Filing this for the forum devs.
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
from securityreason.com TEAM
--- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.
Contact with author http://www.phpbb.com/about.php.
--- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile
"Always allow HTML: YES" or are you Guest
that you can use this tags:
<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>
X="<B "> H A L O </B>
and have you cookies.
--- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
if( !empty($setmodules) )
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);
function append_sid() dosen't exists. And if you have:
register_globals = On
display_errors = On
Try to go:
Fatal error: Call to undefined function: append_sid()
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
Our forums aren't affected by this as we have both HTML and register_globals switched off.
This looks very limited.
- XSS if Allowed HTML tags is set to "ON"
- Path disclosure if PHP has register_globals = On and display_errors = On
Those are non-standard settings... Closing this one, feel free to reopen if phpBB releases a new version.
*** Bug 117560 has been marked as a duplicate of this bug. ***
2.0.19 is out, if you want to revisit this.
Well, phpBB is still security-masked as a semi-permanent security PITA so no, I don't want to revisit this. However www-apps can still bump it to 2.0.19 if they want to, since lots of users security_unmask the thing and accept the risk.
2.0.19 in CVS, just FYI