[Full-disclosure] Unpatched phpBB XSS [in 2.0.16]
Dominik Birk
mail at code-foundation.de
Wed Jul 6 14:11:12 BST 2005
> PoC is included with the description. I would advise administrators to
> disable the rendering of BBCode for the time being, this mitigates the
> issue.
According to this Exploit there is still no official answer from PHPBB.
Because of that, I just want to post my personal little version of
bugfixing this problem, with which you can obviate attacks on Users who
use IE, but you will loose the functionality of [url]-Tags.
#
#-----[ OPEN ]------------------------------------------
#
/templates/$template/bbcode.tpl
#
#-----[ FIND ]------------------------------------------
#
<!-- BEGIN url --><a href="{URL}" target="_blank"
class="postlink">{DESCRIPTION}</a><!-- END url -->
#
#-----[ SUBSTITUTE ]------------------------------------
#
//<!-- BEGIN url --><a href="{URL}" target="_blank"
class="postlink">{DESCRIPTION}</a><!-- END url -->
<!-- BEGIN url -->Function currently disabled<!-- END url -->
#
#-----[ SAVE FILE ]------------------------------------
#
EOF
I propose to call this steps off after PHPBB has released an official
bugfix.
HTH
Dominik Birk
Full-Disclosure is hosted and sponsored by Secunia.