search menu icon-carat-right cmu-wordmark

CERT Coordination Center

phpBB contains an input validation vulnerability in "includes/bbcode.php"

Vulnerability Note VU#113196

Original Release Date: 2005-05-12 | Last Revised: 2005-05-12

Overview

phpBB fails to sanitize user input, allowing the possible inclusion of active script content in user posts.

Description

phpBB is a widely used Open Source bulletin board package written in PHP.

An input validation issue has been identified that allows a malicious phpBB user to include active script code in a post.

The functions to process user input to generate HTML that makes up a user post on the bulletin board fails to prevent the inclusion of active script tags. Version 2.0.15 of phpBB adds code to two functions in "includes/bbcode.php" to blacklist certain active script tags, as an attempt to address this vulnerability. While this may mitigate this vulnerability, in general blacklisting is not an effective counter measure to malicious user input, due to the fact that characters can be encoded in many ways.

Impact

Malicious users can post to phpBB bulletin boards and include active script code. For many users the active script code will be executed by their browsers, due to active content being enabled by default in many popularly browsers.


Note that proof of concept code has been made public. There are also reports of the vulnerability being exploited in order to capture
site administrator authentication details, which are then used to perform further attacks unrelated to the phpBB flaw.

Solution

The flaw has been addressed in phpBB 2.0.15. For more information on the patch please see:


http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Code has been added to the includes/bbcode.php to blacklist certain active script tags, as an attempt to address this vulnerability. In general blacklisting is not an effective counter measure to malicious user input, due to the fact that characters can be encoded in many ways.

As a best practice, users of bulletin board sites and other sites where content is created from untrusted sources, such as the public, should consider turning off all forms of scripting support in their browsers.

More information about injecting code into forums is available in the CERT/CC advisory CA-2000-02.

Vendor Information

113196
 
Affected   Unknown   Unaffected

PHPBB

Updated:  May 12, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

The phpBB development team thank PapaDos and Paul/Zhen-Xjell from CastleCops

This document was written by Robert Mead.

Other Information

CVE IDs: None
Severity Metric: 10.24
Date Public: 2005-05-08
Date First Published: 2005-05-12
Date Last Updated: 2005-05-12 20:14 UTC
Document Revision: 9

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.