phpBB3 issue tracker: PHPBB3-10047

Session ID always included in URL on posting.php

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Sessions
    • Labels:
      None
    • Environment:
      PHP 5.2.3, MySQL 5.0.45
      OS: Windows 7; Browser: Firefox

      Description

      Through this serious bug, the attacker can steal the SID of the victim by checking the referer URL.
      In popular topics, the number of victims may be hundreds!!!
      How to do it??!
      As we can see in the attached image file, the SID appears in the URL in many places, after actions like browsing the post before sending it, or browsing the PMs.

      Then, if you post a URL such as anysite/anything/image.php that returns an IMAGE to be viewed in the post, before the request has finished the image.php file will check and store the REFERER URL of the member who clicked the BROWSE button, and that URL contains the SID!!

      EX:
      Try to post an image via BBCode: [img]yoursite/image.php[/img], where image.php does what I mentioned above.

      Every member who clicks the Browse button before posting will see the previous posts loaded below the posting form, so the post that contains our file "image.php" will be loaded too, and then a request to "image.php" will be made, and the referer that contains the SID is sent with the request.
      I call this bug "O-C-K" or One Click Kill.

      Thanks a lot...
      BlzOfHK
      Bye..
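As an added defender-side check (this is example code, not part of the report above or of phpBB itself), the following Python scans web-server access-log lines in the common "combined" format for requests or Referer headers that still carry phpBB's `sid` query parameter, and strips that parameter from a URL before it is displayed or logged. The log lines are constructed samples, and the host and paths in them are placeholders.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAMS = {"sid"}  # phpBB passes the session id as the "sid" query parameter

# Apache/nginx "combined" log format: ip ident user [time] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def session_params_in(url):
    """Return the names of session-id parameters present in the URL's query string."""
    query = urlsplit(url).query
    return {k for k, _ in parse_qsl(query, keep_blank_values=True) if k in SESSION_PARAMS}

def strip_session_params(url):
    """Drop session-id parameters so the URL is safe to emit as a link or to log."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in SESSION_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))

def find_sid_leaks(log_lines):
    """Flag entries whose request path or Referer carries a session id.

    A sid in the request path means the forum still puts the session id in URLs;
    a sid in the Referer means a browser has already sent that id to whichever
    host served the request.  Returns (ip, where, url) tuples, sid included.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if session_params_in(m["path"]):
            hits.append((m["ip"], "request", m["path"]))
        if m["referer"] != "-" and session_params_in(m["referer"]):
            hits.append((m["ip"], "referer", m["referer"]))
    return hits

# Constructed sample lines (not real traffic): a posting.php request that carries a sid,
# an image fetch whose Referer is that URL, and a clean viewtopic request for contrast.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2011:10:00:01 +0000] "GET /posting.php?mode=reply&f=2&t=5&sid=0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2011:10:00:02 +0000] "GET /image.php HTTP/1.1" 200 410 "http://forum.example/posting.php?mode=reply&f=2&t=5&sid=0123456789abcdef" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2011:10:00:03 +0000] "GET /viewtopic.php?f=2&t=5 HTTP/1.1" 200 8800 "http://forum.example/viewforum.php?f=2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, where, url in find_sid_leaks(SAMPLE_LOG):
        print(ip, where, strip_session_params(url))  # report the hit without echoing the sid
```

Run against a real access log, any "referer" hit shows a session id that has already left the browser in a request header; any "request" hit shows the forum still emitting it in URLs after the fix.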

    People

    • Assignee: bantu (Andreas Fischer)
    • Reporter: blzofhk