SecurityFocus reveals viewprofile hack

This is an archive of the phpBB 2.0.x support forum. Support for phpBB2 has now ended.
groundmotion
Registered User
Posts: 2
Joined: Fri Apr 29, 2005 9:31 am
Location: Sweden

SecurityFocus reveals viewprofile hack

Post by groundmotion »

http://www.securityfocus.com/archive/1/396744
SecurityFocus wrote: - Exploitation
---------------------------------------------------------
-==Bad Filter of HTML Code==-
phpBB2/profile.php?mode=viewprofile&u=[]
phpBB2/viewtopic.php?p=3&highlight=[]
#########################################################
-==XSS==-
POST /admin/admin_forums.php?sid=7bd54a5a9861ef180af78897e70 HTTP/1.1
forumname=<script>alert('NST')</script>&forumdesc=<script>alert('NST')</script>&c=1&forumstatus=0&prune_days=7&prune_freq=1&mode=createforum&f=&submit=Create new forum

Some people may not find it interesting, others will, but I don't care, because if you
put in some effort you know that
you can do a lot with this, like fooling the admin of the hosting company to get his cookie
and then getting access to WHM...


http://www.securityfocus.com/bid/13344/exploit/
SecurityFocus wrote: phpBB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

No exploit is required.

The following proof of concept URI is available:
http://www.example.com/phpBB2/profile.p ... profile&u=[]


Versions up to - and including - 2.0.14 seem to be vulnerable. My colleague at work and I just tried it out and we got a big chunk of code and some database entries as a result... feels like something very close to the highlight bug - maybe you already know about this, otherwise please look into it as soon as possible.

Cheers!
- Janne
Bobble
Registered User
Posts: 3504
Joined: Thu Mar 24, 2005 12:51 pm

Post by Bobble »

*ahem*
phpBB Support
Get help with installation and running phpBB 2.0.x here. Please do not post bug reports, feature requests or MOD-related questions here.


You can be sure that they know about this and a patch will be released when ready.
groundmotion
Registered User
Posts: 2
Joined: Fri Apr 29, 2005 9:31 am
Location: Sweden

Post by groundmotion »

Oops, sorry, too quick on the trigger.

Wasn't sure if this was a bug report or of general interest, but I can see your point.
I will look more into the forum structure in the future. ;)

EDIT: Had a look around now and I'm still not sure where bug reports go.
Only that they are not wanted in any of the phpBB forums...
AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

This is not a cross site scripting vulnerability, it is misclassified on SF. It is really a path exposure vulnerability. The phpBB team has previously stated that these are not critical enough to warrant a patch.

The XSS vulnerability is separate, and exists within the admin functions. (Note that I have not confirmed this flaw, only heard of it)

AnthraX101
Graham
Former Team Member
Posts: 8462
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Post by Graham »

AnthraX101 wrote: This is not a cross site scripting vulnerability, it is misclassified on SF. It is really a path exposure vulnerability. The phpBB team has previously stated that these are not critical enough to warrant a patch.


Indeed, someone over there needs to remember that a bug - which that admittedly is - does not mean that there is automatically a vulnerability. There do seem to be some people who automatically scream about security over relatively minor bugs. It is certainly something that is likely to be addressed in the next release, but on its own it's not anything that would justify a new release.

AnthraX101 wrote: The XSS vulnerability is separate, and exists within the admin functions. (Note that I have not confirmed this flaw, only heard of it)

Personally, I'd question whether that is even an issue. Forum descriptions have always allowed HTML right from the first 2.0.x versions and the only way to alter the description is via POST - it can't be done via GET so it's pretty difficult to spoof someone into doing it (which is what the reporter seems to suggest).

I'd also like to make the point that if people think there is a security issue they should report it to our security tracker so that it can be looked at and not post it on BugTraq where people start panicking without understanding the issue.
"So Long, and Thanks for All the Fish"

AnthraX101
Security Consultant
Posts: 497
Joined: Sun Nov 14, 2004 8:05 pm

Post by AnthraX101 »

Graham wrote: [...]

Indeed, someone over there needs to remember that a bug - which that admittedly is - does not mean that there is automatically a vulnerability. There do seem to be some people who automatically scream about security over relatively minor bugs. It is certainly something that is likely to be addressed in the next release, but on its own it's not anything that would justify a new release.


Just a note that this is a vulnerability, just not a critical one. Many real SQL injection holes are simply looking for a good DB to attack. With MySQL, it is not possible most of the time to run a "show databases", so something that reveals a real DB name may lead to a successful attack. This is not going to weaken an already secure system, but may be the falling point for a system which has security flaws already.

AnthraX101
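An added illustration of the defensive side of what AnthraX101 and Graham discuss above; this is example code, not phpBB's own and not anything from the advisory. The assumed mechanism is that the `u[]` form hands the script a PHP array where a scalar id is expected, and the resulting error text (PHP warnings or the application's own SQL error page) is what exposes file paths and database details. Only the parameter name `u` is taken from the thread; `read_user_id` and `fail_request` are hypothetical names.

```php
<?php
// Example only (not phpBB code): validate an integer query parameter
// strictly and keep error detail out of the HTTP response.

// 1. Never print raw PHP errors to the browser; log them server-side.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Return the validated user id from $params['u'], or null if it is
 * missing, is an array (the "u[]" query form), or is not a positive int.
 */
function read_user_id(array $params): ?int
{
    if (!array_key_exists('u', $params)) {
        return null;
    }
    $raw = $params['u'];
    // PHP decodes "u[]=x" into an array. Passing that on to string or
    // integer handling is what produces the warnings and failed queries
    // whose messages disclose paths and database names.
    if (is_array($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Uniform failure response: the real cause goes to the server log only,
 * so the page body never varies with internal state.
 */
function fail_request(string $reason): void
{
    error_log('profile request rejected: ' . $reason);
    http_response_code(400);
    echo 'Invalid request.';
    exit;
}

$uid = read_user_id($_GET);
if ($uid === null) {
    fail_request('bad or missing u parameter');
}
// ... continue with $uid, using a prepared statement for the lookup ...
```

With this in place, `?u=[]`, `?u=abc` and `?u=-1` all yield the same generic 400 page, and the detailed reason is available only in the server's error log.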