Author Topic: Vulnerability in BBCode --ramp,guru!!  (Read 2133 times)

Offline hiddenagenda

  • Jonin
  • ***
  • Posts: 791
  • Chakra -4
  • Referrals: 0
    • View Profile
Vulnerability in BBCode --ramp,guru!!
« on: October 09, 2003, 09:12:30 AM »
I'm not sure if Ramp or guru did this already but here goes:
Btw: even though the text states it's for phpbb 2.0.6 ,from 2.0.4 should also be altered....

Quote
We've been notified about a vulnerability in phpBB 2.0.6 (which also affects 2.0.4 and 2.0.5). The fix is noted below but please note the text that follows it.  

UPDATE: All packages have been updated to reflect this patch.  

A change was made to the way bbcode url matching is achieved around phpBB 2.0.4. This was done following complaints that our existing methods, as used in earlier releases of phpBB were too restrictive. Unfortunately the match went from too restrictive to too loose. This allows people to \"break out\" of the anchor href and insert arbitary markup, particularly event handling parameters. This can result in anything from \"nuisance\" posts to people exploiting cross-site issues to grab cookie data.  

Therefore this exploit is deemed serious ... we advise all our users to deploy the following fix as soon as possible. Updated 2.0.6 packages will be available shortly for new users.  

You will need to use any text editor, all operating systems come with some kind of suitable application, e.g. notepad/wordpad on Windows, ed/pico/vi/emacs on Linux/UNIX/*BSD, etc.  

Using your text editor open the file: includes/bbcode.php (the extension may of course differ if you've changed it).  

Find the following section of code (use your editors search facility or simply scroll through the file):  

Open includes/bbcode.php


FINd:

Code: [Select]
$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\1', $bbcode_tpl['url']);

   $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\5', $bbcode_tpl['url4']);


Replace all the above with
Code: [Select]
$bbcode_tpl['url4'] = str_replace('{URL}', 'http://\1', $bbcode_tpl['url']);

   $bbcode_tpl['url4'] = str_replace('{DESCRIPTION}', '\3', $bbcode_tpl['url4']);


Find
Code: [Select]
// matches a [url]xxxx://www.phpbb.com[/url] code..

   $patterns[] = "#[url]([w]+?://.*?[^ "nrt<]*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url1'];



   // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).

   $patterns[] = "#[url]((www|ftp).([w-]+.)*?[w-]+.[a-z]{2,4}(:?[0-9]*?/[^ "nrt<]*)?)[/url]#is";

   $replacements[] = $bbcode_tpl['url2'];



   // [url=xxxx://www.phpbb.com]phpBB[/url] code..

   $patterns[] = "#[url=([w]+?://.*?[^ "nrt<]*?)](.*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url3'];



   // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).

   $patterns[] = "#[url=((www|ftp).([w-]+.)*?[w-]+.[a-z]{2,4}(:?[0-9]*?/[^ "nrt<]*)?)](.*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url4'];


Replace with:

Code: [Select]
// matches a [url]xxxx://www.phpbb.com[/url] code..

   $patterns[] = "#[url]([w]+?://[^ "nrt<]*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url1'];



   // [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).

   $patterns[] = "#[url]((www|ftp).[^ "nrt<]*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url2'];



   // [url=xxxx://www.phpbb.com]phpBB[/url] code..

   $patterns[] = "#[url=([w]+?://[^ "nrt<]*?)](.*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url3'];



   // [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).

   $patterns[] = "#[url=((www|ftp).[^ "nrt<]*?)](.*?)[/url]#is";

   $replacements[] = $bbcode_tpl['url4'];


Find
Code: [Select]
// matches an "xxxx://yyyy" URL at the start of a line, or after a space.

   // xxxx can only be alpha characters.

   // yyyy is anything up to the first space, newline, comma, double quote or <

   $ret = preg_replace("#(^|[n ])([w]+?://.*?[^ "nrt<]*)#is", "\1<a href="\2" target="_blank">\2</a>", $ret);



   // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing

   // Must contain at least 2 dots. xxxx contains either alphanum, or "-"

   // zzzz is optional.. will contain everything up to the first space, newline,

   // comma, double quote or <.

   $ret = preg_replace("#(^|[n ])((www|ftp).[w-]+.[w-.~]+(?:/[^ "tnr<]*)?)#is", "\1<a href="http://\2" target="_blank">\2</a>", $ret);


Replace with:

Code: [Select]
//matches an "xxxx://yyyy" URL at the start of a line, or after a space.

   // xxxx can only be alpha characters.

   // yyyy is anything up to the first space, newline, comma, double quote or <

   $ret = preg_replace("#(^|[n ])([w]+?://[^ "nrt<]*)#is", "\1<a href="\2" target="_blank">\2</a>", $ret);



   // matches a "www|ftp.xxxx.yyyy[/zzzz]" kinda lazy URL thing

   // Must contain at least 2 dots. xxxx contains either alphanum, or "-"

   // zzzz is optional.. will contain everything up to the first space, newline,

   // comma, double quote or <.

   $ret = preg_replace("#(^|[n ])((www|ftp).[^ "tnr<]*)#is", "\1<a href="http://\2" target="_blank">\2</a>", $ret);
                   
My Xbox has been ressurected!

Carigamers

Vulnerability in BBCode --ramp,guru!!
« on: October 09, 2003, 09:12:30 AM »

Offline hiddenagenda

  • Jonin
  • ***
  • Posts: 791
  • Chakra -4
  • Referrals: 0
    • View Profile
Vulnerability in BBCode --ramp,guru!!
« Reply #1 on: October 11, 2003, 01:50:59 PM »
It's evident no one cares,or doesn't have the courtesy to reply
:@                    
My Xbox has been ressurected!

Offline SHiZZ

  • Ronin
  • Ancient
  • Sannin
  • *****
  • Posts: 2196
  • Chakra 11
  • Referrals: 0
    • View Profile
    • Art and stories
  • CPU: Intel
  • GPU: 8800gt
  • RAM: 2gigs
Vulnerability in BBCode --ramp,guru!!
« Reply #2 on: October 11, 2003, 01:55:18 PM »
lol, I am sure they will look at it soon enuff                    

Offline hiddenagenda

  • Jonin
  • ***
  • Posts: 791
  • Chakra -4
  • Referrals: 0
    • View Profile
Vulnerability in BBCode --ramp,guru!!
« Reply #3 on: October 12, 2003, 02:03:14 PM »
yea :P
I just posted that to get them to reply
lol                    
My Xbox has been ressurected!

Carigamers

Vulnerability in BBCode --ramp,guru!!
« Reply #3 on: October 12, 2003, 02:03:14 PM »

 


* ShoutBox

Refresh History
  • Crimson609: yea everything cool how are you?
    August 10, 2022, 07:26:15 AM
  • Pain_Killer: Good day, what's going on with you guys? Is everything Ok?
    February 21, 2021, 05:30:10 PM
  • Crimson609: BOOM covid-19
    August 15, 2020, 01:07:30 PM
  • Shinsoo: bwda 2020 shoutboxing. omg we are in the future and in the past at the same time!
    March 03, 2020, 06:42:47 AM
  • TriniXjin: Watch Black Clover Everyone!
    February 01, 2020, 06:30:00 PM
  • Crimson609: lol
    February 01, 2020, 05:05:53 PM
  • Skitz: So fellas how we go include listing for all dem parts for pc on we profile but doh have any place for motherboard?
    January 24, 2020, 09:11:33 PM
  • Crimson609: :ph34r:
    January 20, 2019, 09:23:28 PM
  • Crimson609: Big up ya whole slef
    January 20, 2019, 09:23:17 PM
  • protomanex: Gyul like Link
    January 20, 2019, 09:23:14 PM
  • protomanex: Man like Kitana
    January 20, 2019, 09:22:39 PM
  • protomanex: Man like Chappy
    January 20, 2019, 09:21:53 PM
  • protomanex: Gyul Like Minato
    January 20, 2019, 09:21:48 PM
  • protomanex: Gyul like XJin
    January 20, 2019, 09:19:53 PM
  • protomanex: Shout out to man like Crimson
    January 20, 2019, 09:19:44 PM
  • Crimson609: shout out to gyal like Corbie Gonta
    January 20, 2019, 09:19:06 PM
  • cold_187: Why allur don't make a discord or something?
    December 03, 2018, 06:17:38 PM
  • Red Paradox: https://www.twitch.tv/flippay1985 everyday from 6:00pm
    May 29, 2018, 09:40:09 AM
  • Red Paradox: anyone play EA Sports UFC 3.. Looking for a challenge. PSN: Flippay1985 :)
    May 09, 2018, 11:00:52 PM
  • cold_187: @TriniXjin not really, I may have something they need (ssd/ram/mb etc.), hence why I also said "trade" ;)
    February 05, 2018, 10:22:14 AM

SimplePortal 2.3.3 © 2008-2010, SimplePortal