
This is a discussion on New phpBB avatar exploit (possibly other web boards too) in the Open Discussion & Chit-chat forum

  1. #1
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775

    New phpBB avatar exploit (possibly other web boards too)

    There seems to be a *new* XSS-like exploit involving HTML code masquerading as avatars being uploaded to phpBB web boards (all versions -- maybe other web boards too), with visitors running Internet Explorer (all versions) as the intended victims. It could be used to steal cookie info and send it to a remote location.

    http://seclists.org/lists/fulldisclo.../Oct/0494.html
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  2. #2
    Darth Admin (aka Jag) JPC-Greg's Avatar
    Join Date
    Sep 1998
    Posts
    5,201
    Thanks Vin. This is worthy of a news and update post.
    Greg L. | Chief Executive Officer
    JaguarPC.com


  3. #3
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Yeah, since it involves the way Internet Explorer automatically renders malformed graphic files to HTML, this could be a big one, affecting any and all proggies that allow users to upload files, not just phpBB. We're talking webmail systems, photo album systems, CMS systems, or really any web app that allows the user to upload an image of some type. The impact is enormous!

  4. #4
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    I read the info at the link provided... interesting.

    However, I don't see a word about it over at phpBB as claimed at that link. Even so, I've turned off avatars at my forum temporarily.

    From what I gather, the danger would be one member uploading a malicious "avatar", then as other members read the forum and view the malicious avatar, the avatar script could be used to disclose the innocent member's cookie. This might enable access to the board as another member's ID... not a pleasant thought, but since admin access requires secondary authentication, it might prevent nastiness.

    I don't know if maliciousness other than cookie stealing would be possible with this exploit.

    I also have a coppermine gallery... I run it in fully moderated fashion, so only members can upload and all files uploaded must be approved and only approved pics can be seen by anyone.

    I suppose if a file were uploaded that was smaller than my thumbnail size when I went to approve the file it might be able to grab my info, (assuming that coppermine doesn't do any file checking, and actually starts to allow .gifs) but I wouldn't be approving a broken file, so the rest of the users are safe.

    I hope.


    Thanks for pointing this out.... waiting for confirmation and a patch.
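
The post above turns on whether the board or gallery does any file checking on uploads. As an added example (not phpBB's or Coppermine's code), here is a content audit for an avatar directory that ignores the file extension, requires a GIF/JPEG/PNG signature, and flags files that also contain HTML markup. The function names, the token list and the sample bytes are assumptions constructed for illustration.

```python
import re
from pathlib import Path

# Magic bytes of the formats a board normally accepts as avatars.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# Markup that has no place in an avatar. Heuristic, case-insensitive,
# searched over the whole file rather than only the header.
MARKUP = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|iframe|object|embed|meta)\b", re.I)

def image_kind(data: bytes):
    """Return 'gif', 'jpeg' or 'png' from the leading bytes, else None."""
    for kind, magics in SIGNATURES.items():
        if data.startswith(magics):
            return kind
    return None

def audit_avatar(data: bytes) -> str:
    """Classify one upload; extension and declared MIME type are ignored."""
    kind = image_kind(data)
    if kind is None:
        return "reject: no image signature"
    hit = MARKUP.search(data)
    if hit:
        return f"reject: {kind} signature, markup at offset {hit.start()}"
    return f"accept: {kind}"

def audit_directory(root) -> dict:
    """Map file name -> verdict for every rejected file directly under root."""
    findings = {}
    for path in sorted(Path(root).iterdir()):
        if path.is_file():
            verdict = audit_avatar(path.read_bytes())
            if verdict.startswith("reject"):
                findings[path.name] = verdict
    return findings

# Constructed, inert samples: a 1x1 GIF, the same GIF with markup
# appended, and an HTML document saved under an image name.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
GIF_WITH_MARKUP = CLEAN_GIF + b"<HTML><body>constructed marker</body></html>"
HTML_AS_GIF = b"<html><body>constructed marker</body></html>"
```

A signature check alone would accept the second sample, which is why the markup scan covers the whole file. Re-encoding uploads server-side is the stronger control, since it discards any bytes that are not image data.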

  5. #5
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    I still haven't seen anything about this on phpbb.com ... is this possibly a hoax?

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote, originally posted by Ron:
    > I still haven't seen anything about this on phpbb.com ... is this possibly a hoax?
    I dunno. Do you trust these guys to be able to spot a hoax?

    http://secunia.com/advisories/17295/

    And, another thing... when you think about it... if this vuln only affects MSIE, is it a phpBB problem, or a Microsoft problem?

    EDIT: Here's another link for you...
    Solution:
    The vendor has acknowledged this vulnerability and will be releasing a patch in the next release; version 2.0.18.
    SOURCE: http://www.securityfocus.com/bid/15170/solution

    Finally, the obligatory hacker advisory from Zone-H.org:

    http://www.zone-h.org/en/advisories/read/id=8304/
    Last edited by Vin DSL; 10-26-2005 at 09:09 PM.

  7. #7
    JPC Guru
    Join Date
    Jan 2004
    Location
    I'm right behind you....
    Posts
    389
    Just thought I'd mention that phpBB 2.0.18 was released yesterday and fixes this exploit.

    http://www.phpbb.com/downloads.php

    It's also worth mentioning that if you upgrade via the Code Changes Tutorial (for heavily modded boards), you might wanna let EasyMOD handle this one. It's a major update including many fixes to bugs and security problems found during a recent code audit of phpBB.

    Good times

  8. #8
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Yep! And, there's a new advisory involving phpBB <= 2.0.17 and PHP 5...

    http://secunia.com/advisories/17366/

  9. #9
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,304
    With 44 changes in this deployment, I'll be waiting for a while before installing this version.

    This has already paid off, as phpBB had inadvertently left two files out of the distribution package that I might have used.


    I'll be a little more patient and leave my avatars turned off so that I can see what bugs may be caused by these changes.
