lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 21 Apr 2004 09:10:55 +0800
From: Xin LI <delphij@...ntfree.net>
To: 3APA3A <3APA3A@...URITY.NNOV.RU>
Cc: Ready Response <wang@...-x.co.uk>, bugtraq@...urityfocus.com
Subject: Re: phpBB 2.0.8a and lower - IP spoofing vulnerability

On Tue, Apr 20, 2004 at 04:15:48PM +0400, 3APA3A wrote:
> --Monday, April 19, 2004, 4:01:29 AM, you wrote to bugtraq@...urityfocus.com:
> 
> RR> the  users IP address in the common.php script. This issue is caused
> RR> by blind trust of the X-Forwarded-For HTTP header. A remote attacker
> 
> This  issue  is very common for different BBs (for example Iconboard has
> same problem), in addition to IP spoofing it's usually possible to cause
> crossite  scripting  by  inserting  script  into forgery X-Forwarded-For
> header.
> 
> -- 

The situation turns out to be more serious because phpBB (up to and
including 2.0.8a) is affected by another potential resource exhaustion
attack, by exploiting the limitation on the sessions table.

I have a preliminary patch as followed. It was sent to security@...bb.com
a month ago and I received no response from them (also, the description
of the vulnerablity, of course):

Index: includes/sessions.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/Attic/sessions.php,v
retrieving revision 1.58.2.10
diff -u -r1.58.2.10 sessions.php
--- includes/sessions.php	5 Apr 2003 12:04:33 -0000	1.58.2.10
+++ includes/sessions.php	17 Apr 2004 07:48:20 -0000
@@ -147,7 +147,7 @@
 		$sql = "INSERT INTO " . SESSIONS_TABLE . "
 			(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
 			VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
-		if ( !$db->sql_query($sql) )
+		if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
 		{
 			message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
 		}
@@ -380,4 +380,4 @@
 	return $url;
 }
 
-?>
\ No newline at end of file
+?>

The concept here is simple. We do not really need to store sessions for
anonymous users.

Remote attackers can attack a forum without Wang's patch by exploiting
this vulnerablity and result in a Denial of Service attack by fooling
the forum to store many anonymous 'visitors' in sessions table.

This vulnerablity does not affect the development version of phpBB.

-- 
Xin LI <delphij frontfree net>	http://www.delphij.net/
See complete headers for GPG key and other information.


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ