ADblock rewrite vulnerability

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

ADblock rewrite vulnerability

Post by John connor » Sat Apr 20, 2019 12:56 pm


EA117
Registered User
Posts: 583
Joined: Wed Aug 15, 2018 3:23 am

Re: ADblock rewrite vulnerability

Post by EA117 » Sat Apr 20, 2019 3:34 pm

I don't know the definitive answer to this question. Aside from all the other described conditions that need to be met, the key item I'm unsure of phpBB inherently having -- or having as part of a common or popular extension -- is some kind of "open redirect." Maybe the "proxy non-HTTPS content over HTTPS" extensions could be providing such a redirect that could be exploited for this purpose?

What seems weirdest to me is the existence of the rewrite= option in the first place. I'm sure it's just because I'm not attuned to the incremental war that is constantly ongoing between ad blockers and ad servers, but the idea that I can "match a request to the local site and replace it with a different request which must also be to the local site" just makes me scratch my head for how that's useful to the purpose of "ad blocking."

Can't find a list of which blocks will be affected by removal/disabling of the rewrite= option, to study or understand how that was employed.

tbackoff
Former Team Member
Posts: 7022
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: ADblock rewrite vulnerability

Post by tbackoff » Sat Apr 20, 2019 4:08 pm

John connor wrote:
Sat Apr 20, 2019 12:56 pm
Does this affect a phpBB install?
How exactly would it affect a regular phpBB install? Adblock Plus works off of advertisement domains and as of the latest update, shouldn't be an issue.
"It is our responsibility to protect our users, and despite the actual risk being very low, we have decided to remove the rewrite option and will accordingly release an updated version of Adblock Plus as soon as technically possible. We are doing this as a measure of precaution. There has not been any attempt of abusing the rewrite option and we will do everything we can to ensure this won’t happen."
Flying is the second best thrill to cheerleaders; being caught is the first.

EA117
Registered User
Posts: 583
Joined: Wed Aug 15, 2018 3:23 am

Re: ADblock rewrite vulnerability

Post by EA117 » Sat Apr 20, 2019 6:42 pm

tbackoff wrote:
Sat Apr 20, 2019 4:08 pm
How exactly would it affect a regular phpBB install?
For exactly the reasons in the description of the exploit. They demonstrated the exploit on maps.google.com -- without maps.google.com having been a knowing or willing participant -- due to the presence of code and functionality that maps.google.com was already running.

The question is whether the exploit could also be demonstrated against a site running phpBB, because of code and functionality in phpBB that unwittingly satisfies one of the conditions needed to employ this exploit.

tbackoff
Former Team Member
Posts: 7022
Joined: Thu Jun 04, 2009 1:41 am
Location: cheerleading practice
Name: Tabitha Backoff

Re: ADblock rewrite vulnerability

Post by tbackoff » Sat Apr 20, 2019 11:23 pm

EA117 wrote:
Sat Apr 20, 2019 6:42 pm
code and functionality in phpBB that unwittingly satisfies one of the conditions needed to employ this exploit.
It's my understanding that all three need to be met for this to work, which is why I asked. ;)

EA117
Registered User
Posts: 583
Joined: Wed Aug 15, 2018 3:23 am

Re: ADblock rewrite vulnerability

Post by EA117 » Sun Apr 21, 2019 9:16 pm

tbackoff wrote:
Sat Apr 20, 2019 11:23 pm
It's my understanding that all three need to be met for this to work, which is why I asked.
Please do feel free to omit the words "one of" from my sentence, and respond to that instead. Although responding even on any one of the individual points would still be productive towards building an answer for the question.

If the restriction implied by "Adblock Plus works off of advertisement domains" was actually true, they would have neither needed nor used maps.google.com to demonstrate the issue.

It's the fact that the Adblock filter applies to all requests -- and therefore the rewrite= directive was able to act against maps.google.com itself to employ the existence of an open redirect -- which enabled how the exploit was possible to occur. Not because of something Adblock was acting on against "an advertisement domain."

So the root question, still, is whether this exploit could also be demonstrated against a site running phpBB. i.e. If instead of maps.google.com the site they wanted to target was running phpBB, what mechanisms of phpBB itself or of popular extensions might allow a successful invocation of the exploit for visitors of that site?

thecoalman
Community Team Member
Posts: 3160
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ADblock rewrite vulnerability

Post by thecoalman » Mon Apr 22, 2019 8:41 am

EA117 wrote:
Sun Apr 21, 2019 9:16 pm
So the root question, still, is whether this exploit could also be demonstrated against a site running phpBB. i.e. If instead of maps.google.com the site they wanted to target was running phpBB, what mechanisms of phpBB itself or of popular extensions might allow a successful invocation of the exploit for visitors of that site?
My approach to something like this is instead of focusing on whether it's vulnerable assume it is and how do you protect against it, or can you? The browser extension is changing the request which is completely out of the control of the site owner so you have very limited options. They mention using connect-src in the header but how practical is that on a phpBB forum? Any externally loaded JS would need to be listed so it would break all existing BBCodes that utilize a JS script like embedding YouTube and any extension like media embed would have to list every one. If you are using AdSense?

At the end of the day the way to fix this is to not have an extension on your browser arbitrarily loading JS scripts the site owner never intended to be loaded.

John connor
Registered User
Posts: 2054
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: ADblock rewrite vulnerability

Post by John connor » Tue Apr 23, 2019 2:27 am

So just to be sure. This is not an exploit on the server itself, but rather an exploit to the user's browser?

AmigoJack
Registered User
Posts: 5569
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン

Re: ADblock rewrite vulnerability

Post by AmigoJack » Tue Apr 23, 2019 5:20 am

John connor wrote:
Sat Apr 20, 2019 12:56 pm
Does this affect a phpBB install?
Can't speak for older versions, but 3.0.0 or higher is not affected, as it always includes its path for redirects.
EA117 wrote:
Sat Apr 20, 2019 6:42 pm
They demonstrated the exploit on maps.google.com
No - that's exactly the point: it was not done on maps.google.com, but instead on google.com/maps. Same domain, no different subdomain.
thecoalman wrote:
Mon Apr 22, 2019 8:41 am
At the end of the day the way to fix this is to not have an extension on your browser arbitrarily loading JS scripts the site owner never intended to be loaded.
For you it may be normal to load all kinds of scripts (or content in general) from elsewhere - for me it is yet again amazing how often people don't even consider to not trust foreign scripts. Yes, one may say "AdBlock is the problem", but it's similar to saying "no, not AIDS is the problem - the infected people having sex is the problem" - it's true, but there's no solution in there.
John connor wrote:
Tue Apr 23, 2019 2:27 am
This is not an exploit on the server itself, but rather an exploit to the user's browser?
It's a local and remote exploit: the user agent executing the JavaScript is needed, and the software running on the server which performs redirects. So the answer to your question is strictly speaking "no".
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

thecoalman
Community Team Member
Posts: 3160
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ADblock rewrite vulnerability

Post by thecoalman » Tue Apr 23, 2019 10:10 am

AmigoJack wrote:
Tue Apr 23, 2019 5:20 am
For you it may be normal to load all kinds of scripts (or content in general) from elsewhere - for me it is yet again amazing how often people don't even consider to not trust foreign scripts. Yes, one may say "AdBlock is the problem", but it's similar to saying "no, not AIDS is the problem - the infected people having sex is the problem" - it's true, but there's no solution in there.
The only thing I allow on my site that is loading external scripts is AdSense and the media embed plugin. AdSense is getting the boot because it's pretty much become useless for revenue over the past few years and that is not just me.

In this case Adblock is the problem. Blocking content is one thing, loading content is a whole other matter and this would go beyond exploitable content. Not sure if this is workable but something similar might be, suppose they are redirecting to an AdSense script on pages I'm not allowed to display those ads?

thecoalman
Community Team Member
Posts: 3160
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: ADblock rewrite vulnerability

Post by thecoalman » Tue Apr 23, 2019 10:21 am

John connor wrote:
Tue Apr 23, 2019 2:27 am
So just to be sure. This is not an exploit on the server itself, but rather an exploit to the user's browser?
There are a lot of things that would have to come together to make this work. You would need Adblock installed and have loaded an Adblock ruleset intended to exploit it. Only sites in the ruleset would be affected.

The site in the ruleset would then need to be loaded by the user. It would also need a local file that had already been uploaded to the server or an open redirect. The open redirect is a more likely target because a lot of sites use them for various things. For example, before rel=nofollow a lot of sites were using them to control outgoing links to other sites. This is also a useful way for you the site owner to track what links are being added by users of your site, who is clicking them, what page, how many times etc.
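
Added example (not part of any post in this thread, and not phpBB's own code): the thread identifies a server-side open redirect as the condition a site owner actually controls, so this sketch shows a redirect handler that only ever emits a same-origin path. `SITE_ORIGIN`, `safeRedirectTarget` and the sample inputs are hypothetical and constructed for illustration.

```javascript
'use strict';

// Hypothetical site origin; a real forum would take this from its own config.
const SITE_ORIGIN = 'https://forum.example';

// Return a same-origin path for a user-supplied redirect target, or the
// fallback when the target would leave the site.
function safeRedirectTarget(target, fallback = '/index.php') {
  if (typeof target !== 'string' || target.length === 0) return fallback;
  // URL parsers silently strip control characters, which can hide a scheme or host.
  if (/[\u0000-\u001f\u007f]/.test(target)) return fallback;
  let url;
  try {
    // Resolve the way a browser would: relative to the site, with "\" treated as "/".
    url = new URL(target, SITE_ORIGIN + '/');
  } catch (e) {
    return fallback;
  }
  // Covers absolute URLs, protocol-relative URLs, userinfo tricks and non-HTTP schemes.
  if (url.origin !== SITE_ORIGIN) return fallback;
  // Re-emit only path, query and fragment so the Location header always stays local.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs (not taken from the thread or the original report).
const samples = [
  'viewtopic.php?f=2&t=10#p42',
  '/ucp.php?mode=login',
  'https://forum.example/faq.php',
  'https://other.example/payload.js',
  '//other.example/payload.js',
  '/\\other.example/payload.js',
  'https://forum.example@other.example/',
  'javascript:alert(1)',
];

// Pair each sample with the Location value the handler would send.
function auditSamples() {
  return samples.map((s) => [s, safeRedirectTarget(s)]);
}

for (const [input, output] of auditSamples()) {
  console.log(JSON.stringify(input), '->', output);
}
```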
