Not affiliated with or endorsed by the phpBB Group
The Final phpBB 2 Security Vulnerability
Mrs Moo Moo (Board Member, joined 09 Mar 2009, 21 posts)
Posted: Sat Jun 20, 2009 2:54 am
Post subject: Re: The Final phpBB 2 Security Error

It doesn't. The session identifier is only used on the confirmation screen because phpBB hasn't confirmed whether cookies are enabled in your browser yet.

Plus there aren't any external images or links on the Index Page (and that includes redirects - it links to viewforum.php and does an HTTP redirect).
aswegeegew (Board Member, joined 15 Sep 2009, 3 posts)
Posted: Tue Sep 15, 2009 7:29 pm
Post subject: Re: The Final phpBB 2 Security Error

---
Ptirhiik (Board Member, joined 19 Nov 2008, 114 posts)
Posted: Tue Sep 15, 2009 8:09 pm
Post subject: Re: The Final phpBB 2 Security Error

Actually you need the sid when the user does not accept cookies. Check session.php to see in which case, and how to use it (check the append_sid function).
aswegeegew (Board Member, joined 15 Sep 2009, 3 posts)
Posted: Tue Sep 15, 2009 10:22 pm
Post subject: Re: The Final phpBB 2 Security Error

---
Ptirhiik (Board Member, joined 19 Nov 2008, 114 posts)
Posted: Wed Sep 16, 2009 7:55 pm
Post subject: Re: The Final phpBB 2 Security Error

I think the best way to proceed is to make the sid change at each hit of the modcp page (or admin page): this way, even if someone tries to hijack it, they will fall onto one that is no longer valid. I'm not really fond of reading a file without having validated it against what is expected, even just to pass it straight through to the user, or of generating a redirection to an unsanitized URL. Both open the user to XSS-type attacks ;)
aswegeegew (Board Member, joined 15 Sep 2009, 3 posts)
Posted: Wed Sep 16, 2009 10:49 pm
Post subject: Re: The Final phpBB 2 Security Error

---
Sylver Cheetah 53 (Board Member, joined 17 Dec 2008, 426 posts, Location: Milky Way)
Posted: Wed Sep 30, 2009 11:16 am
Post subject: Re: The Final phpBB 2 Security Error

I don't understand one thing. Maybe I am silly, but this is what I think:
So. We have a bug which lets people steal the SID. Then we got a fix which makes the SID turn into p_SID when accessing the moderator or admin panel. So what this does is not let the intruder access them, right? But he could still delete some posts or something... without the admin panel. And the most important: he could access the personal profile page, right? So wouldn't he be able from there to just change the password and then simply access the admin panel?

I am just an amateur, but I would really like to better understand this issue. :)

hsudhof (Board Member, joined 01 Oct 2009, 1 post)
Posted: Thu Oct 01, 2009 7:51 pm
Post subject: Re: The Final phpBB 2 Security Error

Tranquility wrote:
Anyway, upon reading this thread, I saw that phpBB group had released a "fix", a half-assed fix that could be called silly at best. As stated above, their fix doesn't even completely secure you from the suggested attack.
This is incredibly easy to patch by yourself, and in a far more adequate way.

It should be noted that no fix was ever released, as the architecture of phpBB2 doesn't allow any easy way to fix it. Calling the workaround implemented in the 2.0 svn "silly" is a bit like the pot calling the kettle black. Your proposed fix has a few flaws: it won't do anything about images, which are the actual problem. Even worse, it won't work in many browsers - not sending a referrer on meta refresh is a Firefox/IE thing.

@Sylver Cheetah 53: The svn workaround only protects the areas that have the SID appended even if cookies are enabled. These areas are the MCP and the ACP. While the SID is in the url on login, it is not trivial for an attacker to find out which sid belongs to a privileged user - acp or mcp referrers were a dead giveaway. This is why the SID is no longer in the url for those pages. The p_sid is under no circumstances enough to hijack a session and disables hotlinking if in the url. It's no solution, it is an early draft of a workaround.

@Ornette: phpBB3 is vastly different, as it has strong safeguards against CSRF built in. You won't find an action in phpBB3 where you can do anything with just a sid.
Mrs Moo Moo (Board Member, joined 09 Mar 2009, 21 posts)
Posted: Fri Oct 02, 2009 5:00 am
Post subject: Re: The Final phpBB 2 Security Error

Sylver Cheetah 53 wrote:
And the most important: he could access the personal profile page, right?

But he couldn't change the password, because you need to enter your current password to be able to change it.

Probably the best way to avoid the vulnerability is to not have anything external from the site - only upload avatars, rather than linking them remotely, and make a rule to only allow images to be uploaded, rather than using the [img][/img] BBCode.
And avoiding proxies is also a big one - if a member didn't have cookies, and accessed a page with a remotely linked avatar or image (which a hacker was tracking), he could easily find the user's SID and use his account.
Acaria (Board Member, joined 20 Feb 2009, 238 posts)
Posted: Fri Aug 06, 2010 1:49 am
Post subject: Re: The Final phpBB 2 Security Error

Just wondering if a fix for this has been found yet?

A friend of mine has a board that became vulnerable to this. One of the Mods locked a topic, user hijacked his sid, and had fun in the forums. Luckily there was a db backup from just a few hours before, so not much harm was done in the end.

I disabled the [img][/img] tags by only allowing the posting of images hosted on the site (attachments) as a temporary fix.

Is there any way to do a check before the page is loaded to see if the src in an [img] tag is going to load an actual image? I'm thinking that another level of authorization could be added to the post submission that will check if [img] tags exist and, if they do, see if they're actual images. If they're scripts, web pages, blank pages, or really anything besides an actual image just deny the posting.

But I don't know if that's possible.
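A form of the check Acaria asks about above, as an added example in Python (not phpBB's own code): rather than fetching each URL to see whether it returns an image, it accepts an [img] URL only when it points at the board's own attachment host and names an image file, which is the attachments-only rule Acaria applied. The host forum.example.com and the sample post are constructed placeholders.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholder: the host(s) the board itself serves attachments from.
ALLOWED_IMAGE_HOSTS = {"forum.example.com"}
IMAGE_EXTENSIONS = (".png", ".gif", ".jpg", ".jpeg")

# Matches [img]...[/img] in any letter case, as phpBB2 accepts the tag.
IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def img_urls(bbcode: str) -> List[str]:
    """Return every URL wrapped in [img] tags in a post body."""
    return [url.strip() for url in IMG_TAG.findall(bbcode)]


def check_img_url(url: str) -> Optional[str]:
    """Return None if the URL may be embedded, otherwise a short reason to reject it.

    The check is purely syntactic and never fetches the URL: a remote server can
    answer with an image while the post is being checked and with a redirect or
    a tracking script later, so a fetch at submission time proves nothing lasting.
    """
    try:
        parts = urlsplit(url)
        host = parts.hostname  # raises ValueError on malformed netlocs
    except ValueError:
        return "unparsable URL"
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme is not http(s)"
    # hostname ignores any user:pass@ prefix, so "forum.example.com@evil.example"
    # is seen for what it is: a request to evil.example.
    if host is None or host.lower() not in ALLOWED_IMAGE_HOSTS:
        return "remote host not allowed"
    if not parts.path.lower().endswith(IMAGE_EXTENSIONS):
        return "path does not name an image file"
    if parts.query or parts.fragment:
        return "query string or fragment not allowed"
    return None


def validate_post(bbcode: str) -> List[Tuple[str, str]]:
    """Return (url, reason) for each [img] URL that should block submission."""
    rejected = []
    for url in img_urls(bbcode):
        reason = check_img_url(url)
        if reason is not None:
            rejected.append((url, reason))
    return rejected
```

Run `validate_post()` on the submitted message text before it is stored and refuse the post when the list is non-empty; the rejection reasons are suitable for showing back to the poster.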

Acaria (Board Member, joined 20 Feb 2009, 238 posts)
Posted: Mon Aug 09, 2010 7:17 am
Post subject: Re: The Final phpBB 2 Security Error

I've been working on this and it's not coming along as easily as I thought it would. I've been trying to develop something that will validate that the url between [img] tags refers to only an image, but I'm not having much luck. I think I need to have it actually download the info from the url to test it, but that could open up a hole for security exploits. I need help. :(
Dog Cow (Board Member, joined 18 Nov 2008, 378 posts)
Posted: Mon Aug 09, 2010 6:10 pm
Post subject: Re: The Final phpBB 2 Security Error

Acaria wrote:
Just wondering if a fix for this has been found yet?
Read the first post again. The fix is provided in phpBB 2.0.24, which was never released.

Acaria (Board Member, joined 20 Feb 2009, 238 posts)
Posted: Mon Aug 09, 2010 8:07 pm
Post subject: Re: The Final phpBB 2 Security Error

*facepalm*

Thank you DogCow. I'll add these changes immediately! icon_smile.gif
ABDev (Board Member, joined 01 Jun 2009, 38 posts)
Posted: Mon Aug 09, 2010 10:24 pm
Post subject: Re: The Final phpBB 2 Security Error

Does someone have the information for the [img] tag issues? I'm searching on Google about that in order to see the impact and fix it, but I find nothing.
Acaria (Board Member, joined 20 Feb 2009, 238 posts)
Posted: Tue Aug 10, 2010 12:09 am
Post subject: Re: The Final phpBB 2 Security Error

Do you mean the security flaw in it? Here's how it can work out unfixed:

Let's say you want to hack a board. You write a simple script to take the full URL in the browser of the attacked victim. You put it in the [img][/img] tags, which loads the script into the page, allowing it to have its intended effect. To do real damage, you post this in a thread you know will be locked. You know, some kind of random spam. When a Mod (or, if they're lucky, an Admin) locks the thread, he is sent back to the thread displaying his current SID in the URL. This URL is sent to the hacker through his script, so he has the guy's SID.

With an SID, you can do anything that user could do so long as the session is still active. So when a Mod locks it, they take a ride on their SID and have full access to the ModCP. If an Admin locks it, they're in your board's control panel.

This happened to a friend of mine's board and it can be very destructive. Imagine the deletion of all posts on your board!
Page 11 of 14 All times are GMT