phpGB: cross site scripting bug

From: ppp-design (security@ppp-design.de)
Date: Mon Sep 09 2002 - 00:24:05 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ppp-design found the following cross-site scripting bug in phpGB:
    
    
    Details
    - -------
    Product: phpGB
    Affected Version: 1.10 and maybe all versions before
    Immune Version: 1.20
    OS affected: all OS with php
    Vendor-URL: http://www.walzl.net
    Vendor-Status: informed, new version available
    Security-Risk: high
    Remote-Exploit: Yes
    
    
    Introduction
    - ------------
    phpGB is a PHP/MySQL based guestbook. Unfortunately, no input is
    filtered for malicious code segments, which makes a cross-site
    scripting attack possible.
    
    
    More details
    - ------------
    An attacker is able to insert, e.g., JavaScript code into a guestbook
    entry. When an admin tries to delete this entry, the script is
    executed in the admin's browser. The attacker is thus able to, e.g.,
    obtain the admin's session ID and enter the admin area without being
    authenticated.
    
    
    Proof-of-concept
    - ----------------
    Enter the following guestbook entry:
    
    "delete me <script>alert(document.cookie)</script>"
    
    When an admin tries to delete this entry, a popup showing his session
    ID will appear. Of course, it is quite easy to send this session ID
    to the attacker's server instead of showing this popup.
    
    
    Temporary-fix
    - -------------
    Filter all inputs for unwanted code segments such as HTML or JavaScript.
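The following is an added example, not phpGB's own code, illustrating the unfiltered pattern described in the "More details" section beside the filtering the temporary fix calls for. The function names, the delete link and the sample entry are constructed for this illustration; the only real APIs used are PHP's htmlspecialchars, strip_tags and the session.cookie_httponly ini setting.

```php
<?php
// Added example (not from phpGB): a minimal guestbook entry renderer.
// Function names and the sample entry below are constructed for illustration.

// Vulnerable pattern: the stored entry is echoed into the admin's delete
// page as-is, so a <script> tag saved by a visitor runs in the admin's
// browser when the admin views the entry to delete it.
function render_entry_vulnerable(string $entry): string
{
    return '<li>' . $entry . ' <a href="delete.php?id=1">delete</a></li>';
}

// Hardened pattern: escape on output, in the HTML context where the data
// is used. ENT_QUOTES also encodes ' and " so the value stays inert if it
// is ever placed inside an attribute; the charset must match the page's.
function render_entry_safe(string $entry): string
{
    $escaped = htmlspecialchars($entry, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<li>' . $escaped . ' <a href="delete.php?id=1">delete</a></li>';
}

// Input-side filtering, the approach the advisory's temporary fix names:
// drop tags before the entry is stored. Treat this as a second layer only;
// output escaping is what reliably prevents the script from running.
function sanitize_entry_input(string $raw): string
{
    return trim(strip_tags($raw));
}

// Defense in depth: keep the session cookie out of reach of script so that
// even a successful injection cannot read it via document.cookie.
// Must run before session_start().
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
}

// Constructed sample: the advisory's proof-of-concept entry.
$poc = 'delete me <script>alert(document.cookie)</script>';

echo "vulnerable: ", render_entry_vulnerable($poc), PHP_EOL;
echo "escaped:    ", render_entry_safe($poc), PHP_EOL;
echo "sanitized:  ", render_entry_safe(sanitize_entry_input($poc)), PHP_EOL;
```

Running this with the proof-of-concept entry shows the vulnerable line containing a live script element, while the escaped line carries the same text with `<` and `>` turned into entities, so the browser displays it instead of executing it. Escaping at output time is preferred over relying solely on strip_tags, because it does not depend on every storage path having been filtered.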
    
    
    Fix
    - ---
    phpGB 1.2 filters all inputs.
    
    
    Security-Risk
    - -------------
    Because after a successful attack an attacker is able to do anything
    an admin can do, the whole guestbook should be considered
    compromised. That is why we rate the risk as high.
    
    
    Vendor status
    - -------------
    The author had already fixed this bug when we informed him.
    
    
    Disclaimer
    - ----------
    All information that can be found in this advisory is believed to be
    true, but maybe it isn't. ppp-design can not be held responsible for
    the use or misuse of this information. Redistribution of this text is
    only permitted if the text has not been altered and the original
    author ppp-design (http://www.ppp-design.de) is mentioned.
    
    
    This advisory can be found online:
    http://www.ppp-design.de/advisories.php
    
    
    - --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org
    
    iD8DBQE9fEyVDXh7YLO1RRoRAnEgAJ4kwbAytd4g8i38ngNTQ0DE19XULACg5DfR
    j/Mes4I6IxqkiDrf2CYpEQY=
    =eTCl
    -----END PGP SIGNATURE-----
    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 08:55:35 PDT