BBpress XSS vulnerability

BBpress vulnerability

I was wrong about BBpress not having a single vulnerability during May 2006 - May 2007. Now it has one.

As Ory Segal pointed out in his comment on the forum vulnerabilities post, the BBpress authentication page (bb-login.php) is home to an XSS vulnerability. A few days ago we had an interesting conversation on this topic, and I'll post the conclusions here.

Ory Segal: 

It’s rather simple, and seems to be working on the installation I have here in front of me:
 
GET /bb-login.php?re="><script>alert(1);</script> HTTP/1.0
Host: www.some.site
Referer: http://www.some.site/
 
The tricky part here is that the Referer header needs to point to http://www.some.site/ - or any other path which belongs to the host on which BBPress is installed.
 
If the Referer is anything but this, it'll disregard the value of the "re" parameter - this can be seen in the code at:
 
if ( 0 !== strpos($re, bb_get_option( 'uri' )) )
    $re = $ref . $re;
Now, one might argue if this is exploitable, since you can’t fully control the HTTP Referer header, but there are several ways around this:
 
1) You locate a script on BBPress which forces a redirection, and then use it as the launch pad for the attack - I haven’t validated if such a script exists
 
2) You use some other technique, which allows you to control the HTTP Referer header, for example: http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml , or http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html

Indeed, the referral parameter ($re) is not sanitized properly, and it is used to render the page template:

bb_load_template( 'login.php', array('re', 'user_exists', 'user_login', 'redirect_to', 'ref') );

The login.php template simply echoes the value of $re, unescaped, into a hidden input:

<td><input name="re" type="hidden" value="<?php echo $re; ?>" />
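As an added example (not BBpress's own code), here is that template line in its unescaped form beside a hardened version that encodes $re for the HTML attribute context, plus a stricter same-site check in place of the strpos() test quoted above; $site_uri stands in for bb_get_option('uri') and the sample values are constructed.

```php
<?php
// Added example, not BBpress code. Demonstrates why the unescaped echo of
// $re is a reflected XSS and how the template and redirect check are fixed.

// Vulnerable rendering: $re lands inside a double-quoted attribute untouched,
// so a value containing a double quote closes the attribute and injects markup.
function render_re_hidden_unsafe(string $re): string
{
    return '<input name="re" type="hidden" value="' . $re . '" />';
}

// Hardened rendering: encode for the attribute context. ENT_QUOTES converts
// both quote styles, so the value can never terminate the attribute.
function render_re_hidden_safe(string $re): string
{
    $encoded = htmlspecialchars($re, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="re" type="hidden" value="' . $encoded . '" />';
}

// Separate concern: only accept a redirect target that stays on this site.
// The post's strpos() prefix test is the same idea; this version also rejects
// scheme-relative targets ("//other.site") and non-http schemes.
// $site_uri is assumed to hold what bb_get_option('uri') returns.
function is_local_redirect(string $re, string $site_uri): bool
{
    // Relative path on this site: must start with exactly one slash.
    if ($re !== '' && $re[0] === '/') {
        return strpos($re, '//') !== 0 && strpos($re, '/\\') !== 0;
    }
    // Absolute URL: scheme and host must match the configured site URI.
    $t = parse_url($re);
    $s = parse_url($site_uri);
    if ($t === false || $s === false
        || !isset($t['scheme'], $t['host'], $s['scheme'], $s['host'])) {
        return false;
    }
    $scheme = strtolower($t['scheme']);
    return in_array($scheme, ['http', 'https'], true)
        && $scheme === strtolower($s['scheme'])
        && strtolower($t['host']) === strtolower($s['host']);
}

// Constructed sample input: the "re" value from the request quoted in the post.
$payload = '"><script>alert(1);</script>';
echo render_re_hidden_unsafe($payload), "\n"; // attribute is closed, markup injected
echo render_re_hidden_safe($payload), "\n";   // quotes and brackets arrive as entities
var_dump(is_local_redirect($payload, 'http://www.some.site/'));
var_dump(is_local_redirect('/forum.php?id=3', 'http://www.some.site/'));
var_dump(is_local_redirect('http://other.site/', 'http://www.some.site/'));
```

The escaping fix is what stops the injection; the redirect check is a separate hardening step, since a same-site Referer does not make the value safe to echo.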

So basically Ory was right :) and I have updated the Top 10 Open Source Forums - 12 Months of Vulnerabilities post.
