Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9903

Execute javascript in [flash=] BBCode

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.7-PL1, 3.0.8-RC1
    • Fix Version/s: 3.0.8
    • Component/s: Posting
    • Labels:
      None

      Description

      You can execute javascript by posting it into the flash-bbcode.
      Example:

      [flash=1,1]javascript:alert(/Guess what?/);[/flash]

      For more details see:

      https://forum.antichat.ru/showpost.php?p=1775767

        Activity

        Hide
        Oleg Oleg [X] (Inactive) added a comment -

        This ticket is linked to from changelog, can we make it public?

        Also what is the exact scope of this vulnerability? Is flash bbcode available by default?

        Show
        Oleg Oleg [X] (Inactive) added a comment - This ticket is linked to from changelog, can we make it public? Also what is the exact scope of this vulnerability? Is flash bbcode available by default?
        Hide
        igorw Igor Wiedler [X] (Inactive) added a comment -

        Yes, it is enabled by default; and yes, imo we should make it public.

        Show
        igorw Igor Wiedler [X] (Inactive) added a comment - Yes, it is enabled by default; and yes, imo we should make it public.
        Hide
        nickvergessen Joas Schilling added a comment -

        Well it is activated by default, but permissions for "Limited Access" and "Standard Access" do not allow using it. So it's kind of only activated for Moderators and Administrators by default.

        Show
        nickvergessen Joas Schilling added a comment - Well it is activated by default, but permissions for "Limited Access" and "Standard Access" do not allow using it. So it's kind of only activated for Moderators and Administrators by default.
        Hide
        bantu Andreas Fischer added a comment -

        Made public. Why does this not have an assignee?

        Show
        bantu Andreas Fischer added a comment - Made public. Why does this not have an assignee?
        Hide
        Oleg Oleg [X] (Inactive) added a comment -

        So then the vulnerability can only be exploited by moderators or admins in a default install, am I understanding it correctly?

        Show
        Oleg Oleg [X] (Inactive) added a comment - So then the vulnerability can only be exploited by moderators or admins in a default install, am I understanding it correctly?
        Hide
        bantu Andreas Fischer added a comment -

        Yes, I think so.

        Show
        bantu Andreas Fischer added a comment - Yes, I think so.
        Hide
        brunoais brunoais added a comment -

        The BBCode tag was not executed for the given code. It posted as literal text.

        Show
        brunoais brunoais added a comment - The BBCode tag was not executed for the given code. It posted as literal text.

          People

          • Assignee:
            naderman Nils Adermann
            Reporter:
            nickvergessen Joas Schilling
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development