On Tue, Dec 27, 2005 at 11:19:36PM +0100, Thijs Kinkhorst wrote:
> Hello Moritz,
>
> On Sat, December 24, 2005 16:02, Moritz Muehlenhoff wrote:
> > The mentioned path disclosure is obviously not a problem, but does
> > the described XSS issue have real-world security implications?
>
> Sorry for not getting back to you earlier, this is due to the holidays.
> Hope you had a nice time.
>
> I have not yet tested the code, however, if it works, it's a real-world
> XSS problem. But, from a first look it seems to require 'Allow HTML' to be
> turned on. This is turned off by default on Debian and we warn in every
> possible flashy way about not turning this on unless your environment is
> completely trusted.
>
> I'll try to confirm this soon, but if it's the case that this can only be
> exploited with 'Allow HTML' on, I'm inclined not to fix it for sarge. We
> will fix it for sid in that case of course.
I agree with Thijs' assessment here. A very similar issue came up before sarge was released, which I decided at that time (2.0.13(+1)-5, corresponding to upstream's 2.0.14 security updates) to solve by adding the above-mentioned flashy (though non-shockwave) warning -- phpBB doesn't have adequate support for filtering HTML into something XSS-safe, and never has, and it does have a reasonably adequate alternative ("bbcode"), so the feature is labeled as 'for internal, trusted-users-only use', and defaults to off.

The actual text of the warning is:

| Warning: enabling this will always expose your users to cross-site
| scripting, use only in fully trusted environments

Security team, if you wish, you can add CVE-2005-4357 to the list of non-vulns, or wontfix, security issues, whatever is most appropriate.

Thanks,
--Jeroen

--
Jeroen van Wolffelaar
[EMAIL PROTECTED]
http://jeroen.A-Eskwadraat.nl
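The design point Jeroen makes above, that raw "Allow HTML" cannot be made XSS-safe by filtering while a bbcode-style markup can, is illustrated by the following added example. It is not phpBB's own code and not part of the thread; the tag set, the `allow_html` flag name and the sample posts are assumptions constructed for illustration. The bbcode path escapes the whole post first and only then translates a small whitelist of tags back into HTML, so nothing the user typed ever reaches the browser as markup.

```python
import html
import re
from typing import Optional

# Illustrative renderer, not phpBB's implementation. The whitelist of bbcode tags
# and the `allow_html` switch are assumptions chosen for this example.
_SIMPLE_TAGS = {"b": "strong", "i": "em", "u": "u"}
_URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.DOTALL | re.IGNORECASE)


def _safe_href(raw: str) -> Optional[str]:
    # Accept only plain http(s) URLs; any other scheme is refused rather than
    # "cleaned", since the text is already HTML-escaped when we get here.
    candidate = raw.strip()
    if re.fullmatch(r"https?://[^\s\"'<>]+", candidate):
        return candidate
    return None


def render_bbcode(text: str) -> str:
    """Escape everything, then translate a short whitelist of bbcode tags."""
    out = html.escape(text, quote=True)
    for tag, element in _SIMPLE_TAGS.items():
        out = re.sub(
            rf"\[{tag}\](.*?)\[/{tag}\]",
            rf"<{element}>\1</{element}>",
            out,
            flags=re.DOTALL | re.IGNORECASE,
        )

    def url_repl(m: "re.Match[str]") -> str:
        href = _safe_href(m.group(1))
        label = m.group(2)
        if href is None:
            return label  # drop the link, keep its (already escaped) text
        # href is taken from already-escaped text, so quotes and ampersands are safe
        return f'<a href="{href}">{label}</a>'

    return _URL_RE.sub(url_repl, out)


def render_post(text: str, allow_html: bool = False) -> str:
    """The two configurations side by side: the weak one passes markup through."""
    if allow_html:
        # 'Allow HTML' on: whatever the user typed is emitted as-is. This is the
        # configuration the warning in the message above tells admins to leave off.
        return text
    return render_bbcode(text)


if __name__ == "__main__":
    # Constructed sample post containing both bbcode and a script tag.
    sample = "[b]hello[/b] <script>alert(1)</script> [url=javascript:alert(1)]x[/url]"
    print("allow_html=True :", render_post(sample, allow_html=True))
    print("allow_html=False:", render_post(sample, allow_html=False))
```

With `allow_html=False` the script tag is rendered inert as `&lt;script&gt;` and the non-http link is reduced to its label, while the bold tag still becomes `<strong>`; with `allow_html=True` the post is returned untouched, which is exactly why the default is off.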