[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    phpBB 2.0.17 (and other BB systems as well) Cookie disclosure
From:       alphakgen () gmail ! com
Date:       2005-10-22 13:22:17
Message-ID: 20051022132217.10390.qmail () securityfocus ! com
[Download RAW message or body]

phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.

I sent the report to phpBB and they said that a patch will be available withing a few \
days and It will be integrated into 2.0.18 .

Note: This works like XSS, and requires the victim to use IE (Affects all versions of \
IE).

Special Credits to: Sven Vetsch (the original finder of "The gif bug").
The original gif-bug article : \
http://www.securiteam.com/windowsntfocus/6F00B00EBY.html Also thanks to the experts \
at securiteam.com for clarifying some issues.

Since what is described in the original article doesn't work, I have written this \
step-by-step article explaining how to replicate this bug successfuly.

Affected: All phpBB systems allowing "Upload Avatar from URL" and most likely all \
other systems with such a feature (Other bulletin boards - but I didn't check).

Well, the base for the problem lies within IE.. The core element of my Proof of \
Concept is the lately found Gif-bug in IE (Originally found by Sven Vetsch). 

For some reason IE renders malformed embedded content files (like gif,jpg,wav,and so \
on..) as HTML when they are accessed directly e.g. http://attacker.com/xss.gif (Not \
through the <img> tag).

If we create an HTML file and rename its extention to .GIF (or other embedded content \
file extention), and upload it to an HTTP server (it dosn't work locally for some \
reason), when we will navigate to http://myserver.com/xss.gif the HTML code will be \
executed instead of showing that the image is invalid. 

So, if we could upload such a file to a server that allows image upload we could \
actually upload HTML code instead (Inside the image file). If the victim will be \
lured to navigate to this  specially crafted image in IE, arbitary HTML code could be \
executed in the servers security zone, e.g. we could steall the users cookie, for \
example.

However it is not that simple with systems (like phpBB) that verify the image file \
before it is uploaded to the server. If we try to upload our previosly made \
http://attacker.com/xss.gif gif file the system will complain about incorrect image \
size - that's because our image is invalid. The verification system chechs the files \
header. In a valid 1x1 gif file the header should be (in hex) : 47 49 46 38 39 61 01 \
00 01 00 . After the header we will insert the next HTML code: \
<HTML><HEAD><SCRIPT>alert(document.cookie);</SCRIPT></HEAD></HTML> So the file will \
look like this (in hex): 47 49 46 38 39 61 01 00 01 00 3C 48 54 4D 4C 3E 3C 48 45 41 \
44 3E 3C 53 43 52 49 50 54 3E 61 6C 65 

72 74 28 64 6F 63 75 6D 65 6E 74 2E 63 6F 6F 6B 69 65 29 3B 3C 2F 53 43 52 49 50 54 \
3E 3C 2F 48 45 

41 44 3E 3C 2F 48 54 4D 4C 3E

If we upload this file instead the old one to : http://myserver.com/xss.gif we will \
be able to upload it as a phpBB avatar. However when we access the file directly (as \
before) no HTML code is going to be executed. That is because IE sees the valid \
header and tries to draw the image  instead of rendering the HTML (and fails anyway \
...).

However if we change the file extention from .GIF to .JPG the GIF header in the \
beginning will become meaningless to IE and the HTML code will be executed. So if we \
rename our image from  xss.gif to xss.jpg when we will navigate to \
http://myserver.com/xss.jpg we will see an alert box (that should show the cookie on \
its current server). 

The phpBB avatar upload system verifies the files header - and our header is pretty \
much valid - for a GIF file, but not JPG. If we try to upload the file \
http://myserver.com/xss.jpg as our avatar it will be successfuly uploaded. Hence any \
one who will navigate (in IE) directly to our avatar in 

its new address on the phpBB forum server (the URL should look like \
http://phpbbforum.com/phpbb/

images/avatars/2131121a2121f.jpg) will be able to see his cookie information in an \
alert window. Instead an image something like GIF89a_--. will apear, but it can be \
easily obfuscated with a simple JavaScript.

As a Proof of Concept here is a ready made JPG file: (Save target as) \
http://planet.nana.co.il/

mycoolpictures123/fake/lt2.jpg . Upload this (from its current location, or your HTTP \
server) as an avatar to phpBB (or as I believe - any Bulletin Board system). In your \
avatar an invalid image (red X) will appear, but when you navigate to it's current \
location (e.g. http://phpbbforum.com/

phpbb/images/avatars/2131121a2121f.jpg) you will see an alert with your cookie.

Using the basic idea of my PoC, the code can be manipulated to send a users cookie \
information to  a CGI sniffer on a remote server. All that should be done is sending \
a message saying "Check out this image" and specifying the avatars URL.

This is a major problem since 90% of the internet users use IE and lots of dynamic \
sites (like  bulletin boards) allow image upload to the server. 

The solution could come in many ways. The best solution for the user is to use \
another browser (like FireFox) untill a vendor patch from Micrsoft is available. For \
bulletin board administrators it is highly advised to turn off the "Upload avatar \
from URL" option untill a patch from the vendor (phpBB, vBulletin, IPB, and so on...) \
arrives.

Have a good day.
K-Gen


[prev in list] [next in list] [prev in thread] [next in thread] 

Configure | About | News | Add a list | Sponsored by KoreLogic