From: stopavto-work at yahoo dot com Operating system: any PHP version: 4.4.0 PHP Bug Type: Unknown/Other Function Bug description: vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability
Description: ------------ vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability 08/22/2005 Saw this one on www.waraxe.us (Discovered by Easyex) and i was thinking if there are some more possibilities using the method described. The POC below is for phpBB. - make yourself a folder on your host rename the folder to signature.jpg this will trick bbcode that its an image file. example http://sitewithmaliciouscode/signature.jpg inside that folder .. put this code .. and rename it to index.php file. Quote: <?php header("Location: http://hosttobeexploited/phpBB/login.php?logout=true";); exit; ?> this will make every visitor getting logout when they view the thread that have image linked to this. This seems to be working on almost all the scripts using BBcode. Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the image link to the folder with the malicious code as the forum signature. What i was wondering is there anything more serious than logging out the users that can be done with this? The admin folders of ipb and phpbb need reauthentication. So nothing serious for them but anything more innovative that could be done? And any way to fix this? Regards, -- http://www.h4cky0u.org (In)Security at its best... -- Edit bug report at http://bugs.php.net/?id=34224&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=34224&r=trysnapshot4 Try a CVS snapshot (php5.0): http://bugs.php.net/fix.php?id=34224&r=trysnapshot50 Try a CVS snapshot (php5.1): http://bugs.php.net/fix.php?id=34224&r=trysnapshot51 Fixed in CVS: http://bugs.php.net/fix.php?id=34224&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=34224&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=34224&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=34224&r=needscript Try newer version: http://bugs.php.net/fix.php?id=34224&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=34224&r=support Expected behavior: http://bugs.php.net/fix.php?id=34224&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=34224&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=34224&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=34224&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=34224&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=34224&r=dst IIS Stability: http://bugs.php.net/fix.php?id=34224&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=34224&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=34224&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=34224&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=34224&r=mysqlcfg
