lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201107251221.p6PCLOcD017612@sf01web2.securityfocus.com>
Date: Mon, 25 Jul 2011 12:21:24 GMT
From: spamgoeshere@...venroddis.com
To: bugtraq@...urityfocus.com
Subject: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability

View here: https://www.stevenroddis.com/phpbb-ajax-chatshoutbox-mod-csrf-vulnerability/

Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
Release Date: 2011-04-30
Product Affected: http://startrekaccess.com/community/viewtopic.php?f=127&t=8675
Responsible Disclosure:

After repeated attempts to get the vendor to fix this flaw, he has told me to "Please stop taking up my time with something this trivial." I have provided a risk assessment, sources on CSRF including OWASP and my implementation on how to fix it.

If after a reasonable attempt to make the vendor realise it is a vulnerability, the vendor refuses to acknowledge the flaw, the vulnerability will be publicly published.

First vendor contact was made on 2011-04-24 and continued till the 29th where he cut contact.
Discription:

All actions taken on chat.php are not protected against CSRF, this includes add and delete chat messages.
Solution:

This solution carries no warranty or guarantees, that said it works with the version I have.

In config.php
$secretKey = 'CHANGE THIS TO SOMETHING SECURE';

in shout.php
116: 'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)

in chat.php
49:
$chatMAC = request_var('mac', '');

56:
if($mode AND $chatMAC != hash_hmac('ripemd160', $user->data['user_id'], $secretKey)) //action taken
{
die('Hacking attempt! (CSRF)');
}

257:  'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)

in templates:
after param = 'mode=' + mode;
Add param += '&mac=' + '{CHAT_MAC}';

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ