[LWN.net]
From:	 "Florian Hobelsberger / BlueScreen" <genius28@gmx.de>
To:	 <bugtraq@securityfocus.com>
Subject: [Advisory] phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
Date:	 Wed, 27 Mar 2002 01:08:34 +0100

- ------------------------------------------------------------
itcp advisory 5 advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/5.html
March 21st, 2002
- ------------------------------------------------------------



phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
- -------------------------

Affected program: phpBB 1.4.4
Vendor: www.phpBB.org
Vulnerability-Class: Cross Site Scripting (XSS; abbreviated "CSS" at the time)
OS specific: No
Problem-Type: remote




SUMMARY

After a similar bug was discovered in phpBB 1.4.2, the authors fixed the
problem that allowed JavaScript to be inserted with an [IMG] tag such as:

[img]javascript:alert('bla')[/img]

However, the check is only applied when a new message is posted. If you
edit an existing message instead, the same bug can still be used to insert
JavaScript.


DETAILS

The edit function of phpBB 1.4.4 does not check whether javascript: URLs or
other unwanted code appear inside [IMG] tags; the check that was added to
the posting path after 1.4.2 is simply not run when a message is edited.


IMPACT

Cookies can be stolen: the injected script runs in the browser of every user
who views the post, so it can read document.cookie for the forum's site and
send the session cookie to an attacker, who can then act as that user.
Hint: what XSS can be used for is currently being discussed on Bugtraq.
Visit one of the many Bugtraq archives to learn about the dangers of XSS
vulnerabilities.


EXPLOIT

Create a new topic or reply to an existing one.
After the message has been posted, click the "edit" button and insert the
following anywhere in your posting:

[img]javascript:alert(document.cookie)[/img]

Once the edited message is saved, anyone viewing the thread in a browser that
follows javascript: URLs in image sources (as the common browsers of the time
did; current browsers refuse to run them) sees an alert box with the cookies
for the forum's site. The script runs in the viewer's session, not only the
author's; replacing alert() with code that sends document.cookie to a host
the attacker controls turns the bug into cookie theft.


SOLUTION

Update to a newer version (phpBB2 does not appear to be vulnerable), or
implement a routine that checks that the URL inside an [IMG] tag begins with
"http://" (or "https://"). The check has to run on the edit path as well as
on the new-post path, which is exactly where 1.4.4 falls short; comparing the
scheme case-insensitively and rejecting everything that is not on a short
allowlist of schemes is more robust than looking for the literal prefix.
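One way to implement such a check, as an added example that is not phpBB's
own code (phpBB is written in PHP; this is a stand-alone Python illustration
of the same idea). It renders [img] tags through one shared function that
both the new-post and the edit path call, accepts only http/https URLs by
parsing the scheme rather than matching a literal prefix, strips whitespace
and control characters that browsers ignored inside a scheme, and HTML-escapes
the URL when it is placed into the src attribute. The function names and the
sample payloads are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Schemes an [img] source may use. Anything else (javascript:, vbscript:,
# data:, or no scheme at all) is refused.
ALLOWED_SCHEMES = {"http", "https"}

# [img]...[/img], case-insensitive, non-greedy so two tags on one line
# are handled separately.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def _drop_control_chars(s):
    """Remove ASCII control characters and whitespace.

    None of them are valid in an unencoded URL, and browsers of the era
    skipped them inside the scheme, so "java<TAB>script:" must be seen as
    "javascript:" by the check below.
    """
    return "".join(ch for ch in s if ord(ch) > 0x20 and ord(ch) != 0x7F)


def safe_img_url(url):
    """Return a cleaned URL if its scheme is allowlisted, otherwise None."""
    candidate = _drop_control_chars(url)
    parts = urlsplit(candidate)
    # A literal "http://" prefix test would pass "HTTP://" or fail it
    # depending on case; comparing the parsed scheme avoids that.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_post(text):
    """Render a message body to HTML.

    Plain text is HTML-escaped; [img] tags whose URL passes safe_img_url()
    become <img> elements with the URL escaped as an attribute value; tags
    that fail the check are left visible as escaped text so the author can
    see they were refused.
    """
    out = []
    pos = 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        url = safe_img_url(m.group(1))
        if url is None:
            out.append(html.escape(m.group(0), quote=True))
        else:
            out.append('<img src="%s">' % html.escape(url, quote=True))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


def save_new_post(body):
    """New-post path (hypothetical name): render through the shared function."""
    return render_post(body)


def save_edited_post(body):
    """Edit path (hypothetical name): the same function, so editing cannot
    bypass the check. In phpBB 1.4.4 this path had no check at all."""
    return render_post(body)


if __name__ == "__main__":
    # Constructed sample inputs: the advisory's payload and a benign image.
    payload = "[img]javascript:alert(document.cookie)[/img]"
    print(save_new_post(payload))
    print(save_edited_post(payload))
    print(save_edited_post("[img]http://example.com/pic.png[/img]"))
```

The point of routing both paths through render_post() is that the fix
lives in one place; a second copy of the check in the edit handler is what
drifts out of sync, as the 1.4.2 fix shows.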


ADDITIONAL INFORMATION
The vendor has not been contacted, since newer versions (at least phpBB2) do
not appear to be vulnerable.


Bug discovered and published by tSR / Sascha Möke and BlueScreen / Florian
Hobelsberger from www.IT-Checkpoint.net


-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.


-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
BlueScreen@IT-Checkpoint.net

Member of:
http://www.IT-Checkpoint.net
http://www.Hackeinsteiger.de

Bugreplace Technologies - We work for your Security
http://www.bugreplace.de
Sales Bureau Munich