtraq archives to learn
    about the dangers of CSS vulnerabilities.
    
    
    EXPLOIT
    
    Create a new topic or reply to an existing one.
    Then, after posting your message, click on the "edit" button and enter
    anywhere in your posting:
    
    [img]javascript:alert(document.cookie)[/img]
    
    After posting the message, you should see the contents of the cookie
    for the site you are currently visiting.
    
    
    SOLUTION
    
    Update to a newer version (phpBB2 does not appear to be vulnerable), or
    implement a routine that checks that the content of every [IMG] tag begins
    with "http://".
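    As an added illustration of the suggested fix (example code, not phpBB's
    own), the following hypothetical sanitizer allow-lists the URL scheme inside
    [img] tags and is called on both the new-post and the edit path, since the
    advisory's point is that only the former was filtered. It goes slightly
    beyond a plain "http://" prefix check by normalizing case and stripping
    control characters before looking at the scheme.

```python
import re
from urllib.parse import urlsplit

# Hypothetical helper, not phpBB's code. Matches [img]...[/img] regardless of
# tag case; DOTALL so a URL broken across lines is still seen as one tag.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Only these schemes may be used as an image source.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_img_url(url: str) -> bool:
    """Return True only when the [img] target uses an allow-listed scheme."""
    # Drop ASCII control characters and whitespace before parsing, so that
    # the scheme check operates on what a browser would actually interpret.
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme in ALLOWED_SCHEMES


def sanitize_bbcode(text: str) -> str:
    """Replace every [img] tag whose URL is not allow-listed with a marker."""
    def replace(match: re.Match) -> str:
        if is_safe_img_url(match.group(1)):
            return match.group(0)          # keep the original tag untouched
        return "[image removed]"           # neutralize the unwanted tag
    return IMG_TAG.sub(replace, text)


# Constructed in-memory "database" of posts for the demonstration.
def save_post(store: dict, post_id: int, body: str) -> str:
    """New-post path: sanitize before storing."""
    store[post_id] = sanitize_bbcode(body)
    return store[post_id]


def edit_post(store: dict, post_id: int, body: str) -> str:
    """Edit path: must apply exactly the same sanitizer as save_post."""
    store[post_id] = sanitize_bbcode(body)
    return store[post_id]
```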
    
    
    ADDITIONAL INFORMATION
    The vendor has not been contacted, since newer versions (at least phpBB2)
    do not appear to be vulnerable.
    
    
    Bug discovered and published by tSR / Sascha Möke and BlueScreen / Florian
    Hobelsberger from www.IT-Checkpoint.net
    
    
    -----------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
    
    
    -------------------------------------------------------
    BlueScreen / Florian Hobelsberger (UIN: 101782087)
    BlueScreen@IT-Checkpoint.net
    
    Member of:
    http://www.IT-Checkpoint.net
    http://www.Hackeinsteiger.de
    
    Bugreplace Technologies - We work for your Security
    http://www.bugreplace.de
    Sales Bureau Munich
    



    This archive was generated by hypermail 2b30 : Wed Mar 27 2002 - 14:24:35 PST