We've been notified about a vulnerability in phpBB 2.0.6 (which also affects 2.0.4 and 2.0.5). The fix is noted below but please note the text that follows it.

UPDATE: All packages have been updated to reflect this patch.

A change was made to the way bbcode url matching is achieved around phpBB 2.0.4. This was done following complaints that our existing methods, as used in earlier releases of phpBB, were too restrictive. Unfortunately the match went from too restrictive to too loose. This allows people to "break out" of the anchor href and insert arbitrary markup, particularly event handling parameters. This can result in anything from "nuisance" posts to people exploiting cross-site issues to grab cookie data.

Therefore this exploit is deemed serious ... we advise all our users to deploy the following fix as soon as possible. Updated 2.0.6 packages will be available shortly for new users.

You will need to use any text editor; all operating systems come with some kind of suitable application, e.g. notepad/wordpad on Windows, ed/pico/vi/emacs on Linux/UNIX/*BSD, etc. Using your text editor, open the file includes/bbcode.php (the extension may of course differ if you've changed it). Find the following section of code (use your editor's search facility or simply scroll through the file):

    $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
    $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\5', $bbcode_tpl['url4']);

Replace with:

    $bbcode_tpl['url4'] = str_replace('{URL}', 'http://\\1', $bbcode_tpl['url']);
    $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\\3', $bbcode_tpl['url4']);

Find:

    // matches a [url]xxxx://www.phpbb.com[/url] code..
    $patterns[] = "#\[url\]([\w]+?://.*?[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // [url=xxxx://www.phpbb.com]phpBB[/url] code..
    $patterns[] = "#\[url=([\w]+?://.*?[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

Replace with:

    // matches a [url]xxxx://www.phpbb.com[/url] code..
    $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // [url=xxxx://www.phpbb.com]phpBB[/url] code..
    $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

Find:

    // matches an "xxxx://yyyy" URL at the start of a line, or after a space.
    // xxxx can only be alpha characters.
    // yyyy is anything up to the first space, newline, comma, double quote or <
    $ret = preg_replace("#(^|[\n ])([\w]+?://.*?[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

    // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
    // Must contain at least 2 dots. xxxx contains either alphanum, or "-"
    // zzzz is optional.. will contain everything up to the first space, newline,
    // comma, double quote or <.
    $ret = preg_replace("#(^|[\n ])((www|ftp)\.[\w\-]+\.[\w\-.~]+(?:/[^ \"\t\n\r<]*)?)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);

Replace with:

    // matches an "xxxx://yyyy" URL at the start of a line, or after a space.
    // xxxx can only be alpha characters.
    // yyyy is anything up to the first space, newline, comma, double quote or <
    $ret = preg_replace("#(^|[\n ])([\w]+?://[^ \"\n\r\t<]*)#is", "\\1<a href=\"\\2\" target=\"_blank\">\\2</a>", $ret);

    // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing
    // Must contain at least 2 dots. xxxx contains either alphanum, or "-"
    // zzzz is optional.. will contain everything up to the first space, newline,
    // comma, double quote or <.
    $ret = preg_replace("#(^|[\n ])((www|ftp)\.[^ \"\t\n\r<]*)#is", "\\1<a href=\"http://\\2\" target=\"_blank\">\\2</a>", $ret);
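
To confirm the edit took effect, the [url=...] patterns from before and after the patch can be run side by side. The script below is an added example, not part of the original announcement or of phpBB; $tpl is a simplified stand-in for the url template, fill() and anchors_intact() are hypothetical helpers, and the sample posts are constructed.

```php
<?php
// Added example, not phpBB code. Patterns are the [url=...] ones quoted above.
// $tpl is a simplified stand-in for the bbcode.tpl url template (assumption).
$tpl = '<a href="{URL}" target="_blank">{DESCRIPTION}</a>';

function fill($tpl, $url, $desc) {
    return str_replace(array('{URL}', '{DESCRIPTION}'), array($url, $desc), $tpl);
}

// The description is '\\5' with the 2.0.6 www pattern (five groups) and
// '\\3' with the patched one (three groups), matching the url4 edit above.
$rules = array(
    '2.0.6' => array(
        "#\[url=([\w]+?://.*?[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is" => fill($tpl, '\\1', '\\2'),
        "#\[url=((www|ftp)\.([\w\-]+\.)*?[\w\-]+\.[a-z]{2,4}(:?[0-9]*?/[^ \"\n\r\t<]*)?)\](.*?)\[/url\]#is" => fill($tpl, 'http://\\1', '\\5'),
    ),
    'patched' => array(
        "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is" => fill($tpl, '\\1', '\\2'),
        "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is" => fill($tpl, 'http://\\1', '\\3'),
    ),
);

// True when every generated anchor carries exactly the template's attributes,
// i.e. nothing from the post escaped the href value.
function anchors_intact($html) {
    $all   = preg_match_all('#<a\b#i', $html);
    $clean = preg_match_all('#<a href="[^"<> ]*" target="_blank">#', $html);
    return $all === $clean;
}

// Constructed inputs: a normal link, a www-style link, and a URL containing a
// double quote followed by an extra (harmless) attribute.
$posts = array(
    '[url=http://www.example.com/a?b=1]ok[/url]',
    '[url=www.example.com]site[/url]',
    '[url=http://www.example.com" title="injected]text[/url]',
);

foreach ($rules as $version => $set) {
    foreach ($posts as $post) {
        $html = preg_replace(array_keys($set), array_values($set), $post);
        printf("%-8s %-6s %s\n", $version, anchors_intact($html) ? 'ok' : 'BROKEN', $html);
    }
}
```

With the 2.0.6 rules the third post is flagged BROKEN because the quote ends the href early and the rest lands in the tag; with the patched rules the same post is left as plain text.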