php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #34224 vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability
Submitted: 2005-08-23 22:24 UTC Modified: 2005-08-24 08:19 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: stopavto-work at yahoo dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.4.0 OS: any
Private report: No CVE-ID: None
View Developer Edit
 [2005-08-23 22:24 UTC] stopavto-work at yahoo dot com 
Description:
------------
vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability

vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability 

08/22/2005 

Saw this one on www.waraxe.us (Discovered by Easyex) and i was 
thinking if there are some more possibilities using the method 
described. The POC below is for phpBB. - 

make yourself a folder on your host 
rename the folder to signature.jpg 
this will trick bbcode that its an image file.

example http://sitewithmaliciouscode/signature.jpg 


inside that folder .. put this code .. 
and rename it to index.php file. 


Quote: 
<?php 
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?> 


this will make every visitor getting logout when they view the thread that 
have image linked to this. 

This seems to be working on almost all the scripts using BBcode. 
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the 
image link to the folder with the malicious code as the forum 
signature. What i was wondering is there anything more serious than 
logging out the users that can be done with this? The admin folders of 
ipb and phpbb need reauthentication. So nothing serious for them but 
anything more innovative that could be done? And any way to fix this? 

Regards, 

-- 
http://www.h4cky0u.org 
(In)Security at its best...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-23 22:42 UTC] derick@php.net 
This has totally nothing to do with the PHP language itself.
 [2005-08-23 23:58 UTC] stopavto-work at yahoo dot com 
You want to say that code:
<?php 
header("Location:
http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?>
is not php???
And that if I use:
<img src="http://sitewithmaliciouscode/signature.jpg">
that will move to http://sitewithmaliciouscode/signature.jpg/index.php

Where "index.php" is that obove code it is not connected with php language?

Then may be you explain to me with what <?php ?> and index.php and <ims src=""> ate connected with?
Some words like "post method" can be helpful some how I think.
Thanks
 [2005-08-24 08:19 UTC] derick@php.net 
Sure, that's PHP - but that is a feature, not a bug. It's up to the applications to filter this out themselves.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 20:00:01 2025 UTC