phpBB3 / PHPBB3-10047

Session ID always included in URL on posting.php

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.0.9-RC1
    • Component/s: Sessions
    • Labels:
      None
    • Environment:
      PHP: 5.2.3, MySQL: 5.0.45
      OS: Win 7, Browser: Firefox

      Description

      By this serious bug the attacker can steal the sid of the victim, by checking the referer URL.
      In popular topics, the number of victims may be hundreds!!!
      How to do it??!
      As we can see in the attached image file, the sid appears in the URL in many places, after actions like browsing the post before sending it, or browsing the PMs.

      Then if you posted a URL such as: anysite/anything/image.php that returns an IMAGE that should be viewed in the post, but before the request has finished, the image.php file will check and store the REFERER URL of the member who clicked the BROWSE button, which contains the SID!!

      EX:
      Try to post an image via bbcode: [img]yoursite/image.php[/img] where image.php does what I mentioned above.

      Every member who clicks the Browse button before posting will see the previous posts loaded below the posting form, and so the post that contains our file "image.php" will be loaded too, and then a request to "image.php" will be made, and the referer that contains the SID is sent with the request too.
      I call this BUG "O-C-K" or One Click Kill..

      Thanks a lot...
      BlzOfHK
      Bye..

      Attachments:
      • O-C-K.rar (70 kB, blzofhk)
      • OCK.png (74 kB)

        Activity

        bantu Andreas Fischer added a comment -

        You seem to be missing a few things here.
        a) In phpBB the session id is tied to an IP address, or at least an IP address range.
        b) When cookies are on (which is mostly the case), the session id is not appended to the GET request.
        c) If you fear information disclosure to third parties, you can disable loading objects from foreign sites, etc.

        bantu Andreas Fischer added a comment -

        Attached content of O-C-K.rar. No need to use a container, especially not RAR.

        blzofhk blzofhk added a comment -

        Thank you for your reply ..

        "a) In phpBB the session id is tied to an IP address, or at least an IP address range." .. I see, but not every forum will use IP validation.

        "b) When cookies are on (which is mostly the case), the session id is not appended to the GET request."
        ... mmmm, no! In previous versions the sid is contained in the URL even if cookies are enabled.

        Bye .....

        bantu Andreas Fischer added a comment -

        I can confirm that the SID is included in the request made to posting.php when previewing a post.

        blzofhk blzofhk added a comment -

        "I can confirm that the SID is included in the request made to posting.php when previewing a post"

        So I guess it is a serious problem.

        ...

        rxu Ruslan Uzdenov added a comment -

        Actually you don't even need a special script. By posting a URL which links to an invalid location on your server, you're able to get the referrers via the server error log.

        blzofhk blzofhk added a comment -

        "Actually you don't even need some special script. By putting URL which links to any invalid location on your server you're able to get referrers via server error log"

        No!
        I need a special script to return an image (via PHP GD), to make it un-doubtful.

        Session ID is included when previewing PMs too .. (_)

        salaaaaam ..

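The leak discussed in this issue (a sid carried in posting.php and ucp.php URLs, which the browser then copies into the Referer header of every request for an image embedded in the previewed page) leaves a trace in the board's own web server access log: a request for a local static resource whose Referer contains a sid= parameter shows that the same header is reaching foreign image hosts. The script below is an added example, not part of the issue or of phpBB's own code; it scans combined-format log lines for sids in request URLs and in Referer headers. The host name, addresses and session ids in SAMPLE_LOG are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache/nginx "combined" log format. Host, addresses and
# session ids are made up for this example; they are not taken from the issue.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2011:12:00:01 +0000] "GET /forum/posting.php?mode=reply&f=2&t=15&sid=0123456789abcdef0123456789abcdef HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2011:12:00:02 +0000] "GET /forum/images/smilies/icon_e_smile.gif HTTP/1.1" 200 512 "http://forum.example/forum/posting.php?mode=reply&f=2&t=15&sid=0123456789abcdef0123456789abcdef" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2011:12:00:03 +0000] "GET /forum/viewtopic.php?f=2&t=15 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2011:12:00:04 +0000] "GET /forum/ucp.php?i=pm&mode=compose&sid=fedcba9876543210fedcba9876543210 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# One "combined" log line: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def sid_in_url(url):
    """Return the value of a 'sid' query parameter in url, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("sid")
    return values[0] if values else None


def redact(sid):
    """Keep a short prefix only, so the report itself does not reproduce usable session ids."""
    return sid[:6] + "..."


def scan_log(text):
    """Flag lines where a sid travels in the request URL, and lines where a Referer
    carrying a sid arrived with a request for an embedded resource (the signal that
    the same header is being sent to third-party image hosts)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        target, referer = m.group("target"), m.group("referer")
        sid = sid_in_url(target)
        if sid:
            findings.append({"line": lineno, "kind": "sid_in_request_url", "ip": m.group("ip"),
                             "script": urlsplit(target).path, "sid": redact(sid)})
        sid = sid_in_url(referer) if referer != "-" else None
        if sid:
            findings.append({"line": lineno, "kind": "sid_in_referer", "ip": m.group("ip"),
                             "script": urlsplit(target).path,
                             "leaked_from": urlsplit(referer).path, "sid": redact(sid)})
    return findings


def summarize(findings):
    """Count findings per kind and list which scripts emitted sid-bearing URLs."""
    counts = {}
    scripts = set()
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
        scripts.add(f.get("leaked_from", f["script"]))
    return {"counts": counts, "scripts": sorted(scripts)}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

Session ids are truncated before they are reported, so the scan output can be shared without becoming a second copy of the leaked values. The "sid_in_referer" findings are the useful ones for confirming the issue on a live board: they show which page (here posting.php) put the sid into a URL that the browser then forwarded, and the same Referer goes to any off-site image referenced in a previewed post.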

          People

          • Assignee: bantu Andreas Fischer
          • Reporter: blzofhk blzofhk
          • Votes: 0
          • Watchers: 1
