Bugtraq mailing list archives
Re: phpBB 2.0.8a and lower - IP spoofing vulnerability
From: Xin LI <delphij () frontfree net>
Date: Wed, 21 Apr 2004 09:10:55 +0800
On Tue, Apr 20, 2004 at 04:15:48PM +0400, 3APA3A wrote:
> --Monday, April 19, 2004, 4:01:29 AM, you wrote to bugtraq () securityfocus com:
>
> RR> the user's IP address in the common.php script. This issue is caused
> RR> by blind trust of the X-Forwarded-For HTTP header. A remote attacker
>
> This issue is very common for different BBs (for example, Iconboard has the same problem); in addition to IP spoofing it's usually possible to cause cross-site scripting by inserting script into a forged X-Forwarded-For header.
>
> --
The situation turns out to be more serious because phpBB (up to and including 2.0.8a) is affected by another potential resource exhaustion attack, by exploiting the limitation on the sessions table. I have a preliminary patch as follows. It was sent to security () phpbb com a month ago and I received no response from them (also, the description of the vulnerability, of course):

Index: includes/sessions.php =================================================================== RCS file: /cvsroot/phpbb/phpBB2/includes/Attic/sessions.php,v retrieving revision 1.58.2.10 diff -u -r1.58.2.10 sessions.php --- includes/sessions.php 5 Apr 2003 12:04:33 -0000 1.58.2.10 +++ includes/sessions.php 17 Apr 2004 07:48:20 -0000 @@ -147,7 +147,7 @@ $sql = "INSERT INTO " . SESSIONS_TABLE . " (session_id, session_user_id, session_start, session_time, session_ip, session_page, session_logged_in) VALUES ('$session_id', $user_id, $current_time, $current_time, '$user_ip', $page_id, $login)"; - if ( !$db->sql_query($sql) ) + if ( $user_id != ANONYMOUS && !$db->sql_query($sql) ) { message_die(CRITICAL_ERROR, 'Error creating new session', '', __LINE__, __FILE__, $sql); } @@ -380,4 +380,4 @@ return $url; } -?> \ No newline at end of file +?>

The concept here is simple. We do not really need to store sessions for anonymous users. Remote attackers can attack a forum without Wang's patch by exploiting this vulnerability and cause a Denial of Service by fooling the forum into storing many anonymous 'visitors' in the sessions table. This vulnerability does not affect the development version of phpBB.

--
Xin LI <delphij frontfree net> http://www.delphij.net/
See complete headers for GPG key and other information.
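Review bot: in the first hunk the skip for anonymous users is folded into the error-check condition (`if ( $user_id != ANONYMOUS && !$db->sql_query($sql) )`), which relies on short-circuit evaluation and reads as an error test rather than as a deliberate "do not create a row" rule; wrapping the query in an explicit `if ( $user_id != ANONYMOUS )` block with a comment stating the intent would document the change and leave the existing `message_die` handling untouched. The hunk also shows `'$user_ip'` interpolated directly into the INSERT string; since this thread reports that the address is taken from a client-controlled X-Forwarded-For header, registered users' sessions still carry that value into the query, so this patch should be paired with validation of `$user_ip` before it reaches `$sql`.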
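As an added example (not code from this thread or from phpBB), the header-handling fix the quoted posts call for, in PHP: the address is read from X-Forwarded-For only when the request arrived through a proxy the forum operator runs, the rightmost non-proxy hop is used, and every candidate is validated so a script fragment in the header can never be stored or echoed. The `$trusted_proxies` setting and the sample requests are assumptions.

```php
<?php
// Added example, not phpBB's own code. Derive the client IP without
// blindly trusting X-Forwarded-For. $trusted_proxies is an assumed
// configuration value listing the operator's own reverse proxies.
function client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';   // no usable peer address at all
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct connection: the header is attacker-controlled input,
        // so it is ignored entirely (no spoofing, nothing to store).
        return $remote;
    }
    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $remote;
    }
    // Walk from the right: each trusted proxy appends exactly one hop,
    // so the first address that is not one of ours is the real client.
    // The client-supplied left-most entries are never reached.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $hop = $hops[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return $remote; // malformed or script-laden: discard header
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;         // header listed only our own proxies
}

// Constructed requests, not captured traffic.
$proxies = ['10.0.0.5'];
// A direct client forging the header: the header is ignored.
var_dump(client_ip(
    ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'],
    $proxies
));
// Through our proxy, with a forged left-most hop carrying script: the
// proxy-appended hop wins and the script fragment is never used.
var_dump(client_ip(
    ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '<script>, 198.51.100.7'],
    $proxies
));
```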