You are missing our premiere tool bar navigation system! Register and use it for FREE!

•  Home •  Downloads •  Gallery •  Your Account •  Forums • 
Readme First
- Readme First! -

Read and follow the rules, otherwise your posts will be closed
· Home
· Buy a Theme
· Advertising
· AvantGo
· Bookmarks
· Columbia
· Community
· Donations
· Downloads
· Feedback
· Forums
· Private Messages
· Search
· Statistics
· Stories Archive
· Submit News
· Surveys
· Theme Gallery
· Top
· Topics
· Your Account
Who's Online
There are currently, 244 guest(s) and 0 member(s) that are online.

You are Anonymous user. You can register for free by clicking here
phpBB Cross Site Scripting Vulnerability
Securitysnake13 writes "For those people operating phpBB with HTML enabled we have been notified by Marvin Massih of a possible cross site scripting issue. It will affect primarily those who have enabled the (anchor tag) but it may impact certain other tags too depending on what functionality they offer.

The problem occurs because users may enter "javascript:" within a given url ... which can of course be used to grab local cookie (for example) information from the client.

At this time we advise everyone with HTML enabled to remove the a tag from the list of allowed tags (Admin Panel -> General -> Configuration -> Allowed tags). There really is no reason to allow the anchor tag anyway, BBCode provides appropriate functionality for linking."
Posted on Wednesday, August 20 @ 10:00:00 CEST by Zhen-Xjell
Related Links
· Computer Cops
· More about Security
· News by Zhen-Xjell

Most read story about Security:
PHP-Nuke admin.php security hole - PATCHED

Article Rating
Average Score: 5
Votes: 3

Please take a second and vote for this article:

Very Good


 Printer Friendly Page  Printer Friendly Page

 Send to a Friend  Send to a Friend

The comments are owned by the poster. We aren't responsible for their content.

No Comments Allowed for Anonymous, please register

Re: phpBB Cross Site Scripting Vulnerability (Score: 1)
by intel352 on Wednesday, August 20 @ 10:01:06 CEST
(User Info | Send a Message)
lol, i just submitted the same news a few days ago :-X

tho i just gave the link to the article

Word to the wise... (Score: 1)
by VinDSL on Wednesday, August 20 @ 19:34:52 CEST
(User Info | Send a Message)

And I can confirm this. I was able to perform CGI XSS with phpBB 2.0.6 using Javascript coded in hex. If nothing else, make sure the anchor tag is disabled in phpBB.

Re: phpBB Cross Site Scripting Vulnerability (Score: 1)
by Jeruvy on Thursday, August 21 @ 09:05:24 CEST
(User Info | Send a Message)
Here is the exploit as posted on Bugtraq by
Hi, I have found a dangerous vunlerability in phpBB. I've verified that versions 2.0.5 and 2.0.4 (AFAIK the two latest versions) are affected, but probably more versions are vulnerable. If HTML is enabled for postings, a user can post a link like this: Click me, I'm innocent If a user clicks it, his cookie will be sent to the attacker, which he can use to log on as the user if autologon is enabled. I reported this vulnerability to the phpBB developers (which wasn't that easy as they had trouble with their mail server), that was about three weeks ago. However, the developers don't want to fix it: "The main developer decided that this isn't a security issue, because it is not able to re-parse every single allowed html tag. The bbcode tag [url] is absolutely suitable for displaying urls, therefore allowing the a html tag is a risk the Administrator has to take." Again, I asked them to fix it, I couldn't believe they were serious. This time I told them they should do something soon - or at least tell me that they're working on it - , otherwise I'd finally publish the information. The response was: "Actually, after second thoughts I don't see this issue as a security flaw on our side, enabling unchecked HTML is taking the same risk as allowing users to use tags. I'm in favor of putting a notice warning the admin of the potential security risk when enabling given tags but trying to fix that on our side will cause more problems that it will solve." So, I'm publishing this information now, hoping that this will help. AFAIK a new version, 2.0.6 is out now, but as they refused fixing this issue I don't know if there is any difference. Regards, Marvin

Web site engine's code is Copyright © 2002 by PHP-Nuke. All Rights Reserved. PHP-Nuke is Free Software released under the GNU/GPL license.
Page Generation: 0.033 Seconds - 152 pages served in past 5 minutes. Nuke Cops Founded by Paul Laudanski (Zhen-Xjell)
:: FI Theme :: PHP-Nuke theme by coldblooded ( ::