phpBB • Free and Open Source Forum Software

X_FORWARDED_FOR is not filtered through htmlspecialchars here:

Code: Select all: $this->browser= (!empty($_SERVER['HTTP_USER_AGENT'])) ? htmlspecialchars((string) $_SERVER['HTTP_USER_AGENT']) : ''; $this->forwarded_for=(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) ? (string) $_SERVER['HTTP_X_FORWARDED_FOR'] : '';

So, it will be possible to use this vulnerability, if some mod use these lines and x_forwarded_for here.

Taken from PhpBB 3 Vulnerability and Forscripts.Net On-Line Test 1/2008

Thanks, we are aware of the article.

Forwarded for is matched against the IP regexp if used; a MOD doing any less would be vulnerable.
We will add a htmlspeciachars call, but I don't see a pressing issue.

~H

I am moving this to the bug tracker - it is not a security issue within our product. To protect against those mod-authors not knowing what they do we will change the call.

Oh, and thanks for submitting this to the security tracker first (better moving a report than being sorry)

Not at all.

It will be very good, if it is the first and the last security submitting))

//But I didn't see any x_forwarded_for regchecks, as you wrote...

That would be line 174 of session.php.

Code: Select all: if (!empty($ip) && !preg_match(get_preg_expression('ipv4'), $ip) && !preg_match(get_preg_expression('ipv6'), $ip))

In fact, the MOD team has denied at least one MOD which used HTTP_X_FORWARDED_FOR straight from $_SERVER.

	What:	Where:	Country:
vacatures php arbeit php jobs php lavoro php emploi php trabajo php jobs php arbeit php

X_FORWARDED_FOR is not filtered (fix completed in vcs)

Comments / History

Ticket details

Related SVN changesets

Advertisements