Topic: BBCode [IMG] [/IMG ] Tag Vulnerability
See this message: http://lists.grok.org.uk/pipermail/full … 36348.html
Question: Is there any vulnerability in PunBB's BBcode ?
Like me: don't activate the IMG sig. I think PunBB does not have this problem (phpBB is a wormhole).
Rod: its nothing to do with signatures its just [img] tags, surely browsers won't execute image files as html
Anyway, people still use phpBB; it's their problem (about security).
I just tested this with my local PunBB installation, and it's certainly possible to e.g. log a user out just by naming a folder something like "test.jpg" and then adding an index file that logs you out.
It probably can't do much harm though, but here's a little fix that takes care of the problem permanently. I don't know if it'll work on every server, but it works very well on mine.
Here's how to do it.
Open includes/parser.php
Find, around line 293:
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
After, add:
	if (@getimagesize($url) === false)	// Not something PHP recognises as an image, so show the warning image instead
		$url = 'img/warning.png';
Just upload a warning image named "warning.png" to your img folder.
This tweak just checks if PHP can read the images filesize. If it can't, well, then it's not an image and should not be allowed.
I think this is potentially more serious than it looks.
Any URL called will be identified by the cookie of the current user.
What if the current user has admin status? And the URL does something there?
Well, it's still a theory, but there will always be an asshole finding a leak there.
So I guess CodeXP's workaround is something everybody should use.
It will not work on systems where file handling of URLs is disabled, but then: no pictures is still better than no database.
Btw, I tried to hack myself with that method and it didn't work.
bouhh bouhhh very bad self hacker !
Try creating a directory in your PunBB forum folder named something like "test.jpg", then create a index.php file with the following content:
<?php
header("Location: http://<yourdomain.com>/login.php?action=out&id=<your punbb userid>");
exit;
?>
Then try posting it & refresh the page
No.
That's no real exploit.
I mean for this you need access to the board folder AND you have to know your userid.
This is not possible for people from the outside.
What I was trying was to do that from a remote folder on another machine and without the userid.
If this is not possible at all then we don't have a leak
Your version is more like going to my board directory in the shell and type
# rm -Rf ./*
It doesn't prove that the board is insecure...
Oh, and about my previous method: it works very well provided you can use it, but it will slow things down a bit if there are a lot of images in a post (after all, it will have to check each of them).
Here's a better method that adds the benefit of caching remote images for as long as you want.
1. Open includes/parser.php
2. Find, around line 282 (the line number in my previous post was wrong):
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
global $lang_common, $pun_config, $pun_user;
3. Replace with:
//
// Turns an URL from the [img] tag into an <img> tag or a <a href...> tag
//
function handle_img_tag($url, $is_signature = false)
{
	global $lang_common, $pun_config, $pun_user;

	$replace = array('%20', ' ');	// We don't want spaces in our filenames
	$file = basename(str_replace($replace, '_', $url));	// Remote filename, excluding the path
	$expire = 259200;	// How long (in seconds) to wait before downloading the image again. Defaults to 3 days.
	$hash = md5($url);	// MD5 hash of the URL, so the same file is only cached once
	$cached = 'cache/img/'.$hash.'_'.$file;	// Final name of the local cached copy
	$localfile = $cached.'.tmp';	// Temporary name while downloading (hashed, so two different URLs with the same basename don't collide)

	if (file_exists($cached) && (time() - filemtime($cached) < $expire))
	{
		// Local copy exists and has not expired, so nothing more to do right now
		$url = $cached;
	}
	else
	{
		$remote = @file_get_contents($url);	// Get the contents of the remote file
		if ($remote !== false)
		{
			$fh = @fopen($localfile, 'w');	// Write the temporary copy...
			@fwrite($fh, $remote);
			@fclose($fh);	// ...and close it
			@rename($localfile, $cached);	// The download is complete, so move it into place
		}

		$secure = @getimagesize($cached);	// Check the image dimensions. If we can't find them, it's not an image!
		if ($secure === false)
		{
			@unlink($cached);	// Not an image (or never downloaded), so delete it for security reasons
			$url = 'img/warning.png';	// Show the warning image instead. This covers invalid images and missing ones alike.
		}
		else
		{
			$url = $cached;	// Valid image, so serve the cached copy
		}
	}

	// ... the rest of the original handle_img_tag() body follows unchanged
4. Create the following folder: cache/img & chmod it to 777
5. Create an .htaccess file in above folder with the following content:
<Limit GET POST>
Order Allow,Deny
Allow from All
</Limit>
6. Create a image with your warning text, named warning.png & upload it to your img directory.
7. Save & upload.
This will be a *lot* faster than my previous "fix", seeing as files are cached and only local copies will be checked each X number of days
Edit: Fixed script.
Oh, absolutely not, but better safe than sorry I say
am I want to know how and where to enable [img] in my signatures ?
That's not really related to this topic, but you'll find it in your admin panel, under permissions.
He said [img]. not URL
I think this can be semi-important thing about user uploaded avatars: http://securityfocus.com/archive/1/4143 … 0/threaded
Although it wouldn't work when a user normally views posts, if a person uploads a malicious avatar file and sends a link to it (which looks something like host.com/punbb/avatars...), someone may think it's safe because the image is on the forum's host site and click the link...
surely browsers won't execute image files as html
Unfortunately IE does...
timo
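The getimagesize() check from CodeXP's workaround only parses the image header, so a file that is a valid GIF with HTML appended passes it, and that is the kind of upload IE renders as HTML. The following is an added example, not PunBB's code and not the fix Rickard mentions: it decodes an uploaded avatar with GD and writes a fresh copy, so only pixel data survives. It assumes the GD extension is loaded; the function names and the sample polyglot file are constructed for the demonstration.

```php
<?php
// Added example (not PunBB code): validate an uploaded avatar by decoding it
// with GD and writing a fresh copy, so only pixel data survives. Assumes GD.

// Map getimagesize()'s IMAGETYPE_* value to an allowed extension, else null.
function allowed_image_ext(int $type): ?string
{
    return [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'][$type] ?? null;
}

// Return the path of a re-encoded copy of $src in $dst_dir, or null if rejected.
function sanitize_uploaded_image(string $src, string $dst_dir, string $name): ?string
{
    // getimagesize() parses only the header: a real GIF with HTML appended
    // still passes, which is exactly the case IE's content sniffing renders as HTML.
    $info = @getimagesize($src);
    if ($info === false || ($ext = allowed_image_ext($info[2])) === null) {
        return null;
    }
    // Decode the pixels and throw the original bytes away.
    $img = @imagecreatefromstring((string) file_get_contents($src));
    if ($img === false) {
        return null;
    }
    $dst = rtrim($dst_dir, '/') . '/' . $name . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($img, $dst),
        'jpg' => imagejpeg($img, $dst, 90),
        'png' => imagepng($img, $dst),
    };
    imagedestroy($img);
    return $ok ? $dst : null;
}

// Constructed sample: a valid 1x1 GIF followed by a marker standing in for markup.
function demo_polyglot_is_neutralised(): bool
{
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    $tmp = tempnam(sys_get_temp_dir(), 'av');
    file_put_contents($tmp, $gif . '<html>CONSTRUCTED_MARKER</html>');
    $clean = sanitize_uploaded_image($tmp, sys_get_temp_dir(), 'avatar_demo');
    // The header-only check accepts the polyglot; the re-encoded copy carries no markup.
    return getimagesize($tmp) !== false
        && $clean !== null
        && strpos(file_get_contents($clean), 'CONSTRUCTED_MARKER') === false;
}

echo demo_polyglot_is_neutralised() ? "polyglot neutralised\n" : "check failed\n";
```

Serving the re-encoded copy (rather than the uploaded bytes) is the point; the original file should never be reachable by URL.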
Rickard said he was going to take a look at it
Hm.. nice bag
I have and PunBB is vulnerable. However, so is pretty much every other web application out there that allows you to upload images. I have a fix, but I'm not sure I want to release 1.2.10 just yet. If you guys are ok with it, I can package it up and release it tomorrow. I have a few other fixes in store as well.
Rickard: I'm sorry, but what is it you'll be releasing today? Just a fix or 1.2.10?
I want to know since I'm about to make a fresh install, and if you're just about to release 1.2.10 I might as well wait a day or two.
I don't think I'll be releasing anything today. I was kind of asking you guys what you wanted me to do. If anything, it will be 1.2.10.
If there is a serious security breach, then yes an update is needed.
Well, it's semi-serious