From: Sergio Jimenez Romero
To: gentoo-dev@gentoo.org
Date: Wed, 12 Jun 2002 20:44:37 +0000
Subject: [gentoo-dev] phpBB
Message-Id: <20020612204437.56aa8ad9.TripleDES@eSlack.org>
Organization: HispaBSD

I'm looking at forums.gentoo.org and see that you are using phpBB 2.0.0, and a few days ago there was an advisory about this forum on bugtraq.
Advisory:

From: Martijn Boerwinkel
To: bugtraq@securityfocus.com
Subject: Cross Site Scripting Vulnerability in phpBB2's [IMG] tag and remote avatar
Date: 26 May 2002 17:59:33 +0200

phpBB2 Cross Site Scripting Vulnerability
--------------------------------------------

Affected Program: phpBB2 version 2.0.0 (possibly earlier versions too, but not tested)
Vendor: http://www.phpbb.com
Vendor Status: informed on 24/04/2002, fix issued on 20/05/2002
Discovery Date: 24/04/2002
Release Date: 26/05/2002
Vulnerability Class: Cross Site Scripting

Severity
--------
Malicious users can steal other users' and admins' cookies, allowing them to impersonate other users on the board and access the administration panel.

Problem
-------
The problem is very similar to SQL injection. phpBB2 uses a user-provided string (through the [IMG] tag) in the following HTML tag:

While there is a check to force the string to begin with "http://", it doesn't disallow ". That means a malicious user can escape the src="" in the HTML tag and insert his own HTML code. This same problem also exists in the remote avatar part of the user profile.

Example
-------
Enter the following anywhere in a message:

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

When reading that message it should pop up an alert box with your cookies.

Solutions
---------
* Upgrade to 2.0.1

-- XiM (#icerealm on irc.icerealm.net)

-----------------------------

Well, if you didn't know, now you know... hehe, sorry about my English :-)

best regards.

-- 
When tux flies, Chuck will die...
TripleDES - http://bsdsite.no-ip.org
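The attribute-injection bug the quoted advisory describes, placed beside one way to fix it, as an added example written for this page. It is not phpBB's code and does not come from either message's author. The `<img>` template (the advisory only says the string lands in the `src` attribute), the function names, and the decision to refuse a bad URL rather than repair it are assumptions; the payload string is the one given in the advisory.

```python
"""Attribute injection via a URL dropped into <img src="...">, as the advisory
describes for phpBB2's [img] tag and remote avatar, next to a hardened renderer.

Example code written for this page; it is not phpBB's code.  Assumed: the HTML
template (only the src attribute is known from the advisory), the function
names, and the choice to refuse a bad URL rather than try to repair it.
"""
import html
import re
from typing import Optional

# Assumed output template; the advisory only states that the user string ends up
# in an <img> tag's src attribute.
IMG_TEMPLATE = '<img src="{url}" border="0" alt="image">'

# One [img]...[/img] BBCode tag, case-insensitive, shortest match.
IMG_TAG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)

# Allow-list for a URL that is about to be placed in a double-quoted attribute:
# http(s) scheme, then only URL characters.  No quotes, angle brackets,
# whitespace or control characters can get through.
SAFE_HTTP_URL_RE = re.compile(r"^https?://[A-Za-z0-9._~:/?#\[\]@!$&()*+,;=%-]+$")


def render_img_vulnerable(bbcode: str) -> str:
    """Mirrors the behaviour the advisory describes: the only check is a
    leading 'http://', after which the raw string is substituted into the
    attribute.  A '"' in the string closes src="..." early and whatever
    follows becomes new attributes (onerror=... in the advisory's payload)."""
    def substitute(match: "re.Match[str]") -> str:
        url = match.group(1)
        if not url.startswith("http://"):
            return match.group(0)            # not a URL: leave the BBCode alone
        return IMG_TEMPLATE.format(url=url)  # no escaping at all
    return IMG_TAG_RE.sub(substitute, bbcode)


def safe_url_attribute(url: str) -> Optional[str]:
    """Return the URL made safe for a double-quoted HTML attribute, or None if
    it fails the allow-list.  Two independent layers: the allow-list leaves no
    room for '"', '<', '>' or whitespace, and html.escape(quote=True) turns any
    quote or '&' into an entity, so even a loosened regex could not let a
    string break out of src="...".
    """
    if not SAFE_HTTP_URL_RE.match(url):
        return None
    return html.escape(url, quote=True)


def render_img_hardened(bbcode: str) -> str:
    """Same tag, same template, but the URL goes through safe_url_attribute().
    A rejected [img] is shown as escaped text instead of being rendered."""
    def substitute(match: "re.Match[str]") -> str:
        safe = safe_url_attribute(match.group(1))
        if safe is None:
            return html.escape(match.group(0), quote=True)
        return IMG_TEMPLATE.format(url=safe)
    return IMG_TAG_RE.sub(substitute, bbcode)


def render_avatar_hardened(avatar_url: str) -> str:
    """The same fix applied to the profile's remote-avatar URL, which the
    advisory says shares the problem.  Empty string means 'no avatar'."""
    safe = safe_url_attribute(avatar_url)
    return IMG_TEMPLATE.format(url=safe) if safe is not None else ""


if __name__ == "__main__":
    # The payload string is the one given in the advisory; the benign URL is a
    # constructed example.
    payload = '[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]'
    benign = "[img]http://example.org/pic.png?a=1&b=2[/img]"
    for text in (payload, benign):
        print("vulnerable:", render_img_vulnerable(text))
        print("hardened:  ", render_img_hardened(text))
    print("avatar:    ", render_avatar_hardened('http://a.a/a"onerror="x') or "(rejected)")
```

Running it shows the vulnerable renderer emitting `src="http://a.a/a"onerror="javascript:alert(document.cookie)"`, i.e. a second attribute that the browser happily executes, while the hardened renderer never produces an `<img>` for that input at all. The prefix check alone is what the advisory criticises: it decides whether the value looks like a URL, but says nothing about whether it is safe to place inside a quoted attribute. Escaping for the exact output context (here a double-quoted attribute) is the fix that closes the break-out; the allow-list on top of it also rejects non-http schemes and anything that is not a URL.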