Application : phpBB2
Vendor      : http://www.phpbb.com
Problem     : Insufficient filtering of user input (script in HTML attributes, cross-site scripting)
Usability   : Easy
Severity    : Medium
Report by   : Pete Foster, Sec-Tec Ltd (http://www.sec-tec.com)

The Product (from the vendor's site):

phpBB is a high powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.

Details:

There is a problem with the filtering of content in user posts. phpBB2 can be configured to allow a set of HTML tags in posts for text formatting. The filter decides on the tag name only, so a permitted tag can still carry event-handler attributes such as onMouseOver or onClick, and the script in those attributes runs in the browser of every user who views the post. Such scripts could be used to steal cookie information, amongst other things.

Proof of Concept:

Post a message to any forum of a phpBB2 bulletin board that has HTML enabled, containing the following text:

<b onMouseOver="alert(document.location);">This piece of text could be dangerous if you were to move your mouse over it!</b>

<i onClick="alert(document.location);">This piece of text could be dangerous if you were to click it!</i>

<u onClick="alert('Hello');">This piece of text could be dangerous if you were to click it!</u>

Suggested fix:

Disable the ability to post messages containing HTML and force users to use BBCode instead.

Tested on:

phpBB2 2.0.3
Apache 1.3.23
php 4.1.2
mySQL 11.16
RedHat Linux 7.3

Vendor's response:

+ The solution is as stated ... disable HTML, BBCode should be more than
+ adequate for many users' needs (don't forget additional controls exist in
+ the form of Mods).
+ Will look @ backporting phpBB 2.2 code to this but
+ the parsers are quite different thus it may not be possible.

Pete Foster
Senior Consultant - Sec-Tec Ltd
www.sec-tec.co.uk
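The following is an added example written for this page; it is not code from phpBB or from the advisory. It contrasts the flawed filter the Details section describes (a tag-name allow-list that lets attributes through) with two remedies: an attribute-stripping HTML sanitizer, and the advisory's suggested fix of accepting BBCode only. The allowed-tag set, the helper names and the check `has_event_handler` are assumptions for the demonstration; the three test posts are the advisory's own proof-of-concept strings.

```python
"""Added example, not phpBB code: why a tag-name allow-list is not enough."""
import html
import re
from html.parser import HTMLParser

# Formatting tags the board is assumed to permit (assumption; phpBB2's own
# configuration may differ).
ALLOWED_TAGS = {"b", "i", "u"}

# The advisory's proof-of-concept posts, quoted verbatim.
POC_POSTS = [
    '<b onMouseOver="alert(document.location);">This piece of text could be '
    'dangerous if you were to move your mouse over it!</b>',
    '<i onClick="alert(document.location);">This piece of text could be '
    'dangerous if you were to click it!</i>',
    '<u onClick="alert(\'Hello\');">This piece of text could be dangerous if '
    'you were to click it!</u>',
]

TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^>]*>")


def naive_filter(post: str) -> str:
    """The flawed approach: a tag is kept or escaped based on its NAME only,
    so event-handler attributes on a permitted tag pass straight through."""
    def repl(m):
        if m.group(2).lower() in ALLOWED_TAGS:
            return m.group(0)           # attributes are never inspected
        return html.escape(m.group(0))
    return TAG_RE.sub(repl, post)


class AttrStrippingSanitizer(HTMLParser):
    """Remedy 1: rebuild permitted tags with NO attributes at all; every
    other tag, and all text, is entity-escaped. Comments/declarations are
    dropped by HTMLParser's default no-op handlers."""
    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")        # attrs intentionally discarded
        else:
            self.parts.append(html.escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"</{tag}>")
        else:
            self.parts.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        self.parts.append(html.escape(data, quote=False))


def sanitize_html(post: str) -> str:
    p = AttrStrippingSanitizer()
    p.feed(post)
    p.close()
    return "".join(p.parts)


def bbcode_to_html(post: str) -> str:
    """Remedy 2 (the advisory's suggested fix): escape ALL raw HTML first, then
    turn only well-formed [b]..[/b]-style markup into attribute-free tags.
    There is no place for an attacker to put an attribute."""
    out = html.escape(post)
    for code in ALLOWED_TAGS:
        out = re.sub(rf"\[{code}\](.*?)\[/{code}\]", rf"<{code}>\1</{code}>",
                     out, flags=re.S | re.I)
    return out


def has_event_handler(rendered: str) -> bool:
    """Assumed check: does the rendered HTML still contain a live on* attribute?"""
    return re.search(r"<[^>]*\son[a-z]+\s*=", rendered, re.I) is not None


if __name__ == "__main__":
    for post in POC_POSTS:
        print("naive    :", naive_filter(post))
        print("stripped :", sanitize_html(post))
    print("bbcode   :", bbcode_to_html('[b]bold[/b] <i onClick="x()">y</i>'))
```

Running the block shows all three proof-of-concept posts surviving `naive_filter` unchanged, handlers intact, while `sanitize_html` reduces each to a bare `<b>`, `<i>` or `<u>` element and `bbcode_to_html` renders the same formatting without ever accepting raw HTML. Attribute stripping is the minimum if HTML must stay enabled; the BBCode route is simpler to get right, which is why both the advisory and the vendor recommend it.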