php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #34224 vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability
Submitted: 2005-08-23 22:24 UTC Modified: 2005-08-24 08:19 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: stopavto-work at yahoo dot com Assigned:
Status: Not a bug Package: Unknown/Other Function
PHP Version: 4.4.0 OS: any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: stopavto-work at yahoo dot com
New email:
PHP Version: OS:

 

 [2005-08-23 22:24 UTC] stopavto-work at yahoo dot com 
Description:
------------
vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability

vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability 

08/22/2005 

Saw this one on www.waraxe.us (Discovered by Easyex) and i was 
thinking if there are some more possibilities using the method 
described. The POC below is for phpBB. - 

make yourself a folder on your host 
rename the folder to signature.jpg 
this will trick bbcode that its an image file.

example http://sitewithmaliciouscode/signature.jpg 


inside that folder .. put this code .. 
and rename it to index.php file. 


Quote: 
<?php 
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?> 


this will make every visitor getting logout when they view the thread that 
have image linked to this. 

This seems to be working on almost all the scripts using BBcode. 
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the 
image link to the folder with the malicious code as the forum 
signature. What i was wondering is there anything more serious than 
logging out the users that can be done with this? The admin folders of 
ipb and phpbb need reauthentication. So nothing serious for them but 
anything more innovative that could be done? And any way to fix this? 

Regards, 

-- 
http://www.h4cky0u.org 
(In)Security at its best...

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-08-23 22:42 UTC] derick@php.net 
This has totally nothing to do with the PHP language itself.
 [2005-08-23 23:58 UTC] stopavto-work at yahoo dot com 
You want to say that code:
<?php 
header("Location:
http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?>
is not php???
And that if I use:
<img src="http://sitewithmaliciouscode/signature.jpg">
that will move to http://sitewithmaliciouscode/signature.jpg/index.php

Where "index.php" is that obove code it is not connected with php language?

Then may be you explain to me with what <?php ?> and index.php and <ims src=""> ate connected with?
Some words like "post method" can be helpful some how I think.
Thanks
 [2005-08-24 08:19 UTC] derick@php.net 
Sure, that's PHP - but that is a feature, not a bug. It's up to the applications to filter this out themselves.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat May 18 17:01:33 2024 UTC