*********************************************************************
* CODEBUG Labs
* Advisory #8
* Title: Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: Topic Calendar 1.0.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*********************************************************************

--) Software Page (www.phpbb.com/phpBB/viewtopic.php?t=150857)

Topic Calendar is a fairly widespread MOD for phpBB that adds a calendar to the board, using topics as events. Permissions are managed at forum, group and user level, like the standard phpBB auths.

--) Full Path Disclosure

If phpBB is running on a Microsoft IIS server, the full filesystem path of the installation can be obtained with simple requests such as:

http://www.example.com/phpbb/calendar_scheduler.php%5C
http://www.example.com/phpbb/calendar_scheduler.php?d=-1

Note that these requests do not work under other web servers such as Apache.

--) Cross-Site Scripting (XSS)

Let's look at the code of calendar_scheduler.php at line 82:

...
if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
{
    $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start'];
}
...
?>

and at line 375, where $start is concatenated into a hidden form field (the tag markup was stripped from this copy of the advisory; the line is reconstructed from the surrounding text):

...
$s_hidden_fields .= '<input type="hidden" name="start" value="' . $start . '" />';
...
?>

$start is a variable controlled by the remote user and, as we can see, it is never validated or escaped, so anyone can inject HTML such as:

"><script>alert(document.cookie)</script>

which turns the rendered line into:

<input type="hidden" name="start" value=""><script>alert(document.cookie)</script>" />

The double quote closes the value attribute, the > closes the input tag, and the script tag that follows is executed by the browser, in this case showing the cookies. This is the complete URL:

http://www.example.com/phpbb/calendar_scheduler.php?start=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

--) Patch

To fix the XSS bug we can use the function intval() at line 85 of calendar_scheduler.php. $start is expected to be a number, so intval() both neutralises the injected markup (any non-numeric input collapses to 0) and keeps only the integer value:

...
if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
{
    $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start'];
    $start = intval($start);
}
...
?>

*********************************************************************
http://www.codebug.org/
*********************************************************************
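The following is an added example, not code from the advisory or from the Topic Calendar MOD (which is PHP). It models in Python how calendar_scheduler.php builds the hidden start field, applies the advisory's proof-of-concept URL to it, and shows the intval() fix next to an attribute-escaping alternative for parameters that have to stay free text. The hidden-field markup, the php_intval() approximation and the POC_URL constant are assumptions constructed for the example.

```python
# Added example (not the advisory's or the MOD's code): a Python model of the
# vulnerable hidden-field rendering in calendar_scheduler.php, the advisory's
# PoC payload applied to it, and two ways of closing the hole.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the advisory's proof-of-concept URL.
POC_URL = ("http://www.example.com/phpbb/calendar_scheduler.php"
           "?start=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")


def start_param(url):
    """Return the raw `start` query value, as the MOD reads it from $HTTP_GET_VARS."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("start", [""])[0]


def render_hidden_vulnerable(start):
    """Models the unsanitised line: $start concatenated straight into the attribute.
    (The exact <input> markup is assumed from the advisory's description.)"""
    return '<input type="hidden" name="start" value="' + start + '" />'


def php_intval(value):
    """Approximation of PHP intval() on a string: optional leading whitespace,
    sign and digits; anything else yields 0. PHP also accepts exponent
    notation ("1e3"), which this model ignores."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def render_hidden_fixed(start):
    """The advisory's patch: coerce to an integer before the value reaches markup."""
    return '<input type="hidden" name="start" value="' + str(php_intval(start)) + '" />'


def render_hidden_escaped(start):
    """Alternative for parameters that must stay free text: attribute-escape the
    value (the PHP equivalent is htmlspecialchars($start, ENT_QUOTES))."""
    return '<input type="hidden" name="start" value="' + html.escape(start, quote=True) + '" />'


def tag_count(markup):
    """Number of tag openings in the rendered fragment; one <input> should give 1.
    Any extra tag means the attacker broke out of the value attribute."""
    return len(re.findall(r"<[a-zA-Z/]", markup))


if __name__ == "__main__":
    payload = start_param(POC_URL)
    print("payload   :", payload)
    for label, render in (("vulnerable", render_hidden_vulnerable),
                          ("intval    ", render_hidden_fixed),
                          ("escaped   ", render_hidden_escaped)):
        out = render(payload)
        print(label, ":", out, "| tags:", tag_count(out))
```

Running the script prints the three renderings side by side: the vulnerable one contains three tags (the input plus the injected script open and close), while both the intval() version (value="0") and the escaped version contain exactly one. intval() is the right fix here because start is numeric; the escaping variant is what you would reach for on a parameter whose legitimate values include quotes or angle brackets.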