hackerone | Hanno | H1:587727
May 22, 2019 - 10:48 a.m.

phpBB: CSS injection via BB code tag "█████"


EPSS: 0.001 (Low), percentile 46.4%

The input to the “█████” BBcode tag is not properly filtered. It gets converted into a CSS style attribute for a span HTML element.

Quotes (") are removed, so there’s no way to break out of the CSS style attribute. However, it is possible to arbitrarily dress the resulting span element.

To illustrate this here’s an example:

███████

This will place a skull on the top of the page (by using position:fixed). I’ll attach a screenshot as well.

The power of CSS pretty much allows arbitrary placement of elements across the page. This may also be used in UI redressing attacks.

Impact

An attacker can arbitrarily redress the page via forum posts.
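
The filtering gap described above, as an added example that is not part of the original report or phpBB's own code. The tag name `deco`, the `color` property it sets, and the sample posts are assumptions, since the real tag and payload are redacted on this page; it contrasts the quote-stripping conversion with an allowlist check on the whole tag argument.

```python
import html
import re

# Hypothetical tag name; the real tag is redacted in the report.
TAG = re.compile(r"\[deco=([^\]]*)\](.*?)\[/deco\]", re.S)
# Allowlist for the single property this tag is assumed to set (a colour).
SAFE_COLOR = re.compile(r"#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?|[a-zA-Z]{1,20}")


def render_naive(post):
    """Behaviour the report describes: quotes removed, rest copied into style."""
    def repl(m):
        value = m.group(1).replace('"', "")
        return f'<span style="color: {value}">{m.group(2)}</span>'
    return TAG.sub(repl, html.escape(post, quote=False))


def render_strict(post):
    """Emit a style attribute only when the whole argument is one colour."""
    def repl(m):
        value = m.group(1).strip()
        if SAFE_COLOR.fullmatch(value):
            return f'<span style="color: {value}">{m.group(2)}</span>'
        return m.group(2)  # drop the styling, keep the post text
    return TAG.sub(repl, html.escape(post, quote=False))


def extra_declarations(rendered):
    """Review helper: CSS properties in style attributes other than 'color'."""
    found = []
    for style in re.findall(r'style="([^"]*)"', rendered):
        for decl in style.split(";"):
            prop = decl.split(":", 1)[0].strip().lower()
            if prop and prop != "color":
                found.append(prop)
    return found


# Constructed sample posts, not taken from the report.
BENIGN = "[deco=#cc0000]hello[/deco]"
REDRESS = "[deco=red;position:fixed;top:0]hello[/deco]"

if __name__ == "__main__":
    for post in (BENIGN, REDRESS):
        for render in (render_naive, render_strict):
            out = render(post)
            print(render.__name__, out, extra_declarations(out))
```

`extra_declarations` can also be run over stored, already-rendered posts to find ones that carry more styling than the tag was meant to allow.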
