BugTraq
phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 12:01AM
Ready Response (wang mod-x co uk) (2 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 20 2004 12:15PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 21 2004 01:10AM
Xin LI (delphij frontfree net) (1 replies)
On Tue, Apr 20, 2004 at 04:15:48PM +0400, 3APA3A wrote:
> --Monday, April 19, 2004, 4:01:29 AM, you wrote to bugtraq (at) securityfocus (dot) com [email concealed]:
>
> RR> the users IP address in the common.php script. This issue is caused
> RR> by blind trust of the X-Forwarded-For HTTP header. A remote attacker
>
> This issue is very common for different BBs (for example Iconboard has
> same problem), in addition to IP spoofing it's usually possible to cause
> crossite scripting by inserting script into forgery X-Forwarded-For
> header.
>
> --

The situation turns out to be more serious because phpBB (up to and
including 2.0.8a) is affected by another potential resource exhaustion
attack, by exploiting the limitation on the sessions table.

I have a preliminary patch as followed. It was sent to security (at) phpbb (dot) com [email concealed]
a month ago and I received no response from them (also, the description
of the vulnerablity, of course):

Index: includes/sessions.php
===================================================================
RCS file: /cvsroot/phpbb/phpBB2/includes/Attic/sessions.php,v
retrieving revision 1.58.2.10
diff -u -r1.58.2.10 sessions.php
--- includes/sessions.php 5 Apr 2003 12:04:33 -0000 1.58.2.10
+++ includes/sessions.php 17 Apr 2004 07:48:20 -0000
@@ -147,7 +147,7 @@
$sql = "INSERT INTO " . SESSIONS_TABLE . "
(session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in)
VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)";
- if ( !$db->sql_query($sql) )
+ if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )
{
message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql);
}
@@ -380,4 +380,4 @@
return $url;
}

-?>
\ No newline at end of file
+?>

The concept here is simple. We do not really need to store sessions for
anonymous users.

Remote attackers can attack a forum without Wang's patch by exploiting
this vulnerablity and result in a Denial of Service attack by fooling
the forum to store many anonymous 'visitors' in sessions table.

This vulnerablity does not affect the development version of phpBB.

--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.

[ reply ]
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 28 2004 09:03AM
BlueRaven (blue ravenconsulting it) (1 replies)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 29 2004 02:16AM
Xin LI (delphij frontfree net)
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability Apr 19 2004 08:05PM
Shaun Colley (shaunige yahoo co uk)


 

Privacy Statement
Copyright 2010, SecurityFocus