
Bots can add unlimited topic watches due to incorrect checks

    Details

    • Type: Bug
    • Status: Open (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.2.11, 3.3.4
    • Fix Version/s: None
    • Component/s: Notification System
    • Labels:
      None

      Description

      This will not happen in a default installation of phpBB, but only because the prosilver template guards emitting the U_WATCH_TOPIC link with a not S_IS_BOT check, which is not an adequate safeguard and only masks the actual bug. A template without that check will leak functioning watch topic links to bots.

      This happens because the check in watch_topic_forum to stop unregistered users from adding watches is $user_id != ANONYMOUS, but the check in viewtopic.php and viewforum.php to populate the notify_status field that gets passed to watch_topic_forum is (correctly) $user->data['is_registered'], which excludes bot accounts.

      A cool thing about this bug is that since (1) there is no unique key constraint on the (topic_id, user_id) tuple in the database for TOPICS_WATCH_TABLE, (2) link hashes have no time- or nonce-component to prevent replaying the same operation, and (3) watching topics violates the HTTP spec by using a GET operation for a non-nullipotent operation, once a spider gets ahold of a watch topic link, it will keep periodically re-checking these URLs for updates, and each time this will add a fresh entry to the watch table.
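      As an added illustration (not phpBB's own code), the PHP below models the two guards described above and an idempotent insert over a constructed in-memory stand-in for TOPICS_WATCH_TABLE; the user records, the is_registered field layout and the add_watch helper are assumptions of this model, and ANONYMOUS is phpBB's constant for the guest account.

```php
<?php
// Added illustration, not phpBB's code: a minimal model of the
// watch_topic_forum() guard and of the TOPICS_WATCH_TABLE insert.
// The user records and the in-memory table are constructed samples.
define('ANONYMOUS', 1);

// Buggy guard: a bot account has a user_id != ANONYMOUS, so it passes.
function can_watch_buggy(array $user): bool
{
    return $user['user_id'] != ANONYMOUS;
}

// Corrected guard: use the same predicate viewtopic/viewforum use to
// decide whether to emit the link, which excludes bot accounts.
function can_watch_fixed(array $user): bool
{
    return (bool) $user['is_registered'];
}

// Idempotent insert: with no unique key on (topic_id, user_id), the
// insert itself must check for an existing row so that a replayed
// GET of the same link cannot keep adding duplicate watches.
function add_watch(array &$topics_watch, int $topic_id, int $user_id): bool
{
    foreach ($topics_watch as $row) {
        if ($row['topic_id'] === $topic_id && $row['user_id'] === $user_id) {
            return false; // already watching, nothing inserted
        }
    }
    $topics_watch[] = ['topic_id' => $topic_id, 'user_id' => $user_id, 'notify_status' => 0];
    return true;
}

$users = [
    'guest'  => ['user_id' => ANONYMOUS, 'is_registered' => false],
    'member' => ['user_id' => 42,        'is_registered' => true],
    'bot'    => ['user_id' => 77,        'is_registered' => false], // crawler account
];
foreach ($users as $name => $u) {
    printf("%-6s buggy=%s fixed=%s\n", $name,
        var_export(can_watch_buggy($u), true), var_export(can_watch_fixed($u), true));
}

// Replaying the same watch link several times inserts only one row.
$table = [];
for ($i = 0; $i < 3; $i++) {
    add_watch($table, 5, 42);
}
printf("rows after 3 replays: %d\n", count($table));
```

      The buggy guard admits the bot record while the corrected one rejects it; the idempotent insert keeps the table at a single row no matter how often the crawler re-fetches the link.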

            People

            Assignee:
            Unassigned
            Reporter:
            Snover Snover