Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-16869

Bots can add unlimited topic watches due to incorrect checks

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Minor
    • Resolution: Unresolved
    • 3.2.11, 3.3.4
    • None
    • Notification System
    • None

    Description

      This will not happen in a default installation of phpBB, but only because the prosilver template guards emitting the U_WATCH_TOPIC link with a not S_IS_BOT check, which is not an adequate safeguard and only masks the actual bug. A template without that check will leak functioning watch topic links to bots.

      This happens because the check in watch_topic_forum to stop unregistered users from adding watches is $user_id != ANONYMOUS, but the check in viewtopic.php and viewforum.php to populate the notify_status field that gets passed to watch_topic_forum is (correctly) $user->data['is_registered'], which excludes bot accounts.

      A cool thing about this bug is that since (1) there is no unique key constraint on the (topic_id, user_id) tuple the database for TOPICS_WATCH_TABLE, (2) link hashes have no time- or nonce-component to prevent replaying the same operation, and (3) watching topics violates HTTP spec by using a GET operation for a non-nullipotent operation, once a spider gets ahold of a watch topic link, it will keep periodically re-checking these URLs for updates, and each time this will add a fresh entry to the watch table.

      Attachments

        Activity

          People

            Unassigned Unassigned
            Snover Snover
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated: