
Local scripting vulnerability in phpBB

by Nikola Strahija on November 25th, 2002

phpBB is a high-powered, fully scalable, and highly customisable open-source bulletin board package. phpBB has a user-friendly interface, a simple and straightforward administration panel, and a helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.


Details:
There exists a problem with the filtering of content from user posts. It is
possible to configure phpBB2 to allow the use of certain HTML tags for text
formatting. These tags can contain further script code that is executed
on the client side (in the browser of anyone viewing the post). Such scripts
could be used to steal cookie information amongst other things.

Proof of Concept:
Post a message to any of the forums in a phpBB2 bulletin board containing
the following text.

This piece of text could be
dangerous if you were to move your mouse over it!

This piece of text could be dangerous
if you were to click it!

This piece of text could be dangerous if you
were to click it!


Suggested fix:
Disable the ability to post messages containing html and force users to use
BBCode instead.
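The two approaches the advisory contrasts, as an added Python illustration (not phpBB's own parser or fix): a naive "allowed tags" filter that checks only the tag name and so lets attributes on permitted tags through, next to a BBCode renderer that escapes the whole post before generating its own markup. The sample posts and function names are constructed for this example.

```python
import html
import re

# Constructed sample posts (the advisory's own proof-of-concept markup was
# stripped when the page was rendered, so these are illustrative only).
SAMPLE_HTML_POST = 'Hi <b onmouseover="alert(1)">there</b> <script>x()</script>'
SAMPLE_BBCODE_POST = ('Hi [b]there[/b] [url=http://example.com]site[/url] '
                      '[url=javascript:alert(1)]bad[/url] <b onmouseover="alert(1)">x</b>')

ALLOWED_HTML_TAGS = {"b", "i", "u"}
TAG_RE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)\b[^>]*>")


def naive_allowed_tag_filter(post):
    """Weak filter of the kind the advisory describes: a tag whose *name* is on
    the allow-list is passed through whole, attributes and all; other tags are
    escaped. Event-handler attributes on an allowed tag therefore survive."""
    def keep_or_escape(m):
        if m.group(2).lower() in ALLOWED_HTML_TAGS:
            return m.group(0)            # attributes are never inspected
        return html.escape(m.group(0))
    return TAG_RE.sub(keep_or_escape, post)


def contains_event_handler(markup):
    """Detection helper: does rendered markup still carry an on* attribute?"""
    return re.search(r"<[^>]*\son[a-z]+\s*=", markup, re.I) is not None


def render_bbcode(post):
    """The suggested fix: user HTML is never trusted. Escape the whole post
    first, then translate a fixed BBCode vocabulary into markup the server
    generates itself, so no user-supplied attribute reaches the browser."""
    out = html.escape(post, quote=True)
    for tag in ("b", "i", "u"):
        out = re.sub(rf"\[{tag}\](.*?)\[/{tag}\]", rf"<{tag}>\1</{tag}>", out, flags=re.S)

    def link(m):
        url, text = m.group(1), m.group(2)
        # Only plain http(s) links become anchors; anything else (for example a
        # javascript: URL) is downgraded to its visible text. Quotes in the URL
        # were already escaped above, so it is safe inside href="...".
        if re.match(r"https?://", url, re.I):
            return f'<a href="{url}">{text}</a>'
        return text
    return re.sub(r"\[url=([^\]\s]+)\](.*?)\[/url\]", link, out, flags=re.S)
```

Running both functions over the sample posts shows the naive filter still emitting the `onmouseover` attribute while the BBCode path emits only server-generated tags.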

Tested on:
phpBB2 2.0.3
Apache 1.3.23
php 4.1.2
mySQL 11.16
RedHat Linux 7.3

Vendor's response:
+ The solution is as stated ... disable HTML, BBCode should be more than
+ adequate for many users' needs (don't forget additional controls exist in
+ the form of Mods).

+ Will look @ backporting phpBB 2.2 code to this but
+ the parsers are quite different thus it may not be possible.


Pete Foster
Senior Consultant - Sec-Tec Ltd
www.sec-tec.co.uk

