Vulnerability Note VU#113196

phpBB contains an input validation vulnerability in "includes/bbcode.php"

Overview

phpBB fails to sanitize user input, allowing the possible inclusion of active script content in user posts.

I. Description

phpBB is a widely used Open Source bulletin board package written in PHP.

An input validation issue has been identified that allows a malicious phpBB user to include active script code in a post.

The functions that process user input to generate the HTML making up a user post on the bulletin board fail to prevent the inclusion of active script tags. Version 2.0.15 of phpBB adds code to two functions in "includes/bbcode.php" to blacklist certain active script tags in an attempt to address this vulnerability. While this may mitigate the vulnerability, blacklisting is in general not an effective countermeasure against malicious user input, because characters can be encoded in many ways.

II. Impact

Malicious users can post to phpBB bulletin boards and include active script code. For many users, the active script code will be executed by their browsers, because active content is enabled by default in many popular browsers.


Note that proof of concept code has been made public. There are also reports of the vulnerability being exploited in order to capture site administrator authentication details, which are then used to perform further attacks unrelated to the phpBB flaw.

III. Solution

The flaw has been addressed in phpBB 2.0.15. For more information on the patch please see:


http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Code has been added to includes/bbcode.php to blacklist certain active script tags in an attempt to address this vulnerability. In general, blacklisting is not an effective countermeasure against malicious user input, because characters can be encoded in many ways.
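The limitation noted here and in the Description, shown as an added PHP sketch that compares a substring blacklist with escape-first, allowlist rendering. It is not phpBB's code or the 2.0.15 patch; the function names, the [url] tag handling and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration; hypothetical names, not phpBB's implementation.

// Blacklist: remove known-bad strings and pass everything else through.
function blacklist_url(string $url): string {
    return str_ireplace(['javascript:', 'vbscript:'], '', $url);
}

// Allowlist: accept only a strict http(s) URL shape, reject all else.
function allowlist_url(string $url): ?string {
    $ok = preg_match(
        '#^https?://[A-Za-z0-9.-]+(:\d+)?(/[A-Za-z0-9._~/%?=&+-]*)?$#D',
        $url
    );
    return $ok === 1 ? $url : null;
}

// Escape the whole post first, then re-introduce only markup built here.
function render_post(string $post): string {
    $safe = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $out = preg_replace_callback(
        '#\[url=([^\]\s]+)\](.*?)\[/url\]#s',
        function (array $m): string {
            // $m[1] was escaped above; decode it before validating.
            $url = allowlist_url(htmlspecialchars_decode($m[1], ENT_QUOTES));
            if ($url === null) {
                return $m[0]; // rejected: tag stays as inert, escaped text
            }
            return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
                 . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
    return $out ?? $safe; // on a regex error, fall back to escaped text
}

// Constructed samples (not taken from the advisory).
$samples = [
    'http://example.com/a?x=1&y=2',
    'java&#115;cript:void(0)', // one character written as an HTML entity
];
foreach ($samples as $s) {
    // The blacklist returns the second sample unchanged; the allowlist
    // returns NULL for it and the renderer emits no anchor element.
    printf("blacklist: %s\nallowlist: %s\nrendered:  %s\n\n",
        blacklist_url($s),
        var_export(allowlist_url($s), true),
        render_post('[url=' . $s . ']link[/url]'));
}
```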

As a best practice, users of bulletin board sites and other sites where content is created from untrusted sources, such as the public, should consider turning off all forms of scripting support in their browsers.

More information about injecting code into forums is available in the CERT/CC advisory CA-2000-02.

Systems Affected

Vendor    Status        Date Updated
PHPBB     Vulnerable    12-May-2005

References


http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194
http://secunia.com/advisories/15298/
http://neosecurityteam.net/Advisories/Advisory-14.txt
http://www.phpbb.com/phpBB/viewtopic.php?t=285815

Credit

The phpBB development team thank PapaDos and Paul/Zhen-Xjell from CastleCops.

This document was written by Robert Mead.

Other Information

Date Public: 05/08/2005
Date First Published: 05/12/2005 01:23:01 PM
Date Last Updated: 05/12/2005
CERT Advisory:
CVE Name:
Metric: 10.24
Document Revision: 9


Copyright 2005 Carnegie Mellon University