BBpress XSS vulnerability

BBpress vulnerability

I was wrong about BBpress not having a single vulnerability during May 2006 – May 2007. Now it has one.

As Ory Segal pointed out in his comment on the forum vulnerabilities post , the BBpress authentication page (bb-login.php) is home of a XSS vulnerability. A few days ago we’ve had an interesting conversation on this topic and I’ll post here the conclusions

Ory Segal: 

It’s rather simple, and seems to be working on the installation I have here in front of me:
 
GET /bb-login.php?re="><script>alert(1);</script> HTTP/1.0
Host: www.some.site
Referer: http://www.some.site/
 
The tricky part here is that the Referer header needs to point to http://www.some.site/ – or any other path which belongs to the host on which BBPress is installed on.
 
If there Referer is anything but this, it’ll disregard ths value of the "re" parameter – this can be seen in the code at:
 
if ( 0 !== strpos($re, bb_get_option( ‘uri’ )) )
$re = $ref . $re;
Now, one might argue if this is exploitable, since you can’t fully control the HTTP Referer header, but there are several ways around this:
 
1) You locate a script on BBPress which forces a redirection, and then use it as the launch pad for the attack – I haven’t validated if such a script exists
 
2) You use some other technique, which allows you to control the HTTP Referer header, for example: http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml , or http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html

Indeed, the refferal parameter ($re) is not sanitized properly and it’s used to render the page template:

bb_load_template( ‘login.php’, array(‘re’, ‘user_exists’, ‘user_login’, ‘redirect_to’, ‘ref’) );

The login.php template simply returns the value of $re as a hidden value : 

<td><input name="re" type="hidden" value="<?php echo $re; ?>" />

So basically Ory was right 🙂 and I have updated the Top 10 Open Source Forums – 12 Months of Vulnerabilities post

 P.S: Read more about  memory cards



Thank you for reading this post. You can now Read Comments (5) or Leave A Trackback. Print This Post Print This Post

5 Responses to “BBpress XSS vulnerability


Subscribe without commenting


Leave a Reply

Note: Any comments are permitted only because the site owner is letting you post, and any comments will be removed for any reason at the absolute discretion of the site owner.

CommentLuv badge