Summary: | www-apps/phpBB: 2.0.15 includes security fixes | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Adir Abraham <adirab> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | security-audit, web-apps |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://www.securityfocus.com/bid/13344/info/ | ||
Whiteboard: | B4? [glsa] lewk | ||
Package list: | | Runtime testing required: | --- |
Description
Adir Abraham
2005-04-24 03:24:23 UTC
phpBB 2.0beta1 up to phpBB 2.0.14 are vulnerable.

*** Bug 90214 has been marked as a duplicate of this bug. ***

[merged from bug 90214] from securityfocus.com: phpBB is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. Versions 2.0beta1 up to 2.0.14 are vulnerable.

web-apps, please advise.

Unfortunately (or fortunately?) I don't know PHP so I am unable to try and patch it. If anyone else wants to take a stab, feel free. Otherwise, we'll have to wait on upstream.

Some snippets from my conversation on IRC

\- - -

09:27 <@NeoThermic> lewk^: It has been noted and investigated, but as far as I can see its only a bug rather than a secuirty issue. Granted though, if you know diffrent, or we find diffrent, we will let everyone know :)

09:28 <@NeoThermic> lewk^: and as for the line posting to admin_forums.php, a) you need admin for that, and b) its always been that the admin can put any HTML in the forum description. Its not even a bug that one.

09:32 <@NeoThermic> without confiring with the teams, I can't say anything offical about them, since they might have more to say. But in my view the former one over \[ in the url is a bug, and the latter one requires admin access anyway, so its a bit of a strech, don't you think?

09:34 <@NeoThermic> I'll put it this way, if it was a secuirty risk, we would have new packages out in a matter of hours :)

\- - -

I guess we could sit on this bug for a bit and see if upstream makes a new release soon.

Audit Team, anyone willing to take a look?

phpBB 2.0.15 released: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Though not sure it fixes this vulnerability, it fixes a serious issue in includes/bbcode.php. web-apps please bump.

Lewk please check whether it fixes the original issue and the impact of the current issue.

2.0.15 in CVS. Lewk, if you think everything's A-OK, then go ahead and CC ppc@ if you would.

2.0.15 does not exist on any sourceforge mirror - pretty hard to test... :-)

Hmmm - the digest obviously needs fix...

```
!!! Digest verification Failed:
!!! /usr/portage/distfiles/phpBB-2.0.15.tar.bz2
!!! Reason: Filesize does not match recorded size
# ls -ls /usr/portage/distfiles | grep phpBB-2.0.15
436 -rw-r--r-- 1 root portage 443750 May 7 16:21 phpBB-2.0.15.tar.bz2
# cat /usr/portage/www-apps/phpBB/files/digest-phpBB-2.0.15
MD5 a8e71358ccc758ec3b7aa98dfe504497 phpBB-2.0.15.tar.bz2 443698
```

hmmm well I downloaded the tarball from a SF mirror....

Works now, tnx. ;-)

according to <@NeoThermic> in #phpbb, 2.0.15 fixes the original issue (XSS-Vulns, btw no real security issue) and the more serious problem in includes/bbcode.php.

ppc: please test and mark 2.0.15 stable

Tested and marked stable on ppc.

http://securitytracker.com/alerts/2005/May/1013918.html

security, pls vote on GLSA need

I vote YES.

I vote yes too. Any idea of the impact?

http://securitytracker.com/alerts/2005/May/1013918.html says the following about Impact: A remote user may be able to cause arbitrary scripting code to be executed by the target user's browser.

GLSA 200505-10