cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Wed 06 Jul, 2005 15:26

Temporary fix for security issue in URL BBcode (phpBB 2.0.16)


Actually, a new bug in the URL BBcode system of phpBB 2.0.16 was found. The phpBB Group has not released a fix at the moment, so I give you here a temporary fix for this issue until the official update for phpBB is available.

Please save your original bbcode.php before making this change, so that you can easily apply the official changes from the phpBB Group when they provide the official fix for this issue. (Because this is not the official patch, but a solution for that problem!)

Here are the temporary code changes for phpBB 2.0.16 and Plus 1.5.x:


PHP:
#
#-----[ OPEN ]------------------------------------------
#
includes/bbcode.php

#
#-----[ FIND ]------------------------------------------
#
    // matches a xxxx://www.phpbb.com code..
    $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

#
#-----[ REPLACE WITH ]------------------------------------------
#
    // matches a xxxx://www.phpbb.com code..
    $patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.(?![^ '`\"\n\r\t<]*?\[url)[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url4'];

#
#-----[ SAVE/CLOSE ALL FILES ]------------------------------------------
#
# EoM



Enjoy. ;)

Update (08.07.2005):

With a combination of a fix method from the users Alcaeus, Christian S. and my code, we now have a new solution for this issue which works better.


Important (20.07.2005):

phpBB 2.0.17 is now released and now includes an official FIX! So please don't use our version anymore and update as fast as possible to the newest phpBB 2.0.17 version.

_________________
[ Forensoftware | CBACK Software | SYNTACTION ]

Support only in Forum!


Last edited by cback on Wed 20 Jul, 2005 21:30; edited 8 times in total

TomLeo
phpBB2.de User

Joined: 01 Jun 2005
Posts: 45

Posted: Wed 06 Jul, 2005 15:35

Aha, thanks!!

If you say so!! I trust you blindly on this ... Thanks

cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Wed 06 Jul, 2005 15:36

Trust is good, control is better! ;)

But in this case I was able to successfully prevent the injection methods in Plus and phpBB 2.0.16 with it, so I don't expect a significant difference in the official fix either ;)

Let's see what they come up with :) But in any case the boards are safe until then.


alsakrah
phpBB2.de User

Joined: 02 Dec 2003
Posts: 125
Location: JUBAIL

Posted: Wed 06 Jul, 2005 17:08

Thank you

updating now

_________________
phpBB2 Plus Arabic Language Support Forum

alcaeus
phpBB2.de User

Joined: 09 Apr 2005
Posts: 51
Location: Munich, Germany but Italian native

Posted: Wed 06 Jul, 2005 19:01

Actually, it can be done a lot easier:

This is the original code:
PHP:
    $patterns[] = "#\[url\]([\w]+?://[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // phpBB code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";


And this is the new one:
PHP:
    $patterns[] = "#\[url\]([\w]+?://[^ '`\"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url1'];

    // www.phpbb.com code.. (no xxxx:// prefix).
    $patterns[] = "#\[url\]((www|ftp)\.[^ '`\"\n\r\t<]*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url2'];

    // phpBB code..
    $patterns[] = "#\[url=([\w]+?://[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";
    $replacements[] = $bbcode_tpl['url3'];

    // phpBB code.. (no xxxx:// prefix).
    $patterns[] = "#\[url=((www|ftp)\.[^ '`\"\n\r\t<]*?)\]([^?\n\r\t].*?)\[/url\]#is";

The new regexps only exclude ' and `. This means that the malicious code won't be parsed at all. This solution was developed by Daniel W. of the Delphi-PRAXiS and Christian S. of the Delphi-Forum.

phpBB.com has not yet acknowledged the problem, but it has been reported to the security tracker.

Greetz
alcaeus


Last edited by alcaeus on Thu 07 Jul, 2005 14:17; edited 1 time in total
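
The effect described in the post above (adding ' and ` to the excluded characters means such a URL is no longer parsed at all), as an added example that is not part of the original posts and not phpBB code. It rebuilds the four patterns from the two blocks above around each set of stop characters and runs them over constructed, inert sample posts; `url_patterns()`, `parsed_by()` and the example.com samples are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread's authors or from phpBB.
// Builds the four URL BBCode patterns around a given set of stop characters.
function url_patterns($stop)
{
    return array(
        'url1' => "#\[url\]([\w]+?://[^{$stop}]*?)\[/url\]#is",
        'url2' => "#\[url\]((www|ftp)\.[^{$stop}]*?)\[/url\]#is",
        'url3' => "#\[url=([\w]+?://[^{$stop}]*?)\]([^?\n\r\t].*?)\[/url\]#is",
        'url4' => "#\[url=((www|ftp)\.[^{$stop}]*?)\]([^?\n\r\t].*?)\[/url\]#is",
    );
}

// Returns the name of the first pattern that would turn $text into a link,
// or 'none' when the tag would be left as literal text in the post.
function parsed_by(array $patterns, $text)
{
    foreach ($patterns as $name => $pattern) {
        if (preg_match($pattern, $text) === 1) {
            return $name;
        }
    }
    return 'none';
}

$original = url_patterns(" \"\n\r\t<");    // character class from the "original code" block
$hardened = url_patterns(" '`\"\n\r\t<");  // same class plus ' and `

// Constructed, inert sample posts (example.com is a placeholder host).
$samples = array(
    "[url]http://www.example.com/index.php?t=1[/url]",
    "[url]www.example.com[/url]",
    "[url=http://www.example.com/]Example[/url]",
    "[url]http://www.example.com/it's[/url]",
    "[url=www.example.com/a`b]label[/url]",
);

// One line per sample: which pattern of each set would parse it.
foreach ($samples as $text) {
    printf("%-48s original=%-5s hardened=%s\n",
        $text, parsed_by($original, $text), parsed_by($hardened, $text));
}
```

With these samples the first three tags are matched by both sets, while the last two, which contain ' or `, are matched only by the original set. Legitimate URLs with an unencoded apostrophe or backtick are therefore also left as plain text by the new patterns.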

cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Wed 06 Jul, 2005 19:14

With your code I can still execute malicious scripts with the other URL BBCode methods. I just have to use multiple nestings.

And I don't know if that is easier; both snippets have only one find and replace part ;)



Last edited by cback on Wed 06 Jul, 2005 19:15; edited 1 time in total

Datenbankpasswort
phpBB2.de User

Joined: 28 Jun 2005
Posts: 372

Posted: Wed 06 Jul, 2005 19:15

Does that mean I should just apply the one above me, instead of all that in the first post?

_________________
It is annoying how often one has to put off some tasks in order to finally forget them.

cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Wed 06 Jul, 2005 19:16

No, use mine. At the very top. ;)

Oh, and "all that": in both cases it is just a single replacement of code, so the amount of work is absolutely identical, with the difference that my snippet solves the problem and the one below can still be nested further ;)


Datenbankpasswort
phpBB2.de User

Joined: 28 Jun 2005
Posts: 372

Posted: Wed 06 Jul, 2005 19:18

Okay, thank you.


cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Wed 06 Jul, 2005 19:20

No problem :)


alcaeus
phpBB2.de User

Joined: 09 Apr 2005
Posts: 51
Location: Munich, Germany but Italian native

Posted: Wed 06 Jul, 2005 19:25

cback wrote:
With your code I can still execute malicious scripts with the other URL BBCode methods. I just have to use multiple nestings.

Actually, I'd love to see that code, maybe you could PM me one? Both BBCodes that were using that vulnerability are using a ' (style='), therefore I don't know what you're referring to. The nested url-Tags don't get parsed with my method, not even the first one.

Greetz
alcaeus

alcaeus
phpBB2.de User

Joined: 09 Apr 2005
Posts: 51
Location: Munich, Germany but Italian native

Posted: Thu 07 Jul, 2005 12:50

After further investigating the issue, I think it's best to apply both fixes, therefore excluding nested tags and my method.
Also, maybe your fix doesn't work all that well, as this link doesn't get parsed, even though BBCode is enabled, and the links in my previous post don't show ;)
As I said, cback, you should contact me via PM or ICQ to let me know about the malicious code that can still be inserted with my method.

Greetz
alcaeus

_________________
A portal for computer science students: www.infler.de
My homepage: www.alcaeus.org
Latest article: Working with phpBB again

cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Thu 07 Jul, 2005 12:53

Quote:
As I said, cback, you should contact me via PM or ICQ to let me know about the malicious code that can still be inserted with my method.


Sorry, I can only say that it works but I never give out malicious code. ;) To no one.


alcaeus
phpBB2.de User

Joined: 09 Apr 2005
Posts: 51
Location: Munich, Germany but Italian native

Posted: Thu 07 Jul, 2005 12:56

cback wrote:
Sorry, I can only say that it works but I never give out malicious code. ;) To no one.

:roll: We have my fix running on a couple of forums, so giving me the code would just be a matter of friendliness, as the malicious code I used to grab autologin keys does not work with my fix anymore.
Given the information present, all malicious code I have found so far uses the style=' issue exploitable only in IE, therefore always including one of the stop characters included in my fix. As I said, it's not for me to use that code, it's to protect the forums I'm managing. But I guess your lack of trust will make me find out the hard way :roll:

Greetz
alcaeus


cback
phpBB2.de User
[KB] Manager

Joined: 16 Jan 2004
Posts: 3321
Location: Saarland

Posted: Thu 07 Jul, 2005 12:59

I can only tell you that my method in the first post is the solution for that problem without affecting any phpBB Functions and with securing the URL BBcode from any nagging. ;)

But you can use what you want. I don't force someone to use something good ;)
