Vulnerability in BBCode - serious

psoTFX
Former Team Member
Posts: 7425
Joined: Tue Jul 03, 2001 8:50 pm

Post by psoTFX »

We've been notified about a vulnerability in phpBB 2.0.6 (which also affects 2.0.5). The fix is noted below but please note the text that follows it.

UPDATE: All packages have been updated to reflect this patch.

A change was made to the way bbcode url matching is achieved around phpBB 2.0.4. This was done following complaints that our existing methods, as used in earlier releases of phpBB, were too restrictive. Unfortunately the match went from too restrictive to too loose. This allows people to "break out" of the anchor href and insert arbitrary markup, particularly event handling parameters. This can result in anything from "nuisance" posts to people exploiting cross-site issues to grab cookie data.

Therefore this exploit is deemed serious ... we advise all our users to deploy the following fix as soon as possible. Updated 2.0.6 packages will be available shortly for new users.

You will need to use any text editor; all operating systems come with some kind of suitable application, e.g. notepad/wordpad on Windows, ed/pico/vi/emacs on Linux/UNIX/*BSD, etc.

Using your text editor open the file: includes/bbcode.php (the extension may of course differ if you've changed it).

Find the following section of code (use your editor's search facility or simply scroll through the file):

Code:

    $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
    $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\5', $bbcode_tpl['url4']);
Replace all of the above with:

Code:

    $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
    $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']);
Find:

Code:

    // matches a [url]xxxx://www.phpbb.com[/url] code..
    $patterns[] = "#\[url\]([\w]+?://.*?[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // [url=xxxx://www.phpbb.com]phpBB[/url] code..
    $patterns[] = "#\[url=([\w]+?://.*?[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];
Replace above with:

Code:

    // matches a [url]xxxx://www.phpbb.com[/url] code..
    $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // [url=xxxx://www.phpbb.com]phpBB[/url] code..
    $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];
Find:

Code:

    // matches an "xxxx://yyyy" URL at the start of a line, or after a space.
    // xxxx can only be alpha characters.
    // yyyy is anything up to the first space, newline, comma, double quote or <
    $ret = preg_replace("#(^|[\n ])([\w]+?://.*?[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

    // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
    // Must contain at least 2 dots. xxxx contains either alphanum, or "-"
    // zzzz is optional.. will contain everything up to the first space, newline,
    // comma, double quote or <.
    $ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\-]+\.[\w\-.\~]+(?:/[^ \"\t\n\r<]*)?)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
Replace above with:

Code:

    // matches an "xxxx://yyyy" URL at the start of a line, or after a space.
    // xxxx can only be alpha characters.
    // yyyy is anything up to the first space, newline, comma, double quote or <
    $ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

    // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
    // Must contain at least 2 dots. xxxx contains either alphanum, or "-"
    // zzzz is optional.. will contain everything up to the first space, newline,
    // comma, double quote or <.
    $ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
Now save the file and if appropriate upload it replacing the existing includes/bbcode.php.

This appears to fix the issue ... if you find this is not the case please notify us privately with full details of how it fails, your version of PHP and if appropriate a version that works.

Time for a fairly major rant ...

Again information on this was posted to bugtraq, this time it seems as we were notified. We received notification of this issue at 1.20AM (BST) on the 8th. Soon after a potential fix was noted internally ... following some tests to make sure nothing obvious was overlooked we intended to repackage 2.0.6 and announce the patch today.

Before loads of people chirp in with "Well how much damage do you think would've occurred if he'd not posted to bugtraq!" ... the answer is I heavily suspect, zero to very very little. Let's get "serious" for a moment shall we. Most damage done to these sorts of applications (boards, portals, etc.) appears to be done by so-called "script kiddies", people who follow security mailing lists and relevant underground sites looking for vulnerabilities discovered by others. If they have no access to this information the amount of damage they can do is severely curtailed. How can I say this? Because that's been my experience dealing with issues such as the annoying robotic registration application, other xss issues, etc.

Before loads of people say "Ah, but people can fix it if they know about it" ... good for them, if that were 100% correct, but it's not. At least once before now a published "fix" did no such thing. So any admins applying said "fix" still had a vulnerable board. And what about all those people who don't subscribe to the relevant lists? Is it a case of "stuff them"? I guess so ... double standards it would seem.

Not long ago Apache Group had a similar problem to those we've experienced. That is, someone posting a vulnerability to a list before notifying them ... and worse, including a fix that wasn't. That received lots of publicity and led to suggestions of a responsible system of notification and distribution of information. As opposed to outdated methods such as bugtraq et al ... and worse, the "security sites" which simply compete with each other to report the most vulnerabilities. Remember, the internet now is quite different to even that of six years ago ... gone are the days of nicey nicey admins all helping each other. It's been replaced with people who are quite happy to do harm without a second thought. It's time for a change in the way these things are handled ... and I urge all those who can and who agree to voice this in all practical ways.

Now, let me reiterate our position on reporting vulnerabilities. We ask that people provide us with details of any vulnerabilities and give us reasonable time to respond; email should be sent to security at phpbb.com. If you've not heard anything from us (please use a reachable email address) within 48 hours please email again (email is not infallible). If you hear nothing within 12-18 hours please contact any developer or group member (or even team member) here @ phpbb.com via private message with a suitable subject. If you still hear nothing within a day feel free to post the information on this board. Remember that people here are spread over the world and thus response times may vary depending on your location (and time of year).

To help save our sanity and time, please, we beg you(!), do not email security at phpbb.com concerning support issues, bugs or other released matters. That address exists purely to report vulnerabilities ... vulnerabilities include anything that can lead to loss of or exposure of data. Vulnerabilities are not "I've got an error on my board, can you help?!", "Other people can see my config.php!", "Are you interested in ...", etc.

We do apologise for this issue cropping up ... we do our best to limit such issues but unfortunately we're not perfect.

Thanks
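As an added example (not part of the original post or of phpBB's own code), the following Python transcribes the vulnerable and fixed `[url=...]...[/url]` patterns from the fix above, runs both over a constructed post whose URL contains a double quote, and applies a small parser check that the resulting anchor carries only the attributes the template emits. The anchor template and the two sample posts are assumptions for this example; the post only shows the template's `{URL}` and `{DESCRIPTION}` placeholders.

```python
import re
from html.parser import HTMLParser

# The [url=...]...[/url] patterns from the post, transcribed from PHP to Python
# regex syntax (the PHP string escapes \" \n \r \t are resolved here).
VULNERABLE_URL3 = re.compile(
    r'\[url=(\w+?://.*?[^ "\n\r\t<]*?)\](.*?)\[/url\]', re.I | re.S)
FIXED_URL3 = re.compile(
    r'\[url=(\w+?://[^ "\n\r\t<]*?)\](.*?)\[/url\]', re.I | re.S)

# Anchor template assumed for this example: the post shows only the {URL} and
# {DESCRIPTION} placeholders, not the template itself.
ANCHOR_TPL = '<a href="{URL}" target="_blank">{DESCRIPTION}</a>'


def render_url3(text, pattern):
    """Expand [url=...]...[/url] the way bbcode.php does, with the given pattern."""
    def expand(m):
        return (ANCHOR_TPL.replace('{URL}', m.group(1))
                          .replace('{DESCRIPTION}', m.group(2)))
    return pattern.sub(expand, text)


class _AnchorAttrs(HTMLParser):
    """Collect the attribute names of every <a> tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.anchors.append([name for name, _ in attrs])


def href_is_contained(html):
    """Regression check for the fix: the template emits exactly href and
    target, so any other attribute means the URL closed the href quote early."""
    parser = _AnchorAttrs()
    parser.feed(html)
    return all(names == ['href', 'target'] for names in parser.anchors)


# Constructed sample posts. The second carries a double quote in the URL; a
# harmless title attribute stands in for the event handlers the post mentions.
BENIGN = '[url=http://www.phpbb.com/]phpBB[/url]'
BREAKOUT = '[url=http://www.phpbb.com/" title="injected]phpBB[/url]'

if __name__ == '__main__':
    for label, pat in (('vulnerable', VULNERABLE_URL3), ('fixed', FIXED_URL3)):
        out = render_url3(BREAKOUT, pat)
        print(f'{label}: {out}  contained={href_is_contained(out)}')
```

With the fixed pattern the second sample is left untouched because the URL group cannot cross a double quote, so it never reaches the closing `]`; with the old pattern the lazy `.*?` carries the quote into the href.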