ppp-design found the following cross-site-scripting-bug in phpGB:


Details

Product: phpGB
Affected Version: 1.10 and maybe all versions before
Immune Version: 1.20
OS affected: all OS with php
Vendor-URL: http://www.walzl.net
Vendor-Status: informed, new version avaiable
Security-Risk: high
Remote-Exploit: Yes


Introduction

phpGB is a php/mysql based guestbook. Unfortunately no input is been filtered for malicious code segments. That leads to the possibility of a cross-site-scripting attack.


More details

A possible blackhat is able to insert eg. javascript code into the guestbook entry. When an admin tries to delete this entry the script will be executed. So the attacke is able to eg. get the session id and enter the admin area without being authenticated.


Proof-of-concept

Enter the following guestbookentry:

"delete me <script>alert(document.cookie)</script>"

When an admin tries to delete this entry, a popup showing his session id will come up. Of course it is quite easy to submit this session id to blackhat's server instead of showing this popup.


Temporary-fix

Filter all inputs for unwanted code segments like html or javascript code.


Fix

phpGB 1.2 filters all inputs.


Security-Risk

Because after a successfull attack an attacker is able to do anything an admin can do, the whole guestbook shall be deemed to be compromised. That is why we are rating the risk to high.


Vendor status

The author had fixed this bug allready, when we informed him.


Disclaimer

All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.