BBpress XSS vulnerability

I was wrong about BBpress not having a single vulnerability during May 2006 - May 2007. Now it has one.
As Ory Segal pointed out in his comment on the forum vulnerabilities post, the BBpress authentication page (bb-login.php) is home to an XSS vulnerability. A few days ago we had an interesting conversation on this topic, and I'll post the conclusions here.
Ory Segal:
It’s rather simple, and seems to be working on the installation I have here in front of me:
GET /bb-login.php?re="><script>alert(1);</script> HTTP/1.0
Host: www.some.site
Referer: http://www.some.site/
The tricky part here is that the Referer header needs to point to http://www.some.site/ - or any other path which belongs to the host on which BBPress is installed.
If the Referer is anything but this, it'll disregard the value of the "re" parameter - this can be seen in the code at:
if ( 0 !== strpos( $re, bb_get_option( 'uri' ) ) )
    $re = $ref . $re;
Now, one might argue if this is exploitable, since you can’t fully control the HTTP Referer header, but there are several ways around this:
1) You locate a script on BBPress which forces a redirection, and then use it as the launch pad for the attack - I haven’t validated if such a script exists
2) You use some other technique, which allows you to control the HTTP Referer header, for example: http://www.cgisecurity.com/lib/XmlHTTPRequest.shtml , or http://www.webappsec.org/lists/websecurity/archive/2006-07/msg00069.html
Indeed, the referral parameter ($re) is not sanitized properly, and it is passed straight to the page template:
bb_load_template( 'login.php', array( 're', 'user_exists', 'user_login', 'redirect_to', 'ref' ) );
The login.php template simply echoes the value of $re into a hidden input, without any escaping:
<td><input name="re" type="hidden" value="<?php echo $re; ?>" />
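The following is an added illustration, not code from the bbPress project or from this post: it puts the vulnerable pattern described above (same-site check on $re, then a raw echo into the hidden field) next to a hardened version that both restricts $re to a same-site target and escapes it on output. The function names vulnerable_hidden_re, safe_redirect_target and render_hidden_re are made up for this example; in bbPress the site URI would come from bb_get_option('uri'), here it is passed in as a plain string.

```php
<?php
// Added example, not bbPress code. Shows why the Referer-based check on $re is
// not a defence against reflected XSS, and what a real fix looks like.

// Constructed sample: the forum lives at this base URI (bb_get_option('uri') in bbPress).
// The trailing slash matters: it stops "http://www.some.site.evil.example/" from passing.
$site_uri = 'http://www.some.site/';

// --- Vulnerable shape, as the post describes it ---
// If $re does not start with the site URI the Referer is prepended, and whatever
// results is echoed unescaped into an HTML attribute. An attacker who controls
// both the query string and the Referer gets their payload into the page verbatim.
function vulnerable_hidden_re($re, $ref, $site_uri) {
    if (0 !== strpos($re, $site_uri)) {
        $re = $ref . $re;
    }
    // Raw echo: a value like "><script>alert(1);</script> closes the attribute.
    return '<input name="re" type="hidden" value="' . $re . '" />';
}

// --- Hardened shape ---
// 1. Treat $re as what it is, a redirect target, and only accept same-site targets.
//    This does not rely on the Referer header at all, since the client controls it.
function safe_redirect_target($re, $site_uri) {
    $re = (string) $re;
    if ($re === '') {
        return $site_uri;
    }
    if (0 === strpos($re, $site_uri)) {
        return $re;                       // absolute URL under the site
    }
    // Any other scheme ("http://evil.example/", "javascript:") or a protocol-relative
    // "//evil.example/" would leave the site: fall back to the site root.
    if (preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $re) || 0 === strpos($re, '//')) {
        return $site_uri;
    }
    return $site_uri . ltrim($re, '/');   // relative path, anchored to the site
}

// 2. Escape on output regardless of what validation did, so the value can never
//    break out of the attribute. ENT_QUOTES also escapes the double quote that the
//    payload in the post relies on.
function render_hidden_re($re) {
    return '<input name="re" type="hidden" value="'
        . htmlspecialchars($re, ENT_QUOTES, 'UTF-8') . '" />';
}

// Constructed request from the post: re="><script>alert(1);</script> with a same-site Referer.
$attacker_re = '"><script>alert(1);</script>';
$ref = $site_uri;

echo "Vulnerable:\n", vulnerable_hidden_re($attacker_re, $ref, $site_uri), "\n\n";
echo "Hardened:\n", render_hidden_re(safe_redirect_target($attacker_re, $site_uri)), "\n";
```

Run it with php from the command line. The vulnerable output contains a closed attribute followed by a live script tag; the hardened output still carries the attacker's string, but only as `&quot;&gt;&lt;script&gt;...` inside the attribute, which the browser renders as text. Output escaping is the part that actually closes the XSS; the same-site check is there so the login form cannot be used to bounce users off-site afterwards.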
So basically Ory was right, and I have updated the Top 10 Open Source Forums - 12 Months of Vulnerabilities post.
This entry was posted on Thursday, June 7th, 2007 and is filed under Vulnerabilities, Web Applications.
June 10th, 2007 04:58
http://blog.watchfire.com/wfblog/2007/06/a_few_blurbs.html
June 11th, 2007 04:03
Still, the fact that they are doing referer checking somewhat mitigates the attack. Sure, there’s a couple of hacks around it, but generally speaking it makes actually implementing this attack in the wild much more difficult than it would have otherwise. Defense in depth, right?
June 11th, 2007 06:03
@Jordan
Yes, the referral check was the big show stopper for a 0-day announcement.
However, validating the $re variable takes only one line of code, just like it's done with the user login:
$user_login = user_sanitize( @$_POST['user_login'] );
June 20th, 2007 18:52
This has been fixed in version 0.8.2.1 of bbPress.
Back to zero vulnerabilities.