lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 3 Mar 2005 05:53:39 -0000
From: Paisterist <paisterist.nst@...il.com>
To: bugtraq@...urityfocus.com
Subject: Advisory #08 - phpBB 2.0.13 Bad filtered in usercp_register.php




/*
--------------------------------------------------------
[N]eo [S]ecurity [T]eam [NST]® - Advisory #08 - 29/02/05
--------------------------------------------------------
Program: phpBB 2.0.13
Homepage: http://www.phpbb.com
Vulnerable Versions: phpBB 2.0.13 & Lower versions
Risk: Low Risk
Impact: bbcode, smilies, and html not bad filtered en usercp_register.php

phpBB 2.0.13 Bad filtered in usercp_register.php
---------------------------------------------------------

- Description
---------------------------------------------------------
phpBB is an Open Source project that is developed of a big comunnity of programmers. It has suport for a lot of databases, like Oracle, MSSQL, MySql, PostGres, etc, and is one of the more useds precompilateds packages.

- Tested
---------------------------------------------------------
I tested this bug in localhost and other forums

- Explotation
---------------------------------------------------------
The bad code is in the usercp_register.php file. The next part of the code is the vulnerable:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

If we specify a variable in the html code (any type: hidden, text, radio, check, etc) with the name allowhtml, allowbbcode or
allowsmilies, is going to be on the html, bbcode and smilies in our signature. But this only works for private messages.

In the topics our signature is going to be filtered, but no in the private messages.

- Exploit
---------------------------------------------------------
1 - Copy the html code of the registration page of the vulnerable forum.

2 - Change the form action to the path of the forum and profile.php. Example: http://phpbb.com/phpBB2/profile.php

3 - Add the variable for to enable the bbode, htmlcode or smilies (if they're not) in your private messages. Example:





4 - With your html registration page (modified) you have to register any user with some html code in the signature for test
this bug.

- Solutions
--------------------------------------------------------
At this date there is not any update, but we can change the code of the file usercp_register.php

Vulnerable:

$allowhtml = ( isset($HTTP_POST_VARS['allowhtml']) ) ? ( ($HTTP_POST_VARS['allowhtml']) ? TRUE : 0 ) : $board_config['allow_html'];
$allowbbcode = ( isset($HTTP_POST_VARS['allowbbcode']) ) ? ( ($HTTP_POST_VARS['allowbbcode']) ? TRUE : 0 ) : $board_config['allow_bbcode'];
$allowsmilies = ( isset($HTTP_POST_VARS['allowsmilies']) ) ? ( ($HTTP_POST_VARS['allowsmilies']) ? TRUE : 0 ) : $board_config['allow_smilies'];

Fixed:

$allowhtml = ( $board_config['allowhtml']) ) ? TRUE : 0;
$allowbbcode = ( $board_config['allowbbcode']) ) ? TRUE : 0;
$allowsmilies = ( $board_config['allowsmilies']) ) ? TRUE : 0;



- References
--------------------------------------------------------
http://neosecurityteam.tk/index.php?pagina=advisories&id=8


- Credits
-------------------------------------------------
Discovered by Paisterist

[N]eo [S]ecurity [T]eam [NST]® - http://neosecurityteam.tk/

Any Question? paisterist.nst[at]gmail[dot]com

Irc.InfoGroup.cl #neosecurityteam

- Greetz
--------------------------------------------------------
Hackzatan
T0wn3r
Crashcool
Daemon21
Merlin
Maxx
Arcanhell

@@@@'''@@@@'@@@@@@@@@'@@@@@@@@@@@
'@@@@@''@@'@@@''''''''@@''@@@''@@
'@@'@@@@@@''@@@@@@@@@'''''@@@
'@@'''@@@@'''''''''@@@''''@@@
@@@@''''@@'@@@@@@@@@@''''@@@@@
*/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ