10658848 2003-09-08 21:43 +0000 /21 lines/ <keupon_ps2@yahoo.fr>
Imported: 2003-09-09 01:13 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28887>
Subject: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: <keupon_ps2@yahoo.fr>
To: bugtraq@securityfocus.com
Message-ID: <20030908214359.3108.qmail@sf-www1-symnsj.securityfocus.com>



Hello, I've just found a new XSS vulnerability in phpBB 2.0.6 (I'm not
sure, but I don't think that other versions are vulnerable).
This vulnerability is located in the [url][/url] bbcode.
You can insert JavaScript by doing something like this:
[url=www.google.fr" onclick=alert('Hello')]text[/url]

You can find different ways to steal cookies and to stay discreet,
just use your brain for a few seconds ;-).

Actually, there is no patch available, but I have warned the phpBB
developers, so I think that they will release a patch in a few days.

PS: excuse me if my English isn't perfect, but I'm French ;-).
(10658848) /<keupon_ps2@yahoo.fr>/--------(Reflowed)
Comment in text 10663463 by Victor Sheldeshov <mrlomax@mail.ru>
10663463 2003-09-09 10:09 +0400 /27 lines/ Victor Sheldeshov <mrlomax@mail.ru>
Imported: 2003-09-09 20:27 by Brevbäraren
External recipient: keupon_ps2@yahoo.fr
External recipient: bugtraq@securityfocus.com
External replies to: mrlomax@mail.ru
Recipient: Bugtraq (import) <28897>
Comment on text 10658848 by <keupon_ps2@yahoo.fr>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: Victor Sheldeshov <mrlomax@mail.ru>
To: keupon_ps2@yahoo.fr, bugtraq@securityfocus.com
Message-ID: <19084321117.20030909100957@mail.ru>

Hello keupon,

Tuesday, September 9, 2003, 1:43:59 AM, you wrote:

kyf> Hello, I've just found a new XSS vulnerability in phpBB 2.0.6 (I'm not
kyf> sure, but I don't think that other versions are vulnerable).
kyf> This vulnerability is located in the [url][/url] bbcode.
kyf> You can insert JavaScript by doing something like this:
kyf> [url=www.google.fr" onclick=alert('Hello')]text[/url]

 I think my phpBB 2.0.5 is not vulnerable.
 I posted "[url=www.google.fr" onclick=alert('Hello')]text[/url]" into
 the body of the post. No URL link appeared, but I saw the whole
 string "[url=www.google.fr" onclick=alert('Hello')]text[/url]" in my
 post.

 Was I wrong? Where do we need to place that string?

--
Best regards,
Victor                          mailto:mrlomax@mail.ru
Topic: When a ruler speaks of concern for the welfare of the people, he
wants to secure their trust for yet another deception.
(10663463) /Victor Sheldeshov <mrlomax@mail.ru>/(Reflowed)
10663079 2003-09-09 09:24 +0200 /31 lines/ John Smith <sgaesux@Phreaker.net>
Imported: 2003-09-09 18:41 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: sgaesux@Phreaker.net
Recipient: Bugtraq (import) <28891>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: "John Smith" <sgaesux@Phreaker.net>
To: <bugtraq@securityfocus.com>
Message-ID: <20030909072405.5AB411A01C8@smtp-1.hotpop.com>

Hello,

Your XSS didn't work for me, but this "variant" did:

[url=http://www.izhal.com" onclick=alert("bug");"]test[/url]

thanks for pointing out the bug  :)
asphixia


----------
Hello, I've just found a new XSS vulnerability in phpBB 2.0.6 (I'm not
sure, but I don't think that other versions are vulnerable).
This vulnerability is located in the [url][/url] bbcode.
You can insert JavaScript by doing something like this:
[url=www.google.fr" onclick=alert('Hello')]text[/url]

You can find different ways to steal cookies and to stay discreet,
just use your brain for a few seconds ;-).

Actually, there is no patch available, but I have warned the phpBB
developers, so I think that they will release a patch in a few days.

PS: excuse me if my English isn't perfect, but I'm French ;-).
(10663079) /John Smith <sgaesux@Phreaker.net>/(Reflowed)
Comment in text 10663441 by Michael Renzmann <security@dylanic.de>
10663441 2003-09-09 18:39 +0200 /16 lines/ Michael Renzmann <security@dylanic.de>
Imported: 2003-09-09 20:22 by Brevbäraren
External recipient: John Smith <sgaesux@Phreaker.net>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28896>
Comment on text 10663079 by John Smith <sgaesux@Phreaker.net>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: Michael Renzmann <security@dylanic.de>
To: John Smith <sgaesux@Phreaker.net>
Cc: bugtraq@securityfocus.com
Message-ID: <3F5E0239.5090308@dylanic.de>

Hi.

John Smith wrote:
> [url=http://www.izhal.com" onclick=alert("bug");"]test[/url]

Checked that variant with phpBB 2.0.1 again, and it didn't work either.
Seems this version is not vulnerable.

Bye, Mike
(10663441) /Michael Renzmann <security@dylanic.de>/(Reflowed)
10663410 2003-09-09 17:10 +0000 /44 lines/ <omere@hushmail.com>
Imported: 2003-09-09 20:10 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28894>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: <omere@hushmail.com>
To: bugtraq@securityfocus.com
Message-ID: <20030909171006.23428.qmail@sf-www1-symnsj.securityfocus.com>

In-Reply-To: <19084321117.20030909100957@mail.ru>

>Tuesday, September 9, 2003, 1:43:59 AM, you wrote:
>
>kyf> Hello, I've just found a new XSS vulnerability in phpBB 2.0.6 (I'm not
>kyf> sure, but I don't think that other versions are vulnerable).
>kyf> This vulnerability is located in the [url][/url] bbcode.
>kyf> You can insert JavaScript by doing something like this:
>kyf> [url=www.google.fr" onclick=alert('Hello')]text[/url]
>
> I think my phpBB 2.0.5 is not vulnerable.
> I posted "[url=www.google.fr" onclick=alert('Hello')]text[/url]" into
> the body of the post. No URL link appeared, but I saw the whole
> string "[url=www.google.fr" onclick=alert('Hello')]text[/url]" in my
> post.
>
> Was I wrong? Where do we need to place that string?

All 2.0.x are vulnerable - that string is missing
a quote before the JavaScript code, as phpBB will
quote the beginning of the string and the end of it
on its own (so your quote at the end should not be
there either).

Although browsers will ignore onclick for A, they won't
ignore onblur and so on. So yes, it's vulnerable.
The fix is somewhat simple though, I don't see why
the phpBB folks are taking so long, this is a critical
bug.

--
Omer Efraim
(10663410) /<omere@hushmail.com>/-------------------
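Editor's note: the mechanism Omer describes above (the renderer wraps the tag argument in its own quotes, so a quote inside the argument ends the href attribute early and turns the rest into extra attributes) is easy to reproduce and to fix in a few lines. The following Python is an added example written for this archive; it is not phpBB's code and does not claim to match phpBB's BBCode parser. It renders a toy [url=...]...[/url] tag naively and in a hardened form (scheme and host validated, value HTML-escaped), then parses the resulting markup with the standard library's HTMLParser to list the attributes each rendering actually produces. The sample posts are constructed except for the tag argument quoted in the thread; the function and constant names are this example's own.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample posts. The first tag argument is the one quoted in the
# thread; the others are constructed for this example.
SAMPLE_POSTS = [
    '[url=http://www.google.fr" onclick="alert(\'Hello\')]text[/url]',
    '[url=http://www.example.org/]plain link[/url]',
    '[url=javascript:alert(1)]scheme smuggling[/url]',
    '[url=http://www.example.org/?q=a" onmouseover="x]quote in query[/url]',
]

# Toy BBCode grammar: [url=ARG]LABEL[/url], ARG runs to the first "]".
URL_TAG = re.compile(r'\[url=(.+?)\](.*?)\[/url\]', re.IGNORECASE | re.DOTALL)


def render_naive(post):
    """Reproduces the defect: the renderer supplies the quotes around href
    itself, so a double quote inside the tag argument closes the attribute
    early and whatever follows becomes further attributes of the <a> tag."""
    return URL_TAG.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(2)), post)


ALLOWED_SCHEMES = {"http", "https", "ftp"}
HOST_RE = re.compile(r'[A-Za-z0-9.\-]+(:\d{1,5})?')


def safe_url(raw):
    """Returns an attribute-safe URL, or None if it must not become a link.
    Scheme and host are validated first; the whole value is then HTML-escaped
    so a quote in the path or query cannot terminate the attribute."""
    raw = raw.strip()
    parts = urlsplit(raw)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    if not HOST_RE.fullmatch(parts.netloc):
        return None
    return html.escape(raw, quote=True)


def render_hardened(post):
    """Hardened renderer: rejected URLs are dropped and only the escaped label
    is emitted; accepted URLs are escaped before interpolation."""
    def sub(m):
        url = safe_url(m.group(1))
        label = html.escape(m.group(2), quote=True)
        return label if url is None else '<a href="%s">%s</a>' % (url, label)
    return URL_TAG.sub(sub, post)


class _AnchorCollector(HTMLParser):
    """Collects the attribute dict of every <a> start tag in a fragment."""
    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(markup):
    """Parses rendered markup and returns the attributes of each <a> tag.
    A correctly rendered [url] tag yields exactly one attribute: href."""
    p = _AnchorCollector()
    p.feed(markup)
    p.close()
    return p.anchors


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("post    :", post)
        print("naive   :", anchor_attributes(render_naive(post)))
        print("hardened:", anchor_attributes(render_hardened(post)))
```

Running it shows the naive renderer handing the thread's argument to the browser as an <a> with two attributes (href plus onclick), while the hardened renderer refuses it outright because the host part fails validation; the fourth post passes validation but its quote is escaped, so the anchor keeps a single href. Escaping the attribute value is the defence that closes the breakout regardless of which attribute name an author tries, and it does not depend on how a given browser repairs malformed markup, which is the source of the version and browser discrepancies reported later in the thread.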
10664076 2003-09-09 18:47 +0000 /23 lines/ <keupon_ps2@yahoo.fr>
Imported: 2003-09-09 22:50 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28906>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: <keupon_ps2@yahoo.fr>
To: bugtraq@securityfocus.com
Message-ID: <20030909184728.4292.qmail@sf-www1-symnsj.securityfocus.com>

In-Reply-To: <20030909171006.23428.qmail@sf-www1-symnsj.securityfocus.com>

Excuse me, I've made a little error in my example.
This will not work:
[url=www.google.fr" onclick="alert('Hello')]text[/url]
but this will work (on phpBB 2.0.6):
[url=http://www.google.fr" onclick="alert('Hello')]text[/url]

I don't remember who said that it will work on every version of
phpBB, but I've tested it on phpBB 2.0.4 and it doesn't work. Another
person has said that it only works with this code:
[url=http://www.google.fr" onclick="alert('Hello');"]text[/url]
I've tested it on 2.0.6 and it works, but the code without the ;" works
also.

If you make more tests, please indicate which version of phpBB you
are using.
(10664076) /<keupon_ps2@yahoo.fr>/--------(Reflowed)
10669049 2003-09-09 19:14 -0400 /32 lines/ Steven M. Christey <coley@mitre.org>
Imported: 2003-09-10 19:57 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28922>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: "Steven M. Christey" <coley@mitre.org>
To: bugtraq@securityfocus.com
Message-ID: <200309092314.h89NE1Td026872@linus.mitre.org>


keupon_ps2@yahoo.fr said:

>but this will work (on phpBB 2.0.6):
>[url=http://www.google.fr" onclick="alert('Hello')]text[/url]
>
>I don't remember who said that it will work on every version of phpBB,
>but I've tested it on phpBB 2.0.4 and it doesn't work.
>Another person has said that it only works with this code:
>[url=http://www.google.fr" onclick="alert('Hello');"]text[/url]
>I've tested it on 2.0.6 and it works, but the code without the ;" works
>also.

These discrepancies might be due to differences in how web browsers
render "bad" HTML, rather than a quirk in phpBB.

Since the first example URL doesn't have a closing double-quote
character in the onclick value, some browsers may ignore it
altogether.

It seems likely that some types of XSS-style attacks would only work
in certain web browsers.

Which browsers (and versions) were used when testing this bug?

- Steve
(10669049) /Steven M. Christey <coley@mitre.org>/---
10669071 2003-09-09 20:02 -0400 /10 lines/ Everett Feldt <efeldt@cox.net>
Imported: 2003-09-10 20:02 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <28923>
Subject: Re: XSS vulnerability in phpBB (an other ;-)
------------------------------------------------------------
From: "Everett Feldt" <efeldt@cox.net>
To: <bugtraq@securityfocus.com>
Message-ID: <GBEPLODAMJFPHJMAIJEAAEJCCCAA.efeldt@cox.net>

Using [url=http://www.google.com "onmouseover="window.close();"]Funny
website[/url]

I was able to get the browser to close. This was done on phpBB 2.0.5
(10669071) /Everett Feldt <efeldt@cox.net>/---------