JeiAr (Site Admin)
Joined: 26 Nov 2021    Posts: 207
Posted: Thu Mar 25, 2022 4:49 am    Post subject: phpBB 2.0.7a And Earlier Exploitation
Ya know, I was thinking about something. Let's say a board has 10,000 posts and five admins. If you sent each admin 2,000 image links in a private message, you could wipe out the entire board. In a lot of cases they would be so confused by seeing 2,000 broken images in their PM that they would probably watch it long enough for most, and maybe all, of the 2,000 delete requests to be executed.
Now maybe some people will see why I was just astonished by this:
Quote:
    As I made clear in correspondence with this user the issues raised are of very very low priority in mine and others opinions. I'll explain why ...
http://www.gulftech.org/vuln/phpBBhuh.mht
_________________
GulfTech Research And Development
Aapje (Lurker)
Joined: 24 Mar 2022    Posts: 4
Posted: Thu Mar 25, 2022 1:33 pm    Post subject: Re: phpBB 2.0.7a And Earlier Exploitation
JeiAr wrote:
    Ya know, I was thinking about something. Let's say a board has 10,000 posts and five admins. If you sent each admin 2,000 image links in a private message, you could wipe out the entire board. In a lot of cases they would be so confused by seeing 2,000 broken images in their PM that they would probably watch it long enough for most, and maybe all, of the 2,000 delete requests to be executed.
    Now maybe some people will see why I was just astonished by this:
    Quote:
        As I made clear in correspondence with this user the issues raised are of very very low priority in mine and others opinions. I'll explain why ...
    http://www.gulftech.org/vuln/phpBBhuh.mht
Well, 1000 lines are 80 KB, 1,100,000 are 90 MB, so it is possible to send them 5000 lines. They have 960,000 posts, so it would delete the last 5000 posts. Also, on phpnuke.org I'm going to test if I can make myself admin.
JeiAr (Site Admin)
Joined: 26 Nov 2021    Posts: 207
Posted: Fri Apr 02, 2022 2:46 am
It should also be noted that while phpBB did fix it so that you would have to use malicious links instead of malicious images to delete posts and the like (some fix, huh?), there is one place that they did not fix, and that is the option to link your avatar to an offsite file. You can just throw a command in there and it will be executed when a user views a post or your profile.
_________________
GulfTech Research And Development
Obscurity (Lurker)
Joined: 24 Mar 2022    Posts: 8
Posted: Fri Apr 02, 2022 5:45 am
Is the exploit only for post deletions? I would assume not, and that it would be able to pursue other injections such as setting one to SAdmin, etc. Just checking; it's 3:30am and I'm pretty bored.
JeiAr (Site Admin)
Joined: 26 Nov 2021    Posts: 207
Posted: Thu Apr 15, 2022 9:41 pm
Yeah, you can take over accounts. Here is an example.
Code:
<html>
<head>
<script>
<!--
// Submit the hidden form as soon as the page has loaded. The victim's
// browser attaches its own session cookie to the POST, so the board
// treats the request as the victim's action.
function submit () {
    document.getElementById('login_form').submit();
}
//-->
</script>
</head>
<body onLoad='submit();'>
<!-- action: the board URL that processes the form you want to forge -->
<form method="post" action="http://someurl" autocomplete="off" name="login_form" id="login_form">
<!-- Put your Evil Form Shit Here! -->
<input type="hidden" name="blah" value="1">
<!-- / Put your Evil Form Shit Here! -->
</form>
</body>
</html>
Once a link is visited the form is submitted and the commands are executed due to improper session auth.
_________________
GulfTech Research And Development
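As an added example (not from the post above and not phpBB's code) of what "improper session auth" means in practice and of the check that defeats an auto-submitted form like the one above: a session-bound, action-bound, expiring HMAC token that the board embeds in its own forms and verifies on every state-changing POST. The victim's browser adds the session cookie to the forged POST automatically, but the attacker's page cannot include a token it never received. SERVER_SECRET, the session ids, the `form_token` field name and the `profile` action are all constructed for this example.

```python
"""Added example, not phpBB's code: a per-session, per-action form token
that stops the auto-submitting CSRF form. All names here are constructed."""
import hashlib
import hmac
import os
import time

SERVER_SECRET = os.urandom(32)   # constructed; a real deployment keeps this fixed and private
TOKEN_TTL = 3600                 # seconds a minted token stays valid


def _mac(session_id: str, action: str, issued: int) -> str:
    """HMAC over everything the token must be bound to: who, what, when."""
    msg = f"{session_id}|{action}|{issued}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def make_token(session_id: str, action: str, now=None) -> str:
    """Value the board writes into a hidden field when it renders its own form."""
    issued = int(time.time() if now is None else now)
    return f"{issued}.{_mac(session_id, action, issued)}"


def verify_token(token: str, session_id: str, action: str, now=None) -> bool:
    """False if the token is malformed, expired, minted for another session or
    action, or tampered with. The MAC compare is constant-time."""
    issued_str, _, mac = token.partition(".")
    if not issued_str.isdigit() or not mac:
        return False
    issued = int(issued_str)
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued <= TOKEN_TTL:
        return False
    return hmac.compare_digest(mac, _mac(session_id, action, issued))


class ProfileHandler:
    """Stand-in for a profile-update action. cookie_session_id is what the
    browser sends on its own; form is the POST body, which the attacker
    controls completely in the CSRF case."""

    def __init__(self, email: str):
        self.email = email

    def handle_post(self, cookie_session_id: str, form: dict, now=None) -> int:
        token = form.get("form_token", "")
        if not verify_token(token, cookie_session_id, "profile", now):
            return 403              # cookie alone is not proof the user meant this
        self.email = form["email"]
        return 200


if __name__ == "__main__":
    victim_sid = "sid_victim_7f3a"          # constructed session id
    handler = ProfileHandler("admin@board.example")

    # The board's own form carries a token minted for the victim's session.
    legit = {"form_token": make_token(victim_sid, "profile"), "email": "new@board.example"}
    print("legit form:", handler.handle_post(victim_sid, legit))            # 200

    # The attacker's auto-submitted form: victim's cookie, no usable token.
    forged = {"email": "attacker@evil.example"}
    print("forged form:", handler.handle_post(victim_sid, forged))          # 403

    # Even a token the attacker minted for their own session does not transfer.
    forged["form_token"] = make_token("sid_attacker", "profile")
    print("forged with attacker token:", handler.handle_post(victim_sid, forged))  # 403
    print("email is still", handler.email)
```

Checking the token against the session cookie is what ties the request to a page the board itself served; checking the Referer or the URL's file extension, which is what the thread says phpBB relied on, proves nothing about where the request came from.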
tautology (Lurker)
Joined: 19 Aug 2021    Posts: 7
Posted: Thu Aug 19, 2021 11:06 pm
What I have noticed is that you can put an image in your signature or avatar that appears to be a valid image URL, but it is really a script which HTTP redirects to one of those malicious URLs. The admin would have a very difficult time finding out which URL caused this, or even suspecting that it was a redirect in the first place. You could have the URL redirect to delete a random post ID, and as the admins browse, random posts get deleted, and the admins might suspect a database issue first, or maybe they will just cast it off as people being stupid and thinking that their posts were disappearing. I completely agree that the vulnerability you found is a serious issue. Anyone who has read the HTTP spec has been warned about it. It is silly.
I just posted about the use of HTTP redirects on phpBB's security tracker, to show them how easy it is to hide such an attack. Both phpBB and XMB have vulnerable logout URLs, and I have notified both phpBB and XMB that I think that just the logout URL alone being vulnerable, due to how easy it is to hide the attack, is a serious issue, since it would be so difficult to stop.
When I read your post about this issue a few months ago, I thought of using HTTP redirects here. I figured that phpBB used your provided patch, since it stops HTTP redirects from working, but in the last few days I checked up on it, and it appears that they still rely on the stupid extension checker, at least for logout. That is just silly. I have image URLs that have no extension, and I want those to work. They should just follow the standards.
HTTP redirects mixed with vulnerabilities like the one you found make attacks that are very effective and difficult to trace, and I think it should be brought up again.
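The redirect trick described in the post above, as an added example that is not part of any post in this thread and not phpBB's code: a toy board in Python with the same cookie-authenticated GET delete and GET logout that the image-tag PM and avatar attacks earlier in the thread rely on, an extension-only [img] filter of the shape the thread calls the "extension checker", and an attacker host whose `pretty.jpg` answers with a 302 into the board. The hostnames, paths, parameter names (`mode=delete&p=`, `logout=true`) and the filter's exact shape are assumptions. The `hardened` flag shows the minimum that closes the image/redirect path: no side effects on GET.

```python
"""Added example (not phpBB's code): why filtering [img] URLs by extension
does not stop the image-tag CSRF discussed in this thread.

Everything is constructed: board.example is a toy board whose delete and
logout actions fire on a cookie-authenticated GET, evil.example is an
attacker host, and fetch_image() behaves like a browser loading <img>.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

IMAGE_EXTENSIONS = {".gif", ".jpg", ".jpeg", ".png"}
MAX_REDIRECTS = 5
REDIRECTS = (301, 302, 303, 307, 308)


def img_url_allowed(url: str) -> bool:
    """Extension-only check of the kind the thread complains about (assumed
    shape; the real phpBB code is not on the page). It only ever sees the
    URL as written, never where the fetch actually ends up."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return ext in IMAGE_EXTENSIONS


class Board:
    """Toy board.example. hardened=False: delete/logout on any GET carrying
    the admin's cookie. hardened=True: those actions refuse anything but POST."""

    def __init__(self, hardened: bool = False):
        self.hardened = hardened
        self.posts = {1: "first", 2: "second", 3: "third"}
        self.admin_logged_in = True

    def handle(self, method: str, path: str, query: dict, has_cookie: bool):
        """Returns (status, redirect_location)."""
        if path == "/posting.php" and query.get("mode") == ["delete"]:
            if self.hardened and method != "POST":
                return 405, None                      # no side effects on GET
            if has_cookie and self.admin_logged_in:
                self.posts.pop(int(query["p"][0]), None)
            return 200, None
        if path == "/login.php" and "logout" in query:
            if self.hardened and method != "POST":
                return 405, None
            if has_cookie:
                self.admin_logged_in = False
            return 200, None
        return 404, None


def attacker_host(path: str):
    """evil.example: the URL looks like an image, the response is a redirect
    into the board. The admin's browser follows it and adds its cookie."""
    if path == "/pretty.jpg":
        return 302, "http://board.example/posting.php?mode=delete&p=2"
    if path == "/avatar.png":
        return 302, "http://board.example/login.php?logout=true"
    return 404, None


def fetch_image(board: Board, url: str) -> int:
    """Simulate the victim's browser rendering <img src=url>: always GET,
    follows redirects, sends the board cookie only to board.example.
    Returns the final HTTP status (0 if the chain never terminates)."""
    for _ in range(MAX_REDIRECTS + 1):
        u = urlsplit(url)
        if u.hostname == "board.example":
            status, location = board.handle("GET", u.path, parse_qs(u.query), True)
        elif u.hostname == "evil.example":
            status, location = attacker_host(u.path)
        else:
            return 0
        if status in REDIRECTS and location:
            url = location
            continue
        return status
    return 0


if __name__ == "__main__":
    pm_images = ["http://evil.example/pretty.jpg", "http://evil.example/avatar.png"]
    for hardened in (False, True):
        board = Board(hardened)
        for src in pm_images:
            # The [img] filter passes both URLs; only the hardened board survives.
            status = fetch_image(board, src) if img_url_allowed(src) else "blocked"
            print(f"hardened={hardened} {src} -> {status}")
        print("   posts left:", sorted(board.posts), "admin logged in:", board.admin_logged_in)
```

Run it and the unhardened board loses post 2 and logs the admin out from two image loads that both pass `img_url_allowed`; the hardened board answers 405 to the redirected request because an <img> fetch, and everything a redirect chain from it reaches, is always a GET. That is only the part an extension filter cannot give you, not a complete CSRF fix: a page can still POST, as the auto-submitting form earlier in the thread shows, so state-changing POSTs need a session-bound token as well.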
JeiAr (Site Admin)
Joined: 26 Nov 2021    Posts: 207
Posted: Thu Aug 19, 2021 11:47 pm
Yeah, and to this day they are still vuln to cross-site request forgeries.
_________________
GulfTech Research And Development
tautology (Lurker)
Joined: 19 Aug 2021    Posts: 7
Posted: Sun Sep 12, 2021 1:43 pm
I was very polite in my report, and never said anything like "dumb". I finally got a reply from "Acyd Burn":
Quote:
    We know what is possible and I do not want to re-iterate everything here.
    We get these "reports" from time to time where "smart" people remind us that we are too dumb to fix the img bbcode issues properly. Do you not think we are able to think up the possibilities of this? But at one point you are not gaining much if you implement other measures; at one point you are not gaining more security.
    We have been through this many times. Closed.
I don't understand why they don't just apply your patch. It is not very big, and it isn't hard to understand. I don't understand what the big deal is. Seems like it is entirely a pride issue because of their bad experience with security people making fun of them or something.
The "you are not gaining more security" comment is a joke. The "other measures" are simple. It is as if he thinks it is something really obscure. The HTTP spec itself warns against it. It looks like it is time for some PoC code to walk all over it, and see him say "not gaining much security" then.
I would respect someone much more having a huge vuln and fixing it than this medium vuln and being too stubborn to fix it. "Do you not think we are able to think up the possibilities of this?" Well, I assumed that if they could think of that stuff, they wouldn't be writing code that would let those possibilities exist, because I assumed they would care.
K9 (Lurker)
Joined: 24 Aug 2021    Posts: 1
Posted: Tue Sep 14, 2021 5:01 pm
Excellent post. I watch from afar what you guys are doing; please keep up the good work.
I'm curious: is it possible for this exploit to run an ActiveX control on the HTTP redirect? If so then the implications really are limitless in how much damage could be done to client-side computers.
K9
_________________
Leaders are like eagles. We don't have either of them here.
JeiAr (Site Admin)
Joined: 26 Nov 2021    Posts: 207
Posted: Tue Sep 14, 2021 8:57 pm
Well, as I have shown in the past, the easiest way to do that is just to link an external script. For example, look at my LiveWorld PoCs; I could have used them to spoof login forms, steal cookies, and much more.
BTW, thanks for the kind words.
_________________
GulfTech Research And Development