Bugtraq mailing list archives

[Sec-Tec Advisory] Local scripting vulnerability in phpBB


From: "Pete Foster" <pete () sec-tec demon co uk>
Date: Mon, 25 Nov 2002 08:51:57 -0000

Application: phpBB2
Vendor     : http://www.phpbb.com
Problem    : Insufficient filtering of user input
Usability  : Easy
Severity   : Medium
Report by  : Pete Foster, Sec-Tec Ltd (http://www.sec-tec.com)

The Product (from the vendor's site):
phpBB is a high powered, fully scalable, and highly customisable open-source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.

Details:
phpBB2 does not adequately filter the content of user posts.  A board can be
configured to permit certain HTML tags for text formatting, and the filter
admits those tags without stripping the attributes they carry.  A permitted
tag can therefore contain event-handler script code that executes in the
browser of anyone viewing the post.  Such scripts could be used to steal
cookie information amongst other things.

Proof of Concept:
Post a message to any of the forums in a phpBB2 bulletin board containing
the following text.

<b onMouseOver="alert(document.location);">This piece of text could be
dangerous if you were to move your mouse over it!</b>
<i onClick="alert(document.location);">This piece of text could be dangerous
if you were to click it!</i>
<u onClick="alert('Hello');">This piece of text could be dangerous if you
were to click it!</u>

Suggested fix:
Disable the ability to post messages containing HTML and force users to use
BBCode instead.
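To illustrate why a tag-name allowlist alone is not enough, the following Python (an added example, not phpBB code and not part of the advisory) contrasts a naive filter that checks only the tag name, and so lets event-handler attributes through on permitted tags, with a filter that re-emits permitted tags stripped of every attribute. The allowed-tag set and the sample post are constructed for the example; the advisory's own recommendation remains to disable HTML posting entirely.

```python
import html
import re
from html.parser import HTMLParser

# Formatting tags a board might permit (constructed list; the advisory's
# proof of concept uses b, i and u).
ALLOWED_TAGS = {"b", "i", "u"}

# Naive filter: checks only the tag NAME against the allowlist and passes
# the whole tag, attributes included, through to the page, so an event
# handler attribute rides along on an otherwise permitted tag.
_TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>")

def naive_filter(post):
    def keep_or_escape(m):
        if m.group(2).lower() in ALLOWED_TAGS:
            return m.group(0)            # attributes survive untouched
        return html.escape(m.group(0))
    return _TAG_RE.sub(keep_or_escape, post)

class StrictFilter(HTMLParser):
    """Re-emit permitted tags with NO attributes; escape everything else."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")           # attributes discarded
        else:
            self.out.append(html.escape(self.get_starttag_text()))
    def handle_endtag(self, tag):
        close = f"</{tag}>"
        self.out.append(close if tag in ALLOWED_TAGS else html.escape(close))
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is re-escaped

def strict_filter(post):
    p = StrictFilter()
    p.feed(post)
    p.close()
    return "".join(p.out)

def has_event_handler(rendered):
    # Detection check on the rendered output: any tag carrying an on* attribute?
    return re.search(r"<[^>]*\son\w+\s*=", rendered, re.I) is not None

# Constructed sample post modelled on the advisory's proof of concept.
SAMPLE_POST = ('<b onMouseOver="alert(document.location);">hover me</b> '
               '<script>x()</script>')
```

Running has_event_handler over the output of each filter shows the naive one still emits the onMouseOver handler while the strict one emits a bare <b> tag.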

Tested on:
phpBB2 2.0.3
Apache 1.3.23
php 4.1.2
mySQL 11.16
RedHat Linux 7.3

Vendor's response:
+ The solution is as stated ... disable HTML, BBCode should be more than
+ adequate for many users' needs (don't forget additional controls exist in
+ the form of Mods).

+ Will look @ backporting phpBB 2.2 code to this but
+ the parsers are quite different thus it may not be possible.


Pete Foster
Senior Consultant - Sec-Tec Ltd
www.sec-tec.co.uk


