Vulnerability Note VU#113196

phpBB contains an input validation vulnerability in "includes/bbcode.php"

Original Release date: 12 May 2005 | Last revised: 12 May 2005

Overview

phpBB fails to sanitize user input, allowing the possible inclusion of active script content in user posts.

Description

phpBB is a widely used Open Source bulletin board package written in PHP.

An input validation issue has been identified that allows a malicious phpBB user to include active script code in a post.

The functions that process user input to generate the HTML making up a post on the bulletin board fail to prevent the inclusion of active script tags. Version 2.0.15 of phpBB adds code to two functions in "includes/bbcode.php" to blacklist certain active script tags in an attempt to address this vulnerability. While this may mitigate the vulnerability, blacklisting is in general not an effective countermeasure against malicious user input, because characters can be encoded in many ways.

Impact

Malicious users can post to phpBB bulletin boards and include active script code. For many users the active script code will be executed by their browsers, because active content is enabled by default in many popular browsers.


Note that proof of concept code has been made public. There are also reports of the vulnerability being exploited in order to capture site administrator authentication details, which are then used to perform further attacks unrelated to the phpBB flaw.

Solution

The flaw has been addressed in phpBB 2.0.15. For more information on the patch please see:


http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Code has been added to includes/bbcode.php to blacklist certain active script tags in an attempt to address this vulnerability. In general, blacklisting is not an effective countermeasure against malicious user input, because characters can be encoded in many ways.
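The point made in the Description and repeated here, that a blacklist misses input encoded in a form it does not list while an allowlist combined with output encoding does not depend on knowing every encoding, is shown in the following added example. It is not phpBB code and not the 2.0.15 patch; the function names and sample inputs are constructed for illustration.

```php
<?php
// Added illustration, not phpBB code. All function names are hypothetical.

// Blacklist: reject input that contains a known-bad literal string.
function blacklist_accepts(string $url): bool
{
    foreach (['javascript:', 'vbscript:', '<script'] as $bad) {
        if (stripos($url, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Allowlist: accept only http(s) URLs built from an expected character set.
// The input is never decoded; anything outside the pattern is rejected.
function allowlist_accepts(string $url): bool
{
    $pattern = '#^https?://[a-z0-9.-]+(?::\d{1,5})?(?:/[a-z0-9._~%/?=&+:@-]*)?\z#i';
    return preg_match($pattern, $url) === 1;
}

// Render a link, or inert text when the URL is rejected. Every value is
// HTML-encoded on output, so a character reference in the input is shown
// as literal text instead of being interpreted by the browser.
function render_link(string $url, string $text): string
{
    $safeText = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    if (!allowlist_accepts($url)) {
        return $safeText;
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $safeText . '</a>';
}

// Constructed sample inputs: a normal link, a script URL the blacklist knows,
// and the same URL with one letter written as an HTML character reference.
$samples = ['http://example.com/topic?id=1', 'javascript:void(0)', 'java&#115;cript:void(0)'];
foreach ($samples as $url) {
    printf("%-32s blacklist=%-6s allowlist=%-6s %s\n", $url,
        blacklist_accepts($url) ? 'accept' : 'reject',
        allowlist_accepts($url) ? 'accept' : 'reject',
        render_link($url, 'link'));
}
```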

As a best practice, users of bulletin board sites and other sites where content is created from untrusted sources, such as the public, should consider turning off all forms of scripting support in their browsers.

More information about injecting code into forums is available in the CERT/CC advisory CA-2000-02.

Systems Affected

Vendor  Status    Date Notified  Date Updated
PHPBB   Affected  -              12 May 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

The phpBB development team thank PapaDos and Paul/Zhen-Xjell from CastleCops.

This document was written by Robert Mead.

Other Information

  • CVE IDs: Unknown
  • Date Public: 08 May 2005
  • Date First Published: 12 May 2005
  • Date Last Updated: 12 May 2005
  • Severity Metric: 10.24
  • Document Revision: 9
