[Secure-testing-team] Re: Bug#402140: SA23283: phpbb2: privmsg.php Cross-Site Request Forgery and Cross-Site Scripting

Thijs Kinkhorst thijs at debian.org
Tue Dec 19 01:23:26 CET 2006


On Fri, 2006-12-08 at 17:55 +0100, Thijs Kinkhorst wrote:
> On Fri, 2006-12-08 at 10:02 -0300, Alex de Oliveira Silva wrote:
> > 1) The application allows users to send messages via HTTP requests
> > without performing any validity checks to verify the request. This can
> > be exploited to send messages to arbitrary users by e.g. tricking a
> > target user into visiting a malicious website.
> > 
> > 2) Input passed to the form field "Message body" in privmsg.php is not
> > properly sanitised before it is returned to the user when sending
> > messages to a non-existent user. This can be exploited to execute
> > arbitrary HTML and script code in a user's browser session in context
> > of an affected site.
> 
> Thank you for your report. I will wait a small bit to see whether and
> how upstream responds to this.

Upstream CVS commits suggest that a new release is in preparation, but
it's not quite there yet.

Concerning the two vulnerabilities:

The second one (CVE-2006-6421) is simple XSS and the patch is trivial.
I've extracted it from upstream and applied it in our package
repository. Consider it "pending".

Sarge is NOT vulnerable to this item; please mark it as such. Thanks.

The first one (CVE-2006-6508) seems to concern cross-site request
forgery. Here I need help from the security team: is XSRF actually
something we're fixing in security updates? The patch will be quite
invasive for that, touching many files, and I seriously doubt whether
any XSRF is adequately fixable at all.

For unstable and testing, I'm tempted to wait a little bit to see what
upstream releases (they are not that communicative about it). If it
contains only security-related changes, I prefer to upload that to sid
+etch, including the xsrf "fix", just to take the extra precaution. If
not, I can easily upload only the xss-fix.

Regarding sarge: I'd like to hear the security team's opinion on XSRF
and whether it must be fixed.


Thijs
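The two fixes under discussion, as an added illustration that is not phpBB's code nor the patch Thijs refers to: a synchronizer token that a forged cross-site POST cannot supply, and output escaping for the message body when it is echoed back for an unknown recipient. The function names, the session array, and the sample inputs are assumptions made for this example.

```php
<?php
// Added example, not phpBB code: a CSRF synchronizer token plus output
// escaping for a reflected form field. Names and inputs are constructed.

declare(strict_types=1);

// Issue one random token per session and keep it server-side.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the token submitted with the form against the stored one in
// constant time; absent or mismatched tokens fail.
function csrf_token_is_valid(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Escape untrusted text before it is placed into an HTML response.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Handle a "send private message" POST: refuse requests without a valid
// token, and escape the body when it is reflected in the error page.
function handle_send_pm(array $session, array $post, array $known_users): string
{
    if (!csrf_token_is_valid($session, $post['csrf_token'] ?? null)) {
        return 'Rejected: missing or invalid request token.';
    }
    $recipient = $post['username'] ?? '';
    $body      = $post['message'] ?? '';
    if (!in_array($recipient, $known_users, true)) {
        // Reflecting the submitted body is where the advisory's XSS lived;
        // escaping makes the reflected copy inert markup.
        return 'No such user. Your message was: ' . escape_html($body);
    }
    return 'Message queued for ' . escape_html($recipient);
}

// Constructed sample session, user list and requests (not real data).
$session = [];
$token   = issue_csrf_token($session);
$users   = ['alice', 'bob'];

// 1) A POST arriving without the token (what a third-party page could
//    induce a logged-in browser to send) is refused.
echo handle_send_pm($session, ['username' => 'alice', 'message' => 'hi'], $users), PHP_EOL;

// 2) A legitimate form post carries the token; an unknown recipient and a
//    body containing markup are echoed back escaped rather than rendered.
$body = '<b>hello</b><script>alert(1)</script>';
echo handle_send_pm(
    $session,
    ['csrf_token' => $token, 'username' => 'mallory', 'message' => $body],
    $users
), PHP_EOL;
```

Run with `php example.php`: the first call prints the rejection line, the second prints the "No such user" line with `&lt;b&gt;` and `&lt;script&gt;` in place of the raw tags. The token check is the part Thijs calls invasive: every state-changing form and its handler has to emit and verify the token, which is why the upstream patch touches many files, whereas the escaping fix is a one-line change at the reflection point.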