Two new XSS vulnerabilities were discovered in phpBB < 2.0.7:

PHPBB ViewTopic.PHP "postdays" Cross-Site Scripting Vulnerability
http://www.securityfocus.com/bid/9865

PHPBB ViewForum.PHP "topicdays" Cross-Site Scripting Vulnerability
http://www.securityfocus.com/bid/9866

Reproducible: Didn't try

Info from Bugtraq:

1) It has been reported that one of the scripts included with phpBB is prone to a cross-site scripting vulnerability. According to the author of the report, the script "viewtopic.php" returns the value of the HTML variable "postdays" to the client as its output without encoding it or otherwise removing potentially hostile content. This can be exploited by constructing malicious links with the malicious "postdays" variable value embedded as a GET request style HTML variable. If the target user visits such a link, the malicious, externally created content supplied in the link will be rendered (or executed, in the case of script code) as part of the viewtopic.php document and within the context of the vulnerable website (including the phpBB forum).

2) It has been reported that one of the scripts included with phpBB is prone to a cross-site scripting vulnerability. According to the author of the report, the script "viewforum.php" returns the value of the HTML variable "topicdays" to the client as its output without encoding it or otherwise removing potentially hostile content. This can be exploited by constructing malicious links with the malicious "topicdays" variable value embedded as a GET request style HTML variable. If the target user visits such a link, the malicious, externally created content supplied in the link will be rendered (or executed, in the case of script code) as part of the viewtopic.php document and within the context of the vulnerable website (including the phpBB forum).

Both bugs have been fixed in phpBB 2.0.7.
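As an added illustration (not phpBB's source and not from the reporter or the Bugtraq advisory), the pattern the advisory describes, a request parameter echoed straight back into the page, shown beside a hardened version. The function names, the template fragment and the list of allowed day values are assumptions for the example.

```php
<?php
// Added example, not phpBB's actual code. Models the pattern the advisory
// describes for viewtopic.php ("postdays") and viewforum.php ("topicdays").

// Vulnerable: the raw GET value lands in the HTML verbatim, so any markup
// supplied in a crafted link is rendered inside the forum's origin.
function render_postdays_vulnerable(array $get): string
{
    $postdays = $get['postdays'] ?? '0';
    return '<option value="' . $postdays . '" selected>' . $postdays . ' days</option>';
}

// Hardened: "postdays"/"topicdays" only ever mean a number of days, so
// validate to an integer from a known list first (assumed values), and still
// HTML-encode on output so a later type change cannot reintroduce the bug.
function render_postdays_safe(array $get, array $allowed = [0, 1, 7, 14, 30, 90, 180, 364]): string
{
    $postdays = filter_var($get['postdays'] ?? 0, FILTER_VALIDATE_INT);
    if ($postdays === false || !in_array($postdays, $allowed, true)) {
        $postdays = 0; // unknown value: use the default instead of echoing it back
    }
    $enc = htmlspecialchars((string) $postdays, ENT_QUOTES, 'UTF-8');
    return '<option value="' . $enc . '" selected>' . $enc . ' days</option>';
}

// Constructed input standing in for the malicious link the advisory describes.
$crafted = ['postdays' => '"><b>injected</b>'];
echo render_postdays_vulnerable($crafted), "\n"; // the <b> tag survives into the page
echo render_postdays_safe($crafted), "\n";       // renders "0 days"; nothing from the request reaches the HTML
```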
I just saw that there are some more vulnerabilities in phpBB for which no fixes yet exist:

SQL Injection Vulnerability:
http://www.securityfocus.com/bid/9883/info/

A vulnerability has been reported to exist in the software that may allow a remote user to inject malicious SQL syntax into database queries. The problem reportedly exists in one of the parameters of the search.php script. This issue is caused by insufficient sanitization of user-supplied data. A remote attacker may exploit this issue to influence SQL query logic to disclose sensitive information that could be used to gain unauthorized access.

PhpBB admin_words.php Multiple Vulnerabilities:
http://www.securityfocus.com/bid/9896/info/

It has been reported that PhpBB may be prone to multiple vulnerabilities that may allow an attacker to carry out SQL injection and cross-site scripting attacks. These issues are reported to affect the 'id' parameter of the 'admin_words.php' module. The SQL injection attack requires administrator level access. PhpBB version 2.0.6c has been reported to be affected by these issues; however, it is possible that other versions are affected as well.

A posting in Bugtraq gives some additional information and a bugfix for the admin files:
http://www.securityfocus.com/archive/1/358196/2004-03-20/2004-03-26/0
2.0.7a: http://www.phpbb.com/phpBB/viewtopic.php?t=182281&sid=1c108b36e40e8dc6203a04ed80be9741

Please raise severity / fix it.
2.0.8 - "This release had been made to fix a number of critical security related issues. Work continues on 2.2.0 and again we do not plan on further releases of 2.0.x except where critical issues arise."
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=183982
<= 2.0.8 is apparently already vulnerable to a SQL injection bug in privmsg.php that will reveal the admin's username and password hash.
(http://www.securityfocus.com/archive/1/358708/2004-03-23/2004-03-29/0)

http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch fixes it.
(http://www.securityfocus.com/archive/1/358751/2004-03-23/2004-03-29/0)
Can somebody from web-apps please bump this and add the fix from comment #4?
-- to all security@go : I will take security ownership for this one.

The patch from comment #4 is included in the 2.0.8a packages; we should probably bump the ebuild to that (instead of patching 2.0.8 ourselves).

-K
Could someone from web-apps@gentoo.org bump the ebuild to 2.0.8a? It should not generate any problems, and we're getting late on these vulns. Thanks.
Okay, I'm working on it now. Stu
Okay, version 2.0.8a is now in Portage. Best regards, Stu
Thanks Stuart. Since phpBB packages have never been marked stable on any arch, we will not issue a GLSA for this one. -K