Cross Site Scripting Vulnerability in phpBB2's [IMG] tag and remote avatar

From: Martijn Boerwinkel (ximat_private)
Date: Sun May 26 2002 - 08:59:33 PDT


    phpBB2 Cross Site Scripting Vulnerability 
    -------------------------------------------- 
    
    Affected Program: phpBB2 version 2.0.0 
      (possibly earlier versions too, but not tested) 
    Vendor: http://www.phpbb.com 
    Vendor Status: informed on 24/04/2002, fixed issued on 20/05/2002 
    Discovery Date: 24/04/2002 
    Release Date: 26/05/2002 
    Vulnerability Class: Cross Site Scripting 
    
    
    Severity 
    -------- 
    Malicious users can steal other users' and admins' cookies, allowing
    them to impersonate other users on the board and to access the
    administration panel.
    
    
    Problem 
    ------- 
    The problem is very similar to SQL injection.
    phpBB2 places a user-provided string (the URL given in the [IMG] tag)
    directly into the following HTML tag:
    
    <img src="$user_provided" border="0" /> 
    
    While there is a check to force the string to begin with "http://", it
    doesn't disallow the double quote character ("). That means a malicious
    user can close the src="" attribute of the HTML tag and insert his own
    HTML code.
    The same problem also exists in the remote avatar part of the user
    profile.
    
    
    Example 
    ------- 
    Enter the following anywhere in a message: 
    
    [img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img] 
    
    When reading that message, an alert box containing your cookies should
    pop up.
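
The pattern described in the Problem and Example sections above, as an added PHP example that is not phpBB's own code: a prefix-only check that interpolates the raw string into the tag, beside a hardened version that validates the URL and escapes on output. The function names are invented for illustration, and the test input is the advisory's own proof-of-concept string.

```php
<?php
// Added example, not phpBB code: [img] URL handling in a vulnerable and
// a hardened form. Function names are hypothetical.

// Vulnerable pattern: only the "http://" prefix is checked, then the raw
// string is interpolated into the attribute. A double quote in the input
// terminates src="" and whatever follows becomes new attributes.
function render_img_vulnerable(string $url): ?string
{
    if (strpos($url, 'http://') !== 0) {
        return null; // rejected by the prefix check
    }
    return '<img src="' . $url . '" border="0" />';
}

// Hardened pattern: validate the URL, reject characters that can terminate
// an attribute, and HTML-escape on output regardless of validation.
function render_img_safe(string $url): ?string
{
    // Only http/https URLs that PHP's URL filter accepts as well formed.
    if (!preg_match('#^https?://#i', $url)
        || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Quotes, angle brackets and whitespace have no place in an image URL.
    // FILTER_VALIDATE_URL alone is lenient about them, so check explicitly.
    if (preg_match('/["\'<>\s]/', $url)) {
        return null;
    }
    // Output encoding is the real control; the checks above are defence
    // in depth. ENT_QUOTES encodes both " and ' so neither can break out.
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $escaped . '" border="0" />';
}

// The advisory's own proof-of-concept string (constructed input).
$payload = 'http://a.a/a"onerror="javascript:alert(document.cookie)';

// Vulnerable: the quote closes src and onerror becomes a live attribute.
var_dump(render_img_vulnerable($payload));
// Hardened: the same string is rejected outright.
var_dump(render_img_safe($payload));
// A benign URL still renders normally.
var_dump(render_img_safe('http://example.com/pic.png'));
```

Run with `php example.php` to compare the three outputs; the vulnerable branch reproduces the tag the advisory describes, while the hardened branch returns NULL for the payload.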
    
    
    Solutions 
    --------- 
    * Upgrade to 2.0.1 
    
    -- 
    XiM 
    (#icerealm on irc.icerealm.net) 
    This archive was generated by hypermail 2b30 : Mon May 27 2002 - 14:11:06 PDT