bbcode input validation
Severity: High CastleCops: http://castlecops.com/t123194-.html CVE: CAN-2005-1193 phpBB Security ID#: 266 Bugtraq ID#: 13545 Secunia #: 15298 US-CERT VU#: 113196 SecurityTracker #: 1013918
Vulnerable: viewtopic.php, privmsg.php for phpBB 2.0.14 (possible all lower versions too), and other files that rely on bbcode.php
Fix: Upgrade to 2.0.15
It is recommended that these types of URIs not be allowed to render at all in the phpBB system as the possible user computer hijacking can be gargantuan. There is enough hijacking in spyware products (ref: http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html ).
*PROOF OF CONCEPT
This POC uses the URL encapsulation:
If you click on the second link, be sure to find and remove the "QQQQQ" entry in your Windows Registry. However, we recommend you do not click expect for developer testing and patching.
The CastleCops suggested patch was integrated into bbcode.php. That suggested patch is within the includes/bbcode.php file, bbencode_second_pass function, after the global line (and a second location):
This particular patch replaces the colon with its decimal equivalent and will bypass hyperlink creation on viewing a topic or a private message. Both the POC and patch have been tested on some sites with success.
This patch has been included in the phpbb 2.0.15 release. Please be sure to read the release in its entirety for the precise update:
Possible alternative patches?
Modsecurity adds a nice layer of security in filtering requests to a website. However, the links above in the POC clearly show the web server may not process them as they are client side driven. Modsecurity would not help in the examples above.
Whitelisting is another method, however it was decided to utilize the blacklist above by phpbb.
*WEB BROWSERS USED
Basic tests were done using Firefox and Internet Explorer. Your own mileage may vary.
Discovery and patch by Papados and Paul Laudanski at http://castlecops.com
Vendor A: phpbb.com Date Discovered: 20 Apr 2005 Patch Given: 20 Apr 2005 Vendor Notified: 20 Apr 2005 Acknowledged: 20 Apr 2005 Patch Released: 7 May 2005 Pre-Full Disclosure: 8 May 2005 Full Disclosure: 02 Jun 2005
Vendor B: (nameless) Vendor Notified: 12 May 2005 Acknowledged: 12 May 2005 Responded: 26 May 2005 (Deemed a non-issue)
*DISCLAIMER AND LICENSE
ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT.
Subject to terms in the CastleCops AUP:
Paul Laudanski .. Computer Cops, LLC. Microsoft MVP Windows-Security 2005 CastleCops(SM)... http://castlecops.com CCWiki .......... http://wiki.castlecops.com CCForums ........ http://castlecops.com/forums.html
BHO/Toolbars: http://castlecops.com/CLSID.html Windows XP/NT Services: http://castlecops.com/O23.html Extra IE Buttons: http://castlecops.com/O9.html Layered Service Providers: http://castlecops.com/LSPs.html StartupList: http://castlecops.com/StartupList.html
_ Information from Computer Cops, L.L.C. _ This message was checked by NOD32 Antivirus System for Linux Mail Server.
part000.txt - is OK http://castlecops.com
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/