Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB
From: "Alberto Trivero" <trivero@xxxxxxxx>
Date: Thu, 24 Mar 2005 01:14:23 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

*********************************************************************
* CODEBUG Labs
* Advisory #8
* Title: Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: Topic Calendar 1.0.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*********************************************************************


--) Software Page (www.phpbb.com/phpBB/viewtopic.php?t=150857)

Topic Calendar is a quite widespread MOD for phpBB all version that will add
a calendar
to the board, using topics as event. The authorizations are managed at
forums, groups
and users level, as the standard phpBB auths.


--) Full Path Disclosure

If phpBB is running on a Microsoft IIS Server, it's possible to obtain the
full path by
sending simples requests like these:

   http://www.example.com/phpbb/calendar_scheduler.php%5C
   http://www.example.com/phpbb/calendar_scheduler.php?d=-1

Note that these requests doesn't works under the others webservers like
Apache.


--) Cross-Site Scripting (XSS)

Let's look at code from calendar_scheduler.php at line 82:

   <?
   ...
   if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
   {
     $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] :
$HTTP_GET_VARS['start'];
   }
   ...
   ?>

and at line 375:

   <?
   ...
   $s_hidden_fields .= '<input type="hidden" name="start" value="' . $start
. '" />';
   ...
   ?>

$start is a variable that can be controlled by a remote user, and, as we can
see, there
isn't any control on she, so anyone con inject some HTML code like:

   "><script>alert(document.cookie)</script>

that will change the HTML line in:

   <input type="hidden" name="start"
value=""><script>alert(document.cookie)</script>" />

executing the <script>...</script> tag that show, in this case, the cookies.
This is the complete URL:


http://www.example.com/phpbb/calendar_scheduler.php?start=%22%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E


--) Patch

To fix the XSS bug we can use the function intval() at line 85 of
calendar_scheduler.php:

   <?
   ...
   if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
   {
     $start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] :
$HTTP_GET_VARS['start'];
     $start = intval($start)
   }
   ...
   ?>



*********************************************************************
        http://www.codebug.org/
*********************************************************************

Prev by Date: RE: Details of Sybase ASE bugs withheld
Next by Date: Black Hat Briefings & Trainings: Registration now open!
Previous by thread: [SECURITYREASON.COM] phpSysInfo 2.3 Multiple vulnerabilities cXIb8O3.11
Next by thread: Hashcash in mail (was: New Whitepaper: Anti Brute Force Resource Metering)
Index(es):
- Date
- Thread