cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Wed 06 Jul 2005 16:26
Temporary fix for security issue in URL BBcode (phpBB 2.0.16)
A new bug has been found in the URL BBcode system of phpBB 2.0.16. The phpBB Group has not released a fix yet, so here is a temporary fix for this issue until the official phpBB update is available.
Please save your original bbcode.php before making this change, so that you can easily apply the official changes from the phpBB Group once they provide the official fix for this issue. (Because this is not the official patch, but a solution for that problem!)
Here are the temporary code changes for phpBB 2.0.16 and Plus 1.5.x:
PHP:
#
#-----[ OPEN ]------------------------------------------
#
includes/bbcode.php
#
#-----[ FIND ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
#
#-----[ REPLACE WITH ]------------------------------------------
#
// matches a xxxx://www.phpbb.com code..
$patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url4'];
#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM
Enjoy.
Update (08.07.2005):
With a combination of a fix method from the users Alcaeus and Christian S. and my code, we now have a new solution for this issue which works better.
Important (20.07.2005):
phpBB 2.0.17 is now released and includes an official fix! So please don't use our version anymore and update as fast as possible to the newest phpBB 2.0.17 version: Click here
_________________ [ Forensoftware | CBACK Software | SYNTACTION ]
Support only in Forum! - Support nur im Forum!
Last edited by cback on Wed 20 Jul 2005 22:30; edited 8 times in total
TomLeo
phpBB2.de User
Joined: 01.06.2005
Posts: 45
Posted: Wed 06 Jul 2005 16:35
Aha, thanks!!
If you say so!! I trust you blindly on that ...
cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Wed 06 Jul 2005 16:36
Trust is good, control is better!
But in this case I was able to successfully prevent the injection methods in Plus and phpBB 2.0.16 with it, so I don't expect a significant difference from the official fix either.
Let's see what they come up with. In any case, the boards are secure until then.
alcaeus
phpBB2.de User
Joined: 09.04.2005
Posts: 51
Location: Munich, Germany but Italian native
Posted: Wed 06 Jul 2005 20:01
Actually, it can be done a lot more easily:
This is the original code:
PHP:
$patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// phpBB code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
And this is the new one:
PHP:
$patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url1'];
// www.phpbb.com code.. (no xxxx:// prefix).
$patterns[] = "#\[url\]((www|ftp)\.[^ '`\"\n\r\t<]*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url2'];
// phpBB code..
$patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
$replacements[] = $bbcode_tpl['url3'];
// phpBB code.. (no xxxx:// prefix).
$patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
The new regexps only exclude ' and `. This means that the malicious code won't be parsed at all. This solution was developed by Daniel W. of the Delphi-PRAXiS and Christian S. of the Delphi-Forum.
phpBB.com has not yet acknowledged the problem, but it has been reported to the security tracker.
Greetz
alcaeus
Last edited by alcaeus on Thu 07 Jul 2005 15:17; edited once in total
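As an added example (not code from this thread or from phpBB itself), the following Python harness transcribes the three variants of the url1..url4 patterns discussed so far, the unpatched 2.0.16 patterns, cback's first-post fix with the nested-`[url` lookahead, and alcaeus' quote-excluding variant, and reports which rule fires on constructed sample posts, so an admin can see exactly where the two fixes differ before choosing one.

```python
import re

# The phpBB 2.0.16 [url] patterns posted in this thread, transcribed from PHP
# double-quoted strings into Python raw strings (\" becomes ", \n \r \t are
# left for the regex engine); PHP's #...#is flags map to re.I | re.S.
FLAGS = re.I | re.S

# Unpatched includes/bbcode.php
ORIGINAL = {
    "url1": r"""\[url\]([\w]+?://[^ "\n\r\t<]*?)\[/url\]""",
    "url2": r"""\[url\]((www|ftp)\.[^ "\n\r\t<]*?)\[/url\]""",
    "url3": r"""\[url=([\w]+?://[^ "\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]""",
    "url4": r"""\[url=((www|ftp)\.[^ "\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]""",
}
# cback's temporary fix: ' and ` excluded in url1/url3/url4; url2 instead
# refuses a nested "[url" via a negative lookahead (its own class keeps ').
CBACK = {
    "url1": r"""\[url\]([\w]+?://[^ '`"\n\r\t<]*?)\[/url\]""",
    "url2": r"""\[url\]((www|ftp)\.(?![^ '`"\n\r\t<]*?\[url)[^ "\n\r\t<]*?)\[/url\]""",
    "url3": r"""\[url=([\w]+?://[^ '`"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]""",
    "url4": r"""\[url=((www|ftp)\.[^ '`"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]""",
}
# alcaeus' variant: ' and ` excluded in all four patterns, no nesting check.
ALCAEUS = dict(CBACK, url2=r"""\[url\]((www|ftp)\.[^ '`"\n\r\t<]*?)\[/url\]""")
VARIANTS = {"original": ORIGINAL, "cback": CBACK, "alcaeus": ALCAEUS}

def firing(patterns, text):
    """Names of the rules in one variant that would match this post text."""
    return [name for name, pat in patterns.items() if re.search(pat, text, FLAGS)]

def compare(text):
    """Which of url1..url4 fires on `text` under each of the three variants."""
    return {name: firing(pats, text) for name, pats in VARIANTS.items()}

# Constructed sample posts: no payloads, only the characters the fixes key on.
SAMPLES = {
    "plain":  "[url]http://www.example.com/index.php[/url]",
    "named":  "[url=www.example.com/]Example[/url]",
    "quote":  "[url=www.example.com/a'b]Example[/url]",
    "quote2": "[url]www.example.com/a'b[/url]",
    "nested": "[url]www.example.com/[url]x[/url][/url]",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:7} {compare(text)}")
```

Ordinary links still parse under all three variants, both fixes reject the quote in url4, but only cback's url2 refuses a nested `[url` and only alcaeus' url2 refuses a quote, which is the gap behind the later suggestion in this thread to apply both.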
cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Wed 06 Jul 2005 20:14
With your code I can still execute malicious scripts with the other URL BBCode methods. I just have to use multiple nestings.
And I don't know if that is easier; both snippets have only one find-and-replace part.
Last edited by cback on Wed 06 Jul 2005 20:15; edited once in total
Datenbankpasswort
phpBB2.de User
Joined: 28.06.2005
Posts: 372
Posted: Wed 06 Jul 2005 20:15
So does that mean I should just apply the one above me instead of all that in the first post?
_________________ It is annoying how often one has to postpone some tasks in order to finally forget them.
cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Wed 06 Jul 2005 20:16
No, take mine. At the very top.
Oh yes, "all that": in both cases it is only a single code replacement, so the effort is absolutely identical, with the difference that my snippet solves the problem and the one below can still be nested further.
Datenbankpasswort
phpBB2.de User
Joined: 28.06.2005
Posts: 372
Posted: Wed 06 Jul 2005 20:18
Okay, thank you.
alcaeus
phpBB2.de User
Joined: 09.04.2005
Posts: 51
Location: Munich, Germany but Italian native
Posted: Wed 06 Jul 2005 20:25
cback wrote:
    With your code I can still execute malicious scripts with the other URL BBCode methods. I just have to use multiple nestings.
Actually, I'd love to see that code, maybe you could PN me one? Both BBCodes that were using that vulnerability are using a ' (style='), therefore I don't know what you're referring to. The nested url tags don't get parsed with my method, not even the first one.
Greetz
alcaeus
alcaeus
phpBB2.de User
Joined: 09.04.2005
Posts: 51
Location: Munich, Germany but Italian native
Posted: Thu 07 Jul 2005 13:50
After further investigating the issue, I think it's best to apply both fixes, therefore excluding nested tags and my method.
Also, maybe your fix doesn't work all that well, as this link doesn't get parsed, even though BBCode is enabled, and the links in my previous post don't show.
As I said, cback, you should contact me via PN or ICQ to let me know about the malicious code that can still be inserted with my method.
Greetz
alcaeus
_________________ A portal for computer science students: www.infler.de
My homepage: www.alcaeus.org
Latest article: Working with phpBB again
cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Thu 07 Jul 2005 13:53
Quote:
    As I said, cback, you should contact me via PN or ICQ to let me know about the malicious code that can still be inserted with my method.
Sorry, I can only say that it works, but I never give out malicious code. To no one.
alcaeus
phpBB2.de User
Joined: 09.04.2005
Posts: 51
Location: Munich, Germany but Italian native
Posted: Thu 07 Jul 2005 13:56
cback wrote:
    Sorry, I can only say that it works, but I never give out malicious code. To no one.
We have my fix running on a couple of forums, so giving me the code would just be a matter of friendliness, as the malicious code I used to grab autologin keys does not work with my fix anymore.
Given the information present, all malicious code I have found so far uses the style=' issue, exploitable only in IE, therefore always including one of the stop characters included in my fix. As I said, it's not for me to use that code, it's to protect the forums I'm managing. But I guess your lack of trust will make me find out the hard way.
Greetz
alcaeus
cback
phpBB2.de User
[KB] Manager
Joined: 16.01.2004
Posts: 3321
Location: Saarland
Posted: Thu 07 Jul 2005 13:59
I can only tell you that my method in the first post is the solution for that problem, without affecting any phpBB functions and with securing the URL BBcode from any nagging.
But you can use what you want. I don't force anyone to use something good.