
NukeCops  
phpBB vulnerability
Securityintel352 writes "Found this link on phpbb.com's mainpage: article.

Turns out there is a cross-site scripting weakness when HTML is enabled in phpbb forums (primarily the tag). To eliminate the weakness, disable HTML in your phpbb forums.
Read the article for the full info."
Posted on Saturday, August 16 @ 10:00:00 CEST by Zhen-Xjell
 
Re: phpBB vulnerability (Score: 1)
by VinDSL on Sunday, August 17 @ 02:48:19 CEST
http://www.lenon.com/

Excuse me, but how is this any different than allowing HTML tags on the rest of the site, like this Comment Section for instance? And, if the HTML tags don't allow cross-site scripting in PHP-Nuke, why would they work in phpBB, but not the rest of the site?

Hrm... something doesn't add up here...



Re: phpBB vulnerability (Score: 1)
by intel352 on Sunday, August 17 @ 03:42:25 CEST
http://www.nukebbmods.net
i'm just pointing out the forum vulnerability... i dunno if the same vulnerability exists in nuke, but if the nuke html parser checks for stuff like javascript in urls, then maybe that stops the vulnerability....

no clue tho.

so, since BBCode is so much more secure, it'd be pretty interesting to see someone release a version of Nuke with bbcode support hacked in, with admin controls to enable/disable tags, etc

THAT would be nice ;)



Re: phpBB vulnerability (Score: 1)
by intel352 on Sunday, August 17 @ 03:44:03 CEST
http://www.nukebbmods.net
btw, in the news post, it says 'primarily the tag', that was meant to be 'primarily the [a] tag' (replace the brackets with regular html brackets)



Re: phpBB vulnerability (Score: 1)
by VinDSL on Sunday, August 17 @ 07:30:42 CEST
http://www.lenon.com/

I just went to my site and turned on HTML tags in phpBB. Then I tried to inject some JavaScript into a message. When I tried to preview it or save it, all it did was return me to the home page. Then I tried it with HTML turned off with the same result[s].

I'm 99.9% sure that it's being blocked by mainfile.php, so I don't think there's any problem with leaving HTML enabled in phpBB, as far as cross-site scripting is concerned, since it's wrapped in PHP-Nuke.

Now, in the standalone product, it may be a totally different situation. phpBB doesn't have Nuke to protect it... :)



Re: phpBB vulnerability (Score: 1)
by VinDSL on Sunday, August 17 @ 08:12:15 CEST
http://www.lenon.com/

Apologies to intel352!

I just reread the article and went back to my site and tested phpBB again. I turned on HTML and enabled the anchor tag. Then I injected the code again, but this time in HEX. Guess what? It didn't have any problem at all providing a link to a CGI script on my site. I would guess the meta character filters on phpBB aren't working right.

Good catch! I'm turning off HTML in phpBB and leaving it off...
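
The thread turns on the difference between a filter that looks for script in a link's URL and input submitted "in HEX". The PHP below is an added example, not phpBB or PHP-Nuke code and not from any poster: it contrasts a blocklist check on the raw value with an allowlist check on the decoded value. The function names and sample inputs are constructed, and it assumes "HEX" means hexadecimal HTML character references, which the thread does not specify.

```php
<?php
// Added illustration; not phpBB or PHP-Nuke code. Function names are hypothetical.

// Blocklist on the raw value: the kind of check that encoded input slips past.
function naive_href_ok(string $href): bool
{
    return stripos($href, 'javascript:') === false;
}

// Allowlist on the decoded value: decode the attribute once, as a browser
// would, drop characters browsers ignore inside URLs, then require http(s).
function safe_anchor(string $href, string $label): ?string
{
    $url = html_entity_decode($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $url = trim(preg_replace('/[\t\r\n]/', '', $url));
    if (!preg_match('#^https?://[^/]#i', $url)) {
        return null; // anything that is not plainly http(s) is refused
    }
    // Rebuild the tag from scratch so nothing of the submitted markup survives.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" rel="nofollow">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs (assumption: "HEX" means hex character references).
$samples = [
    'https://example.org/viewtopic.php?t=1&amp;p=2',
    'javascript:void(0)',
    '&#x6A;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3A;void(0)',
    "java\tscript:void(0)",
];
foreach ($samples as $s) {
    // Columns: blocklist verdict, allowlist verdict, input as submitted.
    printf("%-8s %-8s %s\n",
        naive_href_ok($s) ? 'pass' : 'block',
        safe_anchor($s, 'link') === null ? 'refuse' : 'allow',
        $s);
}
```

The last two samples pass the blocklist because the literal string it searches for never appears in the raw value, while the allowlist refuses them because the decoded value does not begin with `http://` or `https://`.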


Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)