------------------------------------------------------------
itcp advisory 5
advisories@it-checkpoint.net
http://www.it-checkpoint.net/advisory/5.html
March 21st, 2002
------------------------------------------------------------

phpBB 1.4.4 still suffers from Cross Site Scripting Vulnerability
-------------------------

Affected program:     phpBB 1.4.4
Vendor:               www.phpBB.org
Vulnerability-Class:  Cross Site Scripting (CSS)
OS specific:          No
Problem-Type:         remote

SUMMARY

After a similar bug was discovered in phpBB 1.4.2, the authors fixed the bug with which JavaScript could be inserted by using an [IMG] tag like:

  [img]javascript:alert('bla')[/img]

But there is only a check when you post new messages. If you just edit an existing message, you can still use this bug to insert JavaScript.

DETAILS

There is no check in the edit function of phpBB 1.4.4 whether JavaScript or other unwanted code is written within IMG tags.

IMPACT

Cookies can be stolen.

Hint: At the moment it is being discussed on Bugtraq what CSS can be used for. Perhaps you should just visit one of the many Bugtraq archives to learn about the dangers of CSS vulnerabilities.

EXPLOIT

Create a new topic or answer to an existing one. Then, after posting your message, click on the "edit" button and enter anywhere in your posting:

  [img]javascript:alert(document.cookie)[/img]

After posting the message, you should see the contents of the cookie matching the site you are visiting at the moment.

SOLUTION

Update to newer versions (phpBB2 seems not to be vulnerable) or just implement a routine which checks whether [IMG] tags begin with "http://". This routine must run on the edit path as well as on the new-post path.

ADDITIONAL INFORMATION

Vendor has not been contacted since newer versions (at least phpBB2) seem not to be vulnerable.

Bug discovered and published by tSR / Sascha Möke and BlueScreen / Florian Hobelsberger from www.IT-Checkpoint.net

-----------------------

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
BlueScreen@IT-Checkpoint.net
Member of:
http://www.IT-Checkpoint.net
http://www.Hackeinsteiger.de
Bugreplace Technologies - We work for your Security
http://www.bugreplace.de
Sales Bureau Munich
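The routine proposed in the SOLUTION section, worked out as an added example that is neither phpBB's nor IT-Checkpoint's code: it allowlists the scheme of the URL inside [img] tags (http:// and https://) and rejects characters that would break out of the rendered src attribute. The function names and the sample posts are constructed for this example; the advisory's payload is the second sample.

```php
<?php
// Added example, not phpBB code: validate the URL inside [img]...[/img]
// BBCode. phpBB 1.4.4 ran a check like this only for new posts; the same
// routine has to run on the edit path too, or the check is bypassed.

function img_url_is_safe(string $url): bool
{
    $url = trim($url);
    // Allowlist the scheme. javascript:, vbscript:, data:, scheme-less
    // values and anything with junk before the scheme all fail this test.
    if (!preg_match('#^https?://#i', $url)) {
        return false;
    }
    // The URL ends up inside src="...": reject quotes, whitespace, angle
    // brackets and control characters that could break out of the attribute.
    if (preg_match('#[\s"\'<>\x00-\x1f]#', $url)) {
        return false;
    }
    return true;
}

// Call this from BOTH the "post new message" and the "edit message" code
// paths, before the text is stored.
function sanitize_img_bbcode(string $text): string
{
    // Case-insensitive, non-greedy match so [IMG]...[/IMG] is covered too.
    return preg_replace_callback(
        '#\[img\](.*?)\[/img\]#is',
        function (array $m): string {
            return img_url_is_safe($m[1])
                ? '[img]' . trim($m[1]) . '[/img]'
                : '[img removed: only http:// and https:// URLs are allowed]';
        },
        $text
    );
}

// Constructed sample posts, including the payload from the advisory.
$samples = [
    "[img]http://example.com/a.png[/img]",
    "[img]javascript:alert(document.cookie)[/img]",
    "[IMG] jAvAsCrIpT:alert(1) [/IMG]",
    "[img]http://example.com/a.png\" onerror=\"alert(1)[/img]",
];
foreach ($samples as $s) {
    echo $s, "\n  -> ", sanitize_img_bbcode($s), "\n";
}
```

Only the first sample survives unchanged; the other three are replaced by the placeholder, and the output side should still HTML-escape the URL when it renders the tag.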