Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22

2007-01-13 Thread Thijs Kinkhorst
Hi,

Here are the relevant patches, isolated from the upstream release.

On Sun, 2007-01-07 at 20:00 +0100, Thijs Kinkhorst wrote:
 Hi,
 
 Thank you. I'm aware of the new release, but need to backport the
 changes given that we're in a freeze.
 
  CVE-2006-6841:
  Certain forms in phpBB before 2.0.22 lack session checks
 
 This is Cross Site Request Forgery.

Indeed counter-CSRF, attached as sid.diff.

  CVE-2006-6840:
  Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
  and remote attack vectors related to a negative start parameter.
 
 This does not seem to warrant an update on its own: everything about it
 is unknown.

Still unknown how it can be exploited, but the diff is attached and seems
quite harmless. Fix just in case? start.diff

  CVE-2006-6839:
  Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
  and remote attack vectors related to criteria for 'bad' redirection
  targets.
 
 This is very vague again. Summarizing all three I do not see a 'grave'
 issue between them, but will see what the patches look like and whether
 they're acceptable for etch at this point.

Attached as redir.diff, also seems quite harmless to include.

In #402140:
 1) The application allows users to send messages via HTTP requests
 without performing any validity checks to verify the request. This can
 be exploited to send messages to arbitrary users by e.g. tricking a
 target user into visiting a malicious website.

I'm quite sure that this is a duplicate of the CSRF above.

 2) Input passed to the form field Message body in privmsg.php is not
 properly sanitised before it is returned to the user when sending
 messages to a non-existent user. This can be exploited to execute
 arbitrary HTML and script code in a user's browser session in context
 of an affected site.

Attached as privmsg.diff.

I think this is it. Jeroen: opinions on what to upload?


Thijs
diff -Nur phpBB2.0.21/privmsg.php phpBB2.0.22/privmsg.php
--- phpBB2.0.21/privmsg.php	2006-06-09 16:29:43.0 +0200
+++ phpBB2.0.22/privmsg.php	2006-12-19 18:29:16.0 +0100
@@ -1376,7 +1385,7 @@
 
 		$privmsg_subject = ( isset($HTTP_POST_VARS['subject']) ) ? trim(htmlspecialchars(stripslashes($HTTP_POST_VARS['subject']))) : '';
 		$privmsg_message = ( isset($HTTP_POST_VARS['message']) ) ? trim($HTTP_POST_VARS['message']) : '';
-		$privmsg_message = preg_replace('#textarea#si', 'lt;textareagt;', $privmsg_message);
+		// $privmsg_message = preg_replace('#textarea#si', 'lt;textareagt;', $privmsg_message);
 		if ( !$preview )
 		{
 			$privmsg_message = stripslashes($privmsg_message);
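Review bot: with the textarea replacement gone, $privmsg_message leaves this block with no escaping at all, whereas $privmsg_subject two lines above is passed through htmlspecialchars() at input time; that is only safe if every path that later renders the message into a template escapes it, and this patch adds such an escape for the error branch alone (last hunk of this file). Please confirm the preview and normal compose paths are covered too, or escape here. Also delete the line instead of leaving `// $privmsg_message = preg_replace(...)` in place: a commented-out filter is easily mistaken for a live one on a later read.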
@@ -1480,7 +1489,7 @@
 			}
 			
 			$privmsg_message = str_replace('br /', \n, $privmsg_message);
-			$privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
+			// $privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
 
 			$user_sig = ( $board_config['allow_sig'] ) ? (($privmsg['privmsgs_type'] == PRIVMSGS_NEW_MAIL) ? $user_sig : $privmsg['user_sig']) : '';
 
@@ -1523,7 +1532,7 @@
 
 $privmsg_message = preg_replace(/\:(([a-z0-9]:)?)$privmsg_bbcode_uid/si, '', $privmsg_message);
 $privmsg_message = str_replace('br /', \n, $privmsg_message);
-$privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
+// $privmsg_message = preg_replace('#/textarea#si', 'lt;/textareagt;', $privmsg_message);
 $privmsg_message = preg_replace($orig_word, $replacement_word, $privmsg_message);
 
 $msg_date =  create_date($board_config['default_dateformat'], $privmsg['privmsgs_date'], $board_config['board_timezone']); 
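Review bot: on the first line of this hunk $privmsg_bbcode_uid is interpolated into the pattern without preg_quote(); if it is always the application-generated uid that is harmless, but preg_quote($privmsg_bbcode_uid, '/') costs nothing and keeps a malformed uid from changing the regex. Note also that the word censor (`preg_replace($orig_word, $replacement_word, $privmsg_message)`) now runs on a message whose only escaping this patch removed, so whatever HTML escaping is applied before the value reaches the template must come after this line, not before it. Same request as for the earlier hunks: delete the commented-out line.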
@@ -1650,6 +1659,7 @@
 	//
 	if ($error)
 	{
+		$privmsg_message = htmlspecialchars($privmsg_message);
 		$template-set_filenames(array(
 			'reg_header' = 'error_body.tpl')
 		);
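Review bot: `htmlspecialchars($privmsg_message)` without flags uses ENT_COMPAT, which converts double quotes but leaves single quotes alone; if error_body.tpl or the re-displayed compose form places the value inside a single-quoted attribute, a payload of the form `' onmouseover='...` survives. Use `htmlspecialchars($privmsg_message, ENT_QUOTES)` (adding the charset argument on PHP versions that accept one). Also check whether $privmsg_message can already be escaped on the way into this branch, since the subject is escaped at input time in the first hunk and a second pass here would show the user `&amp;lt;` instead of their text.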
diff -Nur phpBB2.0.21/includes/functions.php phpBB2.0.22/includes/functions.php
--- phpBB2.0.21/includes/functions.php	2006-06-09 16:29:41.0 +0200
+++ phpBB2.0.22/includes/functions.php	2006-12-19 18:29:15.0 +0100
@@ -917,7 +917,7 @@
 		$db-sql_close();
 	}
 
-	if (strstr(urldecode($url), \n) || strstr(urldecode($url), \r))
+	if (strstr(urldecode($url), \n) || strstr(urldecode($url), \r) || strstr(urldecode($url), ';url'))
 	{
 		message_die(GENERAL_ERROR, 'Tried to redirect to potentially insecure url.');
 	}
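Review bot: the new `';url'` test is a case-sensitive strstr() on a redirect target, so `;URL`, `;Url` and `;%20url` (a space after the semicolon) are not caught, and nothing in this function rejects an absolute URL to another host, so the bad-redirect class the CVE describes is only partly addressed. Prefer a positive check (a relative path within the board: no scheme, no leading `//`, no control characters) over extending the blacklist; at minimum replace strstr() with stristr() or a case-insensitive preg_match() here.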
diff -Nur phpBB2.0.21/login.php phpBB2.0.22/login.php
--- phpBB2.0.21/login.php	2006-06-09 16:29:42.0 +0200
+++ phpBB2.0.22/login.php	2006-12-19 18:29:16.0 +0100
@@ -123,7 +123,7 @@
 $redirect = ( !empty($HTTP_POST_VARS['redirect']) ) ? str_replace('amp;', '', htmlspecialchars($HTTP_POST_VARS['redirect'])) : '';
 $redirect = str_replace('?', '', $redirect);
 
-if (strstr(urldecode($redirect), \n) || strstr(urldecode($redirect), \r))
+if (strstr(urldecode($redirect), \n) || strstr(urldecode($redirect), \r) || strstr(urldecode($redirect), ';url'))
 {
 	message_die(GENERAL_ERROR, 'Tried to redirect to 
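Review bot: this is the same blacklist as in functions.php, copied rather than shared, which is how both sites came to need the identical one-line fix; have login.php call the common check (or leave it to redirect()) so the next addition lands in one place. Note too that the test runs on urldecode($redirect) while the un-decoded $redirect is what survives this block, so the value that is rejected and the value that is later used are not the same string; make sure both the check and the use operate on the same normalised form.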
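To make the weakness of the `;url` blacklist concrete, here is an added example written for this page; it is neither phpBB's code nor redir.diff. It reproduces the check the patch adds (decode once, look for CR, LF and the literal `;url`) next to a positive check that only accepts a board-relative path, and runs both over a set of constructed probe URLs. The function names and the probe strings are assumptions made for the example, and it uses PHP 7 syntax rather than the PHP 4 style of the 2.0.x code base.

```php
<?php
// Added example for this thread (editor's code, not phpBB's and not the
// Debian patch): the patched redirect check beside an allowlist check.
// Function names and probe URLs are constructed for the example.

// The patched check as it appears in functions.php/login.php: decode once,
// then test for CR, LF and the literal ';url'. strstr() is case-sensitive.
function patched_check(string $url): bool
{
    $d = urldecode($url);
    return !(strstr($d, "\n") || strstr($d, "\r") || strstr($d, ';url'));
}

// Positive check: accept only a board-relative path. Anything that could
// become a second header, a meta-refresh target or another origin is refused.
function is_safe_redirect(string $url): bool
{
    $d = urldecode($url);
    // Reject values that still change under a second decode (e.g. %250d).
    if (urldecode($d) !== $d) {
        return false;
    }
    // Header injection: any control byte, not only CR and LF.
    if (preg_match('/[\x00-\x1f\x7f]/', $d)) {
        return false;
    }
    // Meta-refresh delimiter, case-insensitive and tolerant of whitespace.
    if (preg_match('/;\s*url/i', $d)) {
        return false;
    }
    // Absolute (scheme:) and protocol-relative (//host, \\host) targets.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $d) || preg_match('#^[/\\\\]{2}#', $d)) {
        return false;
    }
    // Only characters a board URL actually uses, and no path traversal.
    return strpos($d, '..') === false
        && preg_match('#^[a-z0-9_./?&=-]+$#i', $d) === 1;
}

// Constructed probes: a legitimate target first, then the inputs a reviewer
// would try against the patched check. Returns both verdicts per probe.
function probe(): array
{
    $cases = [
        'viewtopic.php?t=489624',                        // legitimate
        'viewtopic.php?t=1%0d%0aSet-Cookie:%20a=b',      // CRLF into the header
        'viewtopic.php?t=1;url=http://evil.example/',    // the literal the patch blocks
        'viewtopic.php?t=1;URL=http://evil.example/',    // same, upper case
        'viewtopic.php?t=1;%20url=http://evil.example/', // same, with a space
        'http://evil.example/',                          // plain open redirect
        '//evil.example/',                               // protocol-relative
    ];
    $out = [];
    foreach ($cases as $c) {
        $out[$c] = [
            'patched'  => patched_check($c),
            'hardened' => is_safe_redirect($c),
        ];
    }
    return $out;
}

foreach (probe() as $url => $r) {
    printf("%-48s patched=%-6s hardened=%s\n", $url,
        $r['patched'] ? 'pass' : 'reject',
        $r['hardened'] ? 'pass' : 'reject');
}
```

Run with `php redirect_check.php` (any filename). The first two probes are handled identically by both checks; the upper-case, spaced, absolute and protocol-relative probes pass the patched substring test and are rejected only by the allowlist. The allowlist is deliberately narrow for a board whose targets are all `something.php?key=value`; a deployment that needs anchors or other characters should widen the character class rather than fall back to a blacklist.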

Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22

2007-01-13 Thread Jeroen van Wolffelaar
On Sat, Jan 13, 2007 at 11:07:48PM +0100, Thijs Kinkhorst wrote:
 I think this is it. Jeroen: opinions on what to upload?

I'd include all; although I'm not convinced all are really exploitable,
the fixes are harmless, and with webapps like this it's hard to tell for
sure something is *not* exploitable -- so many potential entry points to
code.

--Jeroen

-- 
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22

2007-01-07 Thread Stefan Fritsch
Package: phpbb2
Severity: grave
Tags: security
Justification: user security hole

phpbb2 2.0.22 fixes some more security issues:

CVE-2006-6841:
Certain forms in phpBB before 2.0.22 lack session checks

CVE-2006-6840:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to a negative start parameter.

CVE-2006-6839:
Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
and remote attack vectors related to criteria for 'bad' redirection
targets.

See
http://www.phpbb.com/phpBB/viewtopic.php?f=14t=489624

Please mention the CVE ids in the changelog.





Bug#405980: phpbb2: CVE-2006-6839 to -6841: vulnerabilities fixed in phpbb 2.0.22

2007-01-07 Thread Thijs Kinkhorst
Hi,

Thank you. I'm aware of the new release, but need to backport the
changes given that we're in a freeze.

 CVE-2006-6841:
 Certain forms in phpBB before 2.0.22 lack session checks

This is Cross Site Request Forgery.

 CVE-2006-6840:
 Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
 and remote attack vectors related to a negative start parameter.

This does not seem to warrant an update on its own: everything about it
is unknown.

 CVE-2006-6839:
 Unspecified vulnerability in phpBB before 2.0.22 has unknown impact
 and remote attack vectors related to criteria for 'bad' redirection
 targets.

This is very vague again. Summarizing all three I do not see a 'grave'
issue between them, but will see what the patches look like and whether
they're acceptable for etch at this point.

thanks,
Thijs


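The "session checks" of CVE-2006-6841 that the thread identifies as counter-CSRF are not shown on this page (sid.diff is attached to the mail but not reproduced), so the following is an added example by the editor, not phpBB's code and not the Debian patch. It shows the pattern the term refers to: the compose form carries the current session id in a hidden field, and the handler refuses a POST whose field does not match the session, which a form auto-submitted from another site cannot supply because the attacker cannot read the victim's cookie. Function names, the session id and the three requests are constructed for the example.

```php
<?php
// Added example (editor's code, not phpBB's and not sid.diff): a session
// check on a state-changing form. Names and values are constructed.

// Session id of the logged-in victim. The browser sends the cookie holding
// it on cross-site requests too; the hidden field is what the attacker lacks.
const VICTIM_SID = 'c3a9b9e1d5f04e2a8b7c6d5e4f3a2b1c';

// Rendering side: the legitimate compose form embeds the sid.
function compose_form_html(string $sid): string
{
    return '<form method="post" action="privmsg.php?mode=post">'
         . '<input type="hidden" name="sid" value="' . htmlspecialchars($sid, ENT_QUOTES) . '" />'
         . '<input type="text" name="username" />'
         . '<textarea name="message"></textarea>'
         . '<input type="submit" name="post" value="Submit" />'
         . '</form>';
}

// Handling side: the session check. Returns a status string so the outcome
// of each request below can be compared.
function handle_send_pm(array $post, string $session_sid): string
{
    if (!isset($post['sid']) || !is_string($post['sid'])) {
        return 'rejected: no sid in form';
    }
    // hash_equals() (PHP >= 5.6) compares in constant time.
    if (!hash_equals($session_sid, $post['sid'])) {
        return 'rejected: sid mismatch';
    }
    if (!isset($post['username'], $post['message']) || $post['username'] === '') {
        return 'rejected: incomplete form';
    }
    // Recipient lookup and storage would follow here in the real handler.
    return 'sent to ' . $post['username'];
}

// Three constructed requests, all arriving with the victim's session cookie.
function scenarios(): array
{
    // 1. The victim submits the real form: the browser posts back the sid
    //    it was given in the hidden field.
    preg_match('/name="sid" value="([^"]*)"/', compose_form_html(VICTIM_SID), $m);
    $genuine = ['sid' => $m[1], 'username' => 'alice', 'message' => 'hi'];

    // 2. A page on evil.example auto-submits a form to privmsg.php. The
    //    attacker cannot read the victim's cookie, so the form has no sid.
    $csrf = ['username' => 'everyone', 'message' => 'visit evil.example'];

    // 3. The same page with a guessed sid.
    $guessed = $csrf + ['sid' => str_repeat('0', 32)];

    return [
        'genuine' => handle_send_pm($genuine, VICTIM_SID),
        'csrf'    => handle_send_pm($csrf, VICTIM_SID),
        'guessed' => handle_send_pm($guessed, VICTIM_SID),
    ];
}

foreach (scenarios() as $name => $result) {
    printf("%-8s %s\n", $name, $result);
}
```

Only the genuine request is accepted. The check is exactly as strong as the secrecy of the session id: a board that also carries the sid in URLs (as phpBB 2 does for cookieless sessions) can leak it through the Referer header, so a per-form random token stored server-side is the more robust design; the sid field is the minimal change that fits a stable update.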