Bug 90213 - www-apps/phpBB: 2.0.15 includes security fixes
Summary: www-apps/phpBB: 2.0.15 includes security fixes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/1334...
Whiteboard: B4? [glsa] lewk
Duplicates: 90214
Reported: 2005-04-24 03:24 UTC by Adir Abraham
Modified: 2005-05-14 08:34 UTC
Description Adir Abraham 2005-04-24 03:24:23 UTC
from securityfocus.com:

phpBB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Reproducible: Always
Comment 1 Adir Abraham 2005-04-24 03:31:00 UTC
phpBB 2.0beta1 up to phpBB 2.0.14 are vulnerable.
Comment 2 Luke Macken (RETIRED) gentoo-dev 2005-04-24 07:10:13 UTC
*** Bug 90214 has been marked as a duplicate of this bug. ***
Comment 3 Luke Macken (RETIRED) gentoo-dev 2005-04-24 07:11:33 UTC
[merged from bug 90214]

from securityfocus.com:

phpBB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.

Versions 2.0beta1 up to 2.0.14 are vulnerable
Comment 4 Luke Macken (RETIRED) gentoo-dev 2005-04-24 07:12:44 UTC
web-apps, please advise.
Comment 5 Aaron Walker (RETIRED) gentoo-dev 2005-04-25 02:44:34 UTC
Unfortunately (or fortunately?) I don't know PHP so I am unable to try and patch it.  If anyone else wants to take a stab, feel free.  Otherwise, we'll have to wait on upstream.
Comment 6 Luke Macken (RETIRED) gentoo-dev 2005-04-25 07:47:00 UTC
Some snippets from my conversation on IRC
- - -
09:27 <@NeoThermic> lewk^: It has been noted and investigated, but as far as I
                    can see it's only a bug rather than a security issue.
                    Granted though, if you know different, or we find different,
                    we will let everyone know :)
09:28 <@NeoThermic> lewk^: and as for the line posting to admin_forums.php, a)
                    you need admin for that, and b) it's always been that the
                    admin can put any HTML in the forum description. It's not
                    even a bug that one.
09:32 <@NeoThermic> without conferring with the teams, I can't say anything
                    official about them, since they might have more to say. But
                    in my view the former one over \[ in the url is a bug, and
                    the latter one requires admin access anyway, so it's a bit
                    of a stretch, don't you think?

09:34 <@NeoThermic> I'll put it this way, if it was a security risk, we would
                    have new packages out in a matter of hours :)
- - -

I guess we could sit on this bug for a bit and see if upstream makes a new release soon.  Audit Team, anyone willing to take a look?
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-08 00:08:29 UTC
phpBB 2.0.15 released:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Though not sure it fixes this vulnerability it fixes a serious issue in includes/bbcode.php

web-apps please bump.

Lewk please check whether it fixes the original issue and the impact of the current issue.

Comment 8 Aaron Walker (RETIRED) gentoo-dev 2005-05-08 06:32:25 UTC
2.0.15 in CVS.  Lewk, if you think everything's A-OK, then go ahead and CC ppc@ if you would.
Comment 9 Jakub Moc (RETIRED) gentoo-dev 2005-05-08 15:12:26 UTC
2.0.15 does not exist on any sourceforge mirror - pretty hard to test... :-)
Comment 11 Jakub Moc (RETIRED) gentoo-dev 2005-05-08 15:25:24 UTC
Hmmm - the digest obviously needs fix...

!!! Digest verification Failed:
!!!    /usr/portage/distfiles/phpBB-2.0.15.tar.bz2
!!! Reason: Filesize does not match recorded size

# ls -ls /usr/portage/distfiles | grep phpBB-2.0.15
  436 -rw-r--r--  1 root portage   443750 May  7 16:21 phpBB-2.0.15.tar.bz2

# cat /usr/portage/www-apps/phpBB/files/digest-phpBB-2.0.15
MD5 a8e71358ccc758ec3b7aa98dfe504497 phpBB-2.0.15.tar.bz2 443698
Comment 12 Aaron Walker (RETIRED) gentoo-dev 2005-05-08 17:55:20 UTC
hmmm well I downloaded the tarball from a SF mirror....
Comment 13 Jakub Moc (RETIRED) gentoo-dev 2005-05-09 02:15:22 UTC
Works now, tnx. ;-)
Comment 14 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-09 08:01:05 UTC
according to <@NeoThermic> in #phpbb, 2.0.15 fixes the original issue (XSS-Vulns, btw no real security issue) and the more serious problem in includes/bbcode.php.
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2005-05-12 05:43:57 UTC
ppc: please test and mark 2.0.15 stable
Comment 16 Lars Weiler (RETIRED) gentoo-dev 2005-05-12 12:18:07 UTC
Tested and marked stable on ppc.
Comment 17 Matthias Geerdsen (RETIRED) gentoo-dev 2005-05-12 13:00:18 UTC
http://securitytracker.com/alerts/2005/May/1013918.html

security, pls vote on GLSA need
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-12 13:45:34 UTC
I vote YES.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-05-13 01:29:03 UTC
I vote yes too. Any idea of the impact?
Comment 20 Stefan Cornelius (RETIRED) gentoo-dev 2005-05-14 02:37:54 UTC
http://securitytracker.com/alerts/2005/May/1013918.html says the following about Impact:  A remote user may be able to cause arbitrary scripting code to be executed by the target user's browser.
Comment 21 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-14 08:34:51 UTC
GLSA 200505-10