Debian Bug report logs - #317739
XSS in phpbb2 (MS IE only) [CAN-2005-2161]


Package: phpbb2; Maintainer for phpbb2 is (unknown);

Reported by: Alexander Gerasiov <gq@cs.msu.su>

Date: Mon, 11 Jul 2005 07:48:02 UTC

Severity: serious

Tags: confirmed, fixed-upstream, patch, security

Found in version 2.0.13-6

Fixed in versions phpbb2/2.0.13+1-6sarge1, 2.0.17-1

Done: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to Alexander Gerasiov <gq@cs.msu.su>:
New Bug report received and forwarded. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #5 received at submit@bugs.debian.org:

From: Alexander Gerasiov <gq@cs.msu.su>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS in phpbb2 (MS IE only?)
Date: Mon, 11 Jul 2005 11:35:28 +0400
Package: phpbb2
Version: 2.0.13-6
Severity: serious

XSS was reported on bugtraq 05 July.

Just tested it on my phpbb2 installation and found that the following code
shows cookies on MS IE.

[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`alert(document.cookie);this.sss=null`style='font-size:0;][/url][/url]'[/color]


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages phpbb2 depends on:
ii  apache [httpd]               1.3.33-6    versatile, high-performance HTTP s
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  libapache-mod-php4           4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4                         4:4.3.10-15 server-side, HTML-embedded scripti
ii  php4-mysql                   4:4.3.10-15 MySQL module for php4

-- debconf information:
* phpbb2/httpd: apache



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #10 received at 317739@bugs.debian.org:

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Alexander Gerasiov" <gq@cs.msu.su>, 317739@bugs.debian.org
Subject: Re: Bug#317739: XSS in phpbb2 (MS IE only?)
Date: Mon, 11 Jul 2005 12:25:02 +0200 (CEST)
tags 317739 security confirmed
thanks

Hello,

On Mon, July 11, 2005 09:35, Alexander Gerasiov wrote:
> XSS was reported on bugtraq 05 July.

Thanks for your report. If you find something like this, please report
references that make it easier to locate the report you're referring to.

I found this message:
http://www.securityfocus.com/archive/1/404300/30/90/threaded

> Just tested it on my phpbb2 installation and found that the following code
> shows cookies on MS IE.

I've tried your example and can confirm that it indeed works, only in IE.
Thanks for the notification, we'll work out a solution.


regards,
Thijs Kinkhorst




Tags added: security, confirmed. Request was from "Thijs Kinkhorst" <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #17 received at 317739@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 317739@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Patch for #317739
Date: Tue, 12 Jul 2005 09:51:12 +0200
tags 317739 +patch
thanks

Hey people,

I've prepared the attached patch which addresses this issue.
Jeroen, can you review? And shall we release an advisory about this or
wait for information from the phpbb-team?


Thijs
[bbcode.php.patch (text/plain, inline)]
--- bbcode.php	2005-05-12 22:55:50.000000000 +0200
+++ bbcode.php.new	2005-07-12 09:45:37.122877488 +0200
@@ -198,23 +198,23 @@

 	// [img]image_url_here[/img] code..
 	// This one gets first-passed..
-	$patterns[] = "#\[img:$uid\]($allowed_urlschemas://[^ \"\n\r\t<]*?)\[/img:$uid\]#si";
+	$patterns[] = "#\[img:$uid\]($allowed_urlschemas://[^ `\"\n\r\t<]*?)\[/img:$uid\]#si";
 	$replacements[] = $bbcode_tpl['img'];

 	// matches a [url]xxxx://www.phpbb.com[/url] code..
-	$patterns[] = "#\[url\]($allowed_urlschemas://[^ \"\n\r\t<]*?)\[/url\]#is";
+	$patterns[] = "#\[url\]($allowed_urlschemas://[^ `\"\n\r\t<]*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url1'];

 	// [url]www.phpbb.com[/url] code.. (no xxxx:// prefix).
-	$patterns[] = "#\[url\]((www|ftp)\.[^ \"\n\r\t<]*?)\[/url\]#is";
+	$patterns[] = "#\[url\]((www|ftp)\.[^ `\"\n\r\t<]*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url2'];

 	// [url=xxxx://www.phpbb.com]phpBB[/url] code..
-	$patterns[] = "#\[url=($allowed_urlschemas://[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
+	$patterns[] = "#\[url=($allowed_urlschemas://[^ `\"\n\r\t<]*?)\](.*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url3'];

 	// [url=www.phpbb.com]phpBB[/url] code.. (no xxxx:// prefix).
-	$patterns[] = "#\[url=((www|ftp)\.[^ \"\n\r\t<]*?)\](.*?)\[/url\]#is";
+	$patterns[] = "#\[url=((www|ftp)\.[^ `\"\n\r\t<]*?)\](.*?)\[/url\]#is";
 	$replacements[] = $bbcode_tpl['url4'];

 	// [email]user@domain.tld[/email] code..
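Review bot: the change at the five `$patterns[]` lines only extends a blocklist, adding the backtick to the negated class `[^ \"\n\r\t<]` that bounds the captured URL, so the capture can still carry any character the class does not name (the single quote among them) straight into the attribute of `$bbcode_tpl['url1']` through `['url4']`. A more robust fix would either match an allowlist of URL-legal characters in the capture group or HTML-encode the captured URL before it is substituted into the template, so the output stays safe whichever characters the class forgets; the `(.*?)` link-text capture in the url3 and url4 patterns is passed through untouched and deserves the same treatment. The `[img]` pattern receives the identical one-character change and the same remark applies to it.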
[signature.asc (application/pgp-signature, attachment)]
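The effect of the one-character change is easiest to see by running the patterns against a post. The block below is an added example, not code from the bug report or from phpBB: it transliterates the four `[url]` patterns of bbcode.php into Python's `re`, keeps the body class in its pre-patch and post-patch form, and shows that a backtick in the address is captured before the patch and makes the tag fall through after it. The `$allowed_urlschemas` alternation and the minimal `<a>` template are constructed stand-ins for values the page does not show, and the HTML-escaping in `render_links` is the hardening a reviewer would ask for rather than phpBB's own `$bbcode_tpl` behaviour.

```python
import html
import re

# Added example: a Python transliteration of the phpBB2 bbcode.php [url] patterns
# touched by the patch, so the one-character change can be checked offline.
# phpBB's real $allowed_urlschemas list is not on the page; this alternation is a
# constructed stand-in.
ALLOWED_URLSCHEMAS = "(?:http|https|ftp)"

# The negated character class that bounds a URL body, before and after the patch.
# The patch adds the backtick (`) to the characters a URL may not contain.
BODY_BEFORE = r'[^ "\n\r\t<]*?'
BODY_AFTER = r'[^ `"\n\r\t<]*?'


def url_patterns(body):
    """The four [url] forms from bbcode.php with the given body class.

    Named groups replace PHP's positional ones: 'url' is the captured address,
    'text' the link text of the [url=...]text[/url] forms.
    """
    return {
        "url1": rf"\[url\](?P<url>{ALLOWED_URLSCHEMAS}://{body})\[/url\]",
        "url2": rf"\[url\](?P<url>(?:www|ftp)\.{body})\[/url\]",
        "url3": rf"\[url=(?P<url>{ALLOWED_URLSCHEMAS}://{body})\](?P<text>.*?)\[/url\]",
        "url4": rf"\[url=(?P<url>(?:www|ftp)\.{body})\](?P<text>.*?)\[/url\]",
    }


def captured_urls(post, body):
    """Every address the [url] patterns would capture from a post."""
    found = []
    for pat in url_patterns(body).values():
        for m in re.finditer(pat, post, re.I | re.S):
            found.append(m.group("url"))
    return found


def render_links(post, body):
    """Substitute the matched forms into an <a> tag the way preg_replace would,
    but HTML-escape the captured address and link text first.

    The escaping is added hardening, not phpBB's $bbcode_tpl behaviour: it keeps
    the output safe whichever characters the body class happens to let through.
    """
    def repl(m):
        href = html.escape(m.group("url"), quote=True)
        text = m.groupdict().get("text")
        label = html.escape(text, quote=True) if text is not None else href
        return f'<a href="{href}">{label}</a>'

    out = post
    for pat in url_patterns(body).values():
        out = re.sub(pat, repl, out, flags=re.I | re.S)
    return out


if __name__ == "__main__":
    # Constructed posts: one with a backtick in the address, one ordinary link.
    tricky = "[url]www.example.com/a`b[/url]"
    plain = "[url=http://www.example.com/?a=1&b=2]a & b[/url]"
    print("before patch:", captured_urls(tricky, BODY_BEFORE))  # address captured
    print("after patch: ", captured_urls(tricky, BODY_AFTER))   # tag left unrendered
    print(render_links(plain, BODY_AFTER))
```

Swapping `BODY_BEFORE` for `BODY_AFTER` in `captured_urls` is the whole patch: the lazy body can no longer cross the backtick, so the closing `[/url]` is never reached and the tag stays as plain text. `render_links` shows the complementary approach the patch does not take: whatever the class lets through is encoded before it lands in the `href` attribute.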

Tags added: patch. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#317739; Package phpbb2.

Acknowledgement sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Extra info received and forwarded to list.

Message #24 received at 317739@bugs.debian.org:

From: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
To: Thijs Kinkhorst <kink@squirrelmail.org>, 317739@bugs.debian.org
Subject: Re: Bug#317739: Patch for #317739
Date: Tue, 12 Jul 2005 12:28:03 +0200
On Tue, Jul 12, 2005 at 09:51:12AM +0200, Thijs Kinkhorst wrote:
> tags 317739 +patch
> thanks
> 
> Hey people,
> 
> I've prepared the attached patch which addresses this issue.
> Jeroen, can you review? And shall we release an advisory about this or
> wait for information from the phpbb-team?

It should really be tested on plain upstream 2.0.16 before reporting.
Can you try that? I'll then report it upstream and hopefully get a
response quickly.

--Jeroen

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl



Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #29 received at 317739@bugs.debian.org:

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: "Jeroen van Wolffelaar" <jeroen@wolffelaar.nl>
Cc: 317739@bugs.debian.org
Subject: Re: Bug#317739: Patch for #317739
Date: Tue, 12 Jul 2005 13:02:04 +0200 (CEST)
On Tue, July 12, 2005 12:28, Jeroen van Wolffelaar wrote:
> It should really be tested on plain upstream 2.0.16 before reporting.
> Can you try that? I'll then report it upstream and hopefully get a
> response quickly.

I can confirm that it is reproducible on 2.0.16.


Thijs




Changed Bug title. Request was from Jeroen van Wolffelaar <jeroen@wolffelaar.nl> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to "Thijs Kinkhorst" <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #36 received at 317739@bugs.debian.org:

From: "Thijs Kinkhorst" <kink@squirrelmail.org>
To: 317739@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#317739: XSS in phpbb2 (MS IE only?)
Date: Thu, 14 Jul 2005 09:16:38 +0200 (CEST)
retitle 317739 XSS in phpbb2 (MS IE only) [CAN-2005-2161]
thanks


This is CAN-2005-2161.


Thijs




Changed Bug title. Request was from "Thijs Kinkhorst" <kink@squirrelmail.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Jeroen van Wolffelaar <jeroen@wolffelaar.nl>:
Bug#317739; Package phpbb2.

Acknowledgement sent to Thijs Kinkhorst <kink@squirrelmail.org>:
Extra info received and forwarded to list. Copy sent to Jeroen van Wolffelaar <jeroen@wolffelaar.nl>.

Message #43 received at 317739@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 317739@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#317739: XSS in phpbb2 (MS IE only?)
Date: Thu, 21 Jul 2005 22:32:39 +0200
tags 317739 fixed-upstream
thanks

On Thu, 2005-07-14 at 09:16 +0200, Thijs Kinkhorst wrote:
> This is CAN-2005-2161.

Upstream has released 2.0.17 with a patch for this vulnerability. I'll
prepare updated packages for our current Debian versions, and after that
we'll probably also upload 2.0.17 into unstable.


Thijs
[signature.asc (application/pgp-signature, inline)]

Tags added: fixed-upstream. Request was from Thijs Kinkhorst <kink@squirrelmail.org> to control@bugs.debian.org.

Tags added: pending. Request was from "www.wolffelaar.nl" <www-data@wolffelaar.nl> to control@bugs.debian.org.

Message sent on to Alexander Gerasiov <gq@cs.msu.su>:
Bug#317739.

Message #50 received at 317739-submitter@bugs.debian.org:

From: "www.wolffelaar.nl" <www-data@wolffelaar.nl>
To: control@bugs.debian.org, 317739-submitter@bugs.debian.org, 310827-submitter@bugs.debian.org
Subject: phpBB bugs fixed in revision r212
Date: Tue, 26 Jul 2005 16:44:01 +0200
# Fixed in r212 by kink
tag 317739 + pending
tag 310827 + pending
thanks

These bugs are fixed in revision 212 by kink
Log message:
Update changelog with these items:
* Security: Update existing bbcode xss patch to incorporate latest
  XSS vulnerability [CAN-2005-2161]. (Closes: #317739)
* Add missing CVE-id to -6 changelog. (Closes: #310827)






Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Alexander Gerasiov <gq@cs.msu.su>:
Bug acknowledged by developer.

Message #55 received at 317739-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 317739-close@bugs.debian.org
Subject: Bug#317739: fixed in phpbb2 2.0.13+1-6sarge1
Date: Thu, 28 Jul 2005 22:02:08 -0700
Source: phpbb2
Source-Version: 2.0.13+1-6sarge1

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
phpbb2-languages_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge1_all.deb
phpbb2_2.0.13+1-6sarge1.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge1.diff.gz
phpbb2_2.0.13+1-6sarge1.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge1.dsc
phpbb2_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 317739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Jul 2005 18:22:00 +0200
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinneable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 317739
Changes: 
 phpbb2 (2.0.13+1-6sarge1) stable-security; urgency=high
 .
   * Security update by phpBB maintainers
   * Update existing BBCode XSS patch to incorporate fix for a newly discovered
     XSS vulnerability [CAN-2005-2161]. (Closes: #317739)
Files: 
 a2192409bb6c743be83d87529e00ebcc 783 web optional phpbb2_2.0.13+1-6sarge1.dsc
 e5a598478e4f01a3e8981b72c1356445 61579 web optional phpbb2_2.0.13+1-6sarge1.diff.gz
 678d0cb0372e46402a472c510fb90d78 3340445 web optional phpbb2_2.0.13+1.orig.tar.gz
 2e0d83079efc4321532e062a4c746598 525020 web optional phpbb2_2.0.13-6sarge1_all.deb
 9d27f1ba0c529544447be2537a2e427c 36996 web extra phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
 8de633213b53ff0c2029b0b3e28aa847 2868362 web optional phpbb2-languages_2.0.13-6sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC541oW5ql+IAeqTIRAqqlAKCzpMQtU5OwyX9WLNZx+/xy5/kwvgCeK30A
nrCxM+U7XhPdysPwSuF1n3E=
=hpIn
-----END PGP SIGNATURE-----




Reply sent to Thijs Kinkhorst <kink@squirrelmail.org>:
You have taken responsibility.

Notification sent to Alexander Gerasiov <gq@cs.msu.su>:
Bug acknowledged by developer.

Message #60 received at 317739-close@bugs.debian.org:

From: Thijs Kinkhorst <kink@squirrelmail.org>
To: 317739-close@bugs.debian.org
Subject: Bug#317739: fixed in phpbb2 2.0.13+1-6sarge1
Date: Fri, 16 Dec 2005 21:37:12 -0800
Source: phpbb2
Source-Version: 2.0.13+1-6sarge1

We believe that the bug you reported is fixed in the latest version of
phpbb2, which is due to be installed in the Debian FTP archive:

phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
phpbb2-languages_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2-languages_2.0.13-6sarge1_all.deb
phpbb2_2.0.13+1-6sarge1.diff.gz
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge1.diff.gz
phpbb2_2.0.13+1-6sarge1.dsc
  to pool/main/p/phpbb2/phpbb2_2.0.13+1-6sarge1.dsc
phpbb2_2.0.13-6sarge1_all.deb
  to pool/main/p/phpbb2/phpbb2_2.0.13-6sarge1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 317739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <kink@squirrelmail.org> (supplier of updated phpbb2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 26 Jul 2005 18:22:00 +0200
Source: phpbb2
Binary: phpbb2-languages phpbb2-conf-mysql phpbb2
Architecture: source all
Version: 2.0.13+1-6sarge1
Distribution: stable-security
Urgency: high
Maintainer: Jeroen van Wolffelaar <jeroen@wolffelaar.nl>
Changed-By: Thijs Kinkhorst <kink@squirrelmail.org>
Description: 
 phpbb2     - A fully featured and skinneable flat (non-threaded) webforum
 phpbb2-conf-mysql - Automatic configurator for phpbb2 on MySQL database
 phpbb2-languages - phpBB2 additional languages
Closes: 317739
Changes: 
 phpbb2 (2.0.13+1-6sarge1) stable-security; urgency=high
 .
   * Security update by phpBB maintainers
   * Update existing BBCode XSS patch to incorporate fix for a newly discovered
     XSS vulnerability [CAN-2005-2161]. (Closes: #317739)
Files: 
 a2192409bb6c743be83d87529e00ebcc 783 web optional phpbb2_2.0.13+1-6sarge1.dsc
 e5a598478e4f01a3e8981b72c1356445 61579 web optional phpbb2_2.0.13+1-6sarge1.diff.gz
 678d0cb0372e46402a472c510fb90d78 3340445 web optional phpbb2_2.0.13+1.orig.tar.gz
 2e0d83079efc4321532e062a4c746598 525020 web optional phpbb2_2.0.13-6sarge1_all.deb
 9d27f1ba0c529544447be2537a2e427c 36996 web extra phpbb2-conf-mysql_2.0.13-6sarge1_all.deb
 8de633213b53ff0c2029b0b3e28aa847 2868362 web optional phpbb2-languages_2.0.13-6sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC541oW5ql+IAeqTIRAqqlAKCzpMQtU5OwyX9WLNZx+/xy5/kwvgCeK30A
nrCxM+U7XhPdysPwSuF1n3E=
=hpIn
-----END PGP SIGNATURE-----




Reply sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
You have taken responsibility.

Notification sent to Alexander Gerasiov <gq@cs.msu.su>:
Bug acknowledged by developer.

Message #65 received at 317739-done@bugs.debian.org:

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: 317739-done@bugs.debian.org
Subject: Fixed in upstream 2.0.17
Date: Mon, 19 Jun 2006 01:35:19 +0200
Version: 2.0.17-1

As #317739 (CAN-2005-2161) was fixed by upstream in 2.0.17, I'm closing it to
tell the BTS that it is not a problem in etch nor sid.

/* Steinar */
-- 
Homepage: http://www.sesse.net/



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 07:17:39 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 01:39:36 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.