Topic: BBCode [IMG] [/IMG ] Tag Vulnerability

See this message: http://lists.grok.org.uk/pipermail/full … 36348.html
Question: Is there any vulnerability in PunBB's BBCode?



Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Like me: don't activate IMG sig :) I think PunBB has not this problem (phpBB is a worm hole :) )

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Rod: it's nothing to do with signatures, it's just [img] tags, surely browsers won't execute image files as html hmm


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Connorhd wrote:

Rod: it's nothing to do with signatures, it's just [img] tags, surely browsers won't execute image files as html hmm

:)

Anyway, people still use phpBB, it's their problem (about security) :)

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

I just tested this with my local PunBB installation, and it's certainly possible to e.g. log a user out by just naming a folder something like "test.jpg", then adding an index file that logs you out.

It probably can't do much harm though, but here's a little fix that takes care of the problem permanently. I don't know if it'll work on every server, but it works on mine very well :)

Here's how to do it.

Open includes/parser.php

Find, around line 293:

//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
    global $lang_common, $pun_config, $pun_user;

After, add:

    if (@getimagesize($url) === false)
        $url = 'img/warning.png';

Just upload a warning image named "warning.png" to your img folder.

This tweak just checks if PHP can read the image's file size. If it can't, well, then it's not an image and should not be allowed.


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

I think this is potentially more serious than it looks.
Any URL called will be identified by the cookie of the current user.
What if the current user has admin status? And the URL does something there?
Well, it's still a theory, but there will always be an asshole finding a leak there.
So I guess CodeXP's workaround is something everybody should use.
It will not work on systems where file handling of URLs is disabled, but then - no pictures is still better than no database :)

Btw, I tried to hack myself with that method and it didn't work :(

The German PunBB Site:
PunBB-forum.de
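The concern in the post above is that an [img] tag makes every viewer's browser send a GET request, with that viewer's cookies, to a URL the poster chose. The underlying weakness is therefore any action the board performs on a bare GET, such as the login.php?action=out&id=... logout shown later in this thread. The following is an added example, not PunBB code: a logout handler that only acts on a POST carrying a per-session token, so a request produced by an <img> fetch (always a GET, never knowing the token) changes nothing. It assumes PHP 7 or later (the original PunBB 1.2 targeted much older PHP) and the hypothetical function names shown.

```php
<?php
// Added example (not PunBB's login.php): a state-changing action that refuses
// to run on a bare GET so an [img]-triggered fetch cannot log the viewer out.
// Function names are hypothetical; assumes PHP 7+ for random_bytes() and ??.

session_start();

// Issue one token per session; it is embedded in the real logout form only.
function csrf_token()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST that carries the session's token. An <img src="..."> can
// only produce a GET and never sees the token, so every request an [img] tag
// could trigger fails this check. hash_equals() avoids a timing side channel.
function is_authorised_state_change(array $server, array $post, array $session)
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

if (is_authorised_state_change($_SERVER, $_POST, $_SESSION)) {
    // The real logout: drop the session (and the remember-me cookie, if any).
    session_destroy();
    header('Location: index.php');
    exit;
}

// Any other request, including an image fetch, only gets the confirmation form.
header('Content-Type: text/html; charset=utf-8');
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="login.php?action=out">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Log out</button>'
   . '</form>';
```

The same pattern applies to every admin action reachable by URL: the image-validation workarounds in this thread only stop the board from rendering the poster's URL, while a token on state-changing requests stops the request from doing anything even when it is sent.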


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Tobi wrote:

I think this is potentially more serious than it looks.
Any URL called will be identified by the cookie of the current user.
What if the current user has admin status? And the URL does something there?
Well, it's still a theory, but there will always be an asshole finding a leak there.
So I guess CodeXP's workaround is something everybody should use.
It will not work on systems where file handling of URLs is disabled, but then - no pictures is still better than no database :)

Btw, I tried to hack myself with that method and it didn't work :(

bouhh bouhhh, very bad self hacker! :)

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Tobi wrote:

I think this is potentially more serious than it looks.
Any URL called will be identified by the cookie of the current user.
What if the current user has admin status? And the URL does something there?
Well, it's still a theory, but there will always be an asshole finding a leak there.
So I guess CodeXP's workaround is something everybody should use.
It will not work on systems where file handling of URLs is disabled, but then - no pictures is still better than no database :)

Btw, I tried to hack myself with that method and it didn't work :(

Try creating a directory in your PunBB forum folder named something like "test.jpg", then create an index.php file with the following content:

<?php 
header("Location: http://<yourdomain.com>/login.php?action=out&id=<your punbb userid>"); 
exit; 
?>

Then try posting it & refresh the page ;)

9 (edited by Tobi 2005-08-22 17:32)

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

No.
That's no real exploit.
I mean for this you need access to the board folder AND you have to know your userid.
This is not possible for people from the outside.

What I was trying was to do that from a remote folder on another machine and without the userid.
If this is not possible at all then we don't have a leak :)

Your version is more like going to my board directory in the shell and typing
# rm -Rf ./*
:)

It doesn't prove that the board is insecure...

The German PunBB Site:
PunBB-forum.de

10 (edited by CodeXP 2005-08-23 14:29)

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Oh, and about my previous method: it works very well provided you can use it, but it will slow things down a bit if there are a lot of images in a post (after all, it will have to check each of them).

Here's a better method that adds the benefit of caching remote images for as long as you want :)

1. Open includes/parser.php

2. Find, around line 282 (the line number in my previous post was wrong):

//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
    global $lang_common, $pun_config, $pun_user;

3. Replace with:

//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
    global $lang_common, $pun_config, $pun_user;

    $replace = array('%20', ' '); // We don't want spaces in our filenames
    $file = basename(str_replace($replace, '_', $url)); // Get remote filename, excluding pathname
    $expire = 259200; // How long should we wait to download the image again? Defaults to 3 days (in seconds).
    $hash = md5($url); // Generate an MD5 hash of the file's URL. Helps prevent multiple copies of the same file.
    $cached = 'cache/img/'.$hash.'_'.$file; // The local cached copy, keyed by the URL hash so two files with the same name don't collide.
    $localfile = $cached.'.tmp'; // This is the temp. filename written while downloading.

    if (file_exists($cached) && (time() - filemtime($cached) < $expire)) { // Check if the image exists, and if it's expired.
        $url = $cached; // Local copy is OK and not expired, thus we don't need to do anything more right now.
    } else {
        $remote = @file_get_contents($url); // Get the contents of the remote file
        $fh = @fopen($localfile, 'w'); // Prepare for writing
        @fwrite($fh, $remote); // Write the new file...
        @fclose($fh); // ...and now we close it.
        rename($localfile, $cached); // The temp file is now downloaded, so let's just rename it before we continue
        $secure = @getimagesize($cached); // Check the image dimensions. If we can't find them, it's not an image!
        if ($secure === false) {
            @unlink($cached); // The file was not an image, so we will have to delete it for security reasons.
            $url = 'img/warning.png'; // We will also provide a warning image. This will show up for any invalid images, or even missing ones.
        } else {
            $url = $cached; // This is a valid image, so we provide the user with a cached copy.
        }
    }

4. Create the following folder: cache/img & chmod it to 777

5. Create an .htaccess file in above folder with the following content:

<Limit GET POST>
Order Allow,Deny
Allow from All
</Limit>

6. Create an image with your warning text, named warning.png, & upload it to your img directory.

7. Save & upload.

This will be a *lot* faster than my previous "fix", seeing as files are cached and only local copies will be checked every X number of days :)

Edit: Fixed script.
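Both of CodeXP's workarounds (the getimagesize() check in the earlier post and the caching script above) make the forum server download whatever URL a poster wrote, so the server itself becomes the client that follows the link; that is a server-side request surface the [img] tag did not have before, and neither script restricts the scheme, the size, or the name the remote file is stored under. The block below is an added example, not CodeXP's script and not PunBB code, of the same caching idea written so that the stored name comes only from the URL hash and the detected image type (never from the remote name), the download is bounded and does not follow redirects, the file is verified before it gets its final name, and anything that is not a GIF/JPEG/PNG is dropped. The cache directory, limits and the fetch_cached_image() name are assumptions; the directory must also be configured so the web server never executes scripts in it (for Apache with mod_php, php_flag engine off in that directory's .htaccess), which the "Allow from All" .htaccess in step 5 does not do. Blocking fetches to internal hosts, or sending them through an egress proxy, is a separate control this example does not implement.

```php
<?php
// Added example, not CodeXP's script or PunBB code: a cached-image fetch for
// handle_img_tag() that never trusts the remote file name. Paths and limits
// are assumptions chosen for illustration.

define('IMG_CACHE_DIR', 'cache/img');       // must exist, be writable, and never execute scripts
define('IMG_CACHE_TTL', 3 * 24 * 3600);     // 3 days, as in the original script
define('IMG_MAX_BYTES', 2 * 1024 * 1024);   // refuse anything larger than 2 MiB

// Map the type reported by getimagesize() to a fixed extension. The remote
// name (e.g. "evil.php") is never used, so the cache can't hold a .php file.
function cached_image_extension(array $info)
{
    static $ok = array(IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png');
    return isset($ok[$info[2]]) ? $ok[$info[2]] : null;
}

// Returns the local path of a verified image, or null when the URL is not
// http(s), the download fails or is too large, or the bytes are not an image.
function fetch_cached_image($url)
{
    if (!preg_match('#^https?://#i', $url)) {
        return null;                        // no file://, php://, ftp:// and friends
    }
    $hash = sha1($url);

    // Fresh local copy? Then no network request at all.
    $existing = glob(IMG_CACHE_DIR . '/' . $hash . '.*');
    if ($existing !== false) {
        foreach ($existing as $path) {
            if (time() - filemtime($path) < IMG_CACHE_TTL) {
                return $path;
            }
        }
    }

    // Bounded download: short timeout, no redirects, at most IMG_MAX_BYTES+1
    // bytes read so an oversized response is detected without buffering it all.
    $ctx = stream_context_create(array('http' => array('timeout' => 5, 'follow_location' => 0)));
    $data = @file_get_contents($url, false, $ctx, 0, IMG_MAX_BYTES + 1);
    if ($data === false || strlen($data) > IMG_MAX_BYTES) {
        return null;
    }

    // Write to a per-request temp name first so a concurrent request never sees
    // a half-written or unverified file under the final name.
    $tmp = IMG_CACHE_DIR . '/' . $hash . '.' . uniqid('', true) . '.part';
    if (file_put_contents($tmp, $data, LOCK_EX) === false) {
        return null;
    }
    $info = @getimagesize($tmp);
    $ext = ($info !== false) ? cached_image_extension($info) : null;
    if ($ext === null) {
        unlink($tmp);                       // not a GIF/JPEG/PNG: drop it
        return null;
    }
    $final = IMG_CACHE_DIR . '/' . $hash . '.' . $ext;
    chmod($tmp, 0644);
    if (!rename($tmp, $final)) {
        unlink($tmp);
        return null;
    }
    return $final;
}

// Inside handle_img_tag(), after the global line, the replacement for the
// original script would then be just:
//     $local = fetch_cached_image($url);
//     $url = ($local === null) ? 'img/warning.png' : $local;
```

Because the served path is always cache/img/<sha1>.<gif|jpg|png>, a polyglot that satisfies getimagesize() but carries script text is stored under an image extension in a directory that does not execute, which closes the gap the original name-preserving rename left open.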


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Tobi wrote:

No.
That's no real exploit.
I mean for this you need access to the board folder AND you have to know your userid.
This is not possible for people from the outside.

What I was trying was to do that from a remote folder on another machine and without the userid.
If this is not possible at all then we don't have a leak :)

Your version is more like going to my board directory in the shell and typing
# rm -Rf ./*
:)

It doesn't prove that the board is insecure...

Oh, absolutely not, but better safe than sorry I say ;)

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

I want to know how and where to enable [img] in my signatures?


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Pos3idon wrote:

am I want to know how and where to enable [url]in my signatures ?

That's not really related to this topic, but you'll find it in your admin panel, under permissions.

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

He said [img], not URL.


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

I think this can be semi-important thing about user uploaded avatars: http://securityfocus.com/archive/1/4143 … 0/threaded

Although it wouldn't work when a user normally views posts, if a person uploads a malicious avatar file and sends a link to it (which looks something like host.com/punbb/avatars...), someone may think it's safe because the image is on the forum host site and clicks the link...

Connorhd wrote:

surely browsers won't execute image files as html hmm

Unfortunately IE does...

timo
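Timo's point is the upload-side version of the same problem: a file that passes as an image but also contains HTML will be rendered as HTML by a browser that sniffs content (as IE did at the time), and it is served from the forum's own host. The block below is an added example, not PunBB's avatar code: it accepts an uploaded avatar only if it decodes as an image, re-encodes it with GD so that only the decoded pixels are written (any HTML or script bytes in the original file are discarded, and animated GIFs lose their animation), names the stored file from the user id rather than the upload name, and serves it with the X-Content-Type-Options: nosniff header that browsers from IE8 onward honour. The directory, the size limit and the function names are assumptions.

```php
<?php
// Added example, not PunBB's avatar code: store an uploaded avatar only after
// re-encoding it through GD, and serve it with sniffing disabled.
// Directory, size limit and function names are assumptions.

define('AVATAR_DIR', 'img/avatars');    // must not execute scripts either
define('AVATAR_MAX_PX', 60);            // assumed maximum width/height

// Returns the stored file name on success, or null if the upload is rejected.
// $tmp_path is the $_FILES['avatar']['tmp_name'] of a completed upload.
function store_avatar($tmp_path, $user_id)
{
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[0] > AVATAR_MAX_PX || $info[1] > AVATAR_MAX_PX) {
        return null;                    // not an image, or too large to be an avatar
    }
    // Decode the pixels; a file that only had a plausible header fails here.
    $img = @imagecreatefromstring(file_get_contents($tmp_path));
    if ($img === false) {
        return null;
    }
    // Always write a fresh PNG: the output holds the decoded pixels and
    // nothing else from the uploaded bytes.
    $name = (int) $user_id . '.png';
    $ok = imagepng($img, AVATAR_DIR . '/' . $name);
    imagedestroy($img);
    return $ok ? $name : null;
}

// Serve avatars through a script rather than as static files, so every
// response carries an explicit type and the browser is told not to guess.
function send_avatar($user_id)
{
    $path = AVATAR_DIR . '/' . (int) $user_id . '.png';
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="avatar.png"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Re-encoding is the control that actually removes the embedded markup; the nosniff header is defence in depth for any path where a file is still served directly.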

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Rickard said he was going to take a look at it


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Hm.. nice bag :)

Hm... every pixel has it's own destiny

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Smartys wrote:

Rickard said he was going to take a look at it

I have and PunBB is vulnerable. However, so is pretty much every other web application out there that allows you to upload images. I have a fix, but I'm not sure I want to release 1.2.10 just yet. If you guys are ok with it, I can package it up and release it tomorrow. I have a few other fixes in store as well.

"Programming is like sex: one mistake and you have to support it for the rest of your life."


Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Rickard: I'm sorry, but what is it you'll be releasing today? Just a fix or 1.2.10?

I want to know since I'm about to make a fresh install, and if you're just about to release 1.2.10 I might as well wait a day or two.

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

I don't think I'll be releasing anything today. I was kind of asking you guys what you wanted me to do. If anything, it will be 1.2.10.

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

If there is a serious security breach, then yes an update is needed.

Re: BBCode [IMG] [/IMG ] Tag Vulnerability

Jérémie wrote:

If there is a serious security breach, then yes an update is needed.

Well, it's semi-serious :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."