Re: New phpBB ViewTopic.php Cross Site Scripting Vulnerability

"t4c [Founder of GHCIF]" <t4c@ghcif.de> · Mon, 01 Mar 2004 23:35:30 +0000

An inofficial fix to this Issue has been released by ghcif.de
PHPBB 2.0.6c XSS Flaw in viewtopic.php

Open and Backup viewtopic.php

Find:

if ( !empty($HTTP_POST_VARS['postorder']) || 
!empty($HTTP_GET_VARS['postorder']${

        $post_order = (!empty($HTTP_POST_VARS['postorder'])) ? 
$HTTP_POST_VARS[$

        $post_time_order = ($post_order == "asc") ? "ASC" : "DESC";

}

else

{

        $post_order = 'asc';

        $post_time_order = 'ASC';

}

Replace with:

//

// Decide how to order the post display

//

if ( !empty($HTTP_POST_VARS['postorder']) || 
!empty($HTTP_GET_VARS['postorder']${

        $post_order = (!empty($HTTP_POST_VARS['postorder'])) ? 
$HTTP_POST_VARS[$

        // Exploit Fix

        $post_order = htmlspecialchars($post_order);

        $post_time_order = ($post_order == "asc") ? "ASC" : "DESC";

}

else

{

        $post_order = 'asc';

        // Exploit Fix

        $post_order = htmlspecialchars($post_order);

        $post_time_order = 'ASC';

}

by Milan 't4c' Berger

Cheng Peng Su wrote:

################################################

Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability

Release Date: Feb 29,2004 
Application: phpBB 
Platform: PHP

Version Affected: the lastest version

Vendor URL: http://www.phpbb.com/

Discover: Cheng Peng Su(apple_soup_at_msn.com)

################################################

Details:
    This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information.

Proof of Concept:

     If there is a topic at 
  http://site/phpBB/viewtopic.php?t=123456

  this page can be also viewed at

  http://site/phpBB/viewtopic.php?t=123456&postorder=asc

  then this page will contain code like below:

  <a class="maintitle" href="viewtopic.php?t=176994&amp;start=0&amp;postdays=0&amp;postorder=asc&amp;highlight=">[Topic Title]</a>.

  phpBB doesn't filter out illegal characters from 'postorder',so we can inject HTML code after 'postorder='.

Exploit:
  URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C

  note unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '">&lt;script&gt;alert(document.cookie)&lt;/script&gt;<'

Contact:
Cheng Peng Su
apple_soup_at_msn.com
Class 1,Senior 2,High school attached to Wuhan University
Wuhan,Hubei,China

--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg

gpg: http://www.ghcif.de/keys/t4c.asc