[PHPBB3-9903] Execute javascript in [flash=] BBCode

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.0.7-PL1, 3.0.8-RC1
Fix Version/s: 3.0.8
Component/s: Posting
Labels:
None

Fix URL:
https://github.com/phpbb/phpbb3/commit/2831a3a9a97c1ee8b714c8034c64379eff90faa0

Description

You can execute javascript by posting it into the flash-bbcode.
Example:

[flash=1,1]javascript:alert(/Guess what?/);[/flash]

For more details see:

https://forum.antichat.ru/showpost.php?p=1775767

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Oleg [X] (Inactive) added a comment - 05/Apr/12 3:21 AM

This ticket is linked to from changelog, can we make it public?

Also what is the exact scope of this vulnerability? Is flash bbcode available by default?

Show

Oleg [X] (Inactive) added a comment - 05/Apr/12 3:21 AM This ticket is linked to from changelog, can we make it public? Also what is the exact scope of this vulnerability? Is flash bbcode available by default?

Hide

Permalink

Igor Wiedler [X] (Inactive) added a comment - 05/Apr/12 8:15 AM

Yes, it is enabled by default; and yes, imo we should make it public.

Show

Igor Wiedler [X] (Inactive) added a comment - 05/Apr/12 8:15 AM Yes, it is enabled by default; and yes, imo we should make it public.

Hide

Permalink

Joas Schilling added a comment - 05/Apr/12 10:53 AM

Well it is activated by default, but permissions for "Limited Access" and "Standard Access" do not allow using it. So it's kind of only activated for Moderators and Administrators by default.

Show

Joas Schilling added a comment - 05/Apr/12 10:53 AM Well it is activated by default, but permissions for "Limited Access" and "Standard Access" do not allow using it. So it's kind of only activated for Moderators and Administrators by default.

Hide

Permalink

Andreas Fischer added a comment - 05/Apr/12 12:30 PM

Made public. Why does this not have an assignee?

Show

Andreas Fischer added a comment - 05/Apr/12 12:30 PM Made public. Why does this not have an assignee?

Hide

Permalink

Oleg [X] (Inactive) added a comment - 05/Apr/12 2:04 PM

So then the vulnerability can only be exploited by moderators or admins in a default install, am I understanding it correctly?

Show

Oleg [X] (Inactive) added a comment - 05/Apr/12 2:04 PM So then the vulnerability can only be exploited by moderators or admins in a default install, am I understanding it correctly?

Hide

Permalink

Andreas Fischer added a comment - 05/Apr/12 2:14 PM

Yes, I think so.

Show

Andreas Fischer added a comment - 05/Apr/12 2:14 PM Yes, I think so.

Hide

Permalink

brunoais added a comment - 15/Apr/12 1:24 PM

The BBCode tag was not executed for the given code. It posted as literal text.

Show

brunoais added a comment - 15/Apr/12 1:24 PM The BBCode tag was not executed for the given code. It posted as literal text.

People

Assignee:

Nils Adermann

Reporter:

Joas Schilling

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

15/Nov/10 9:38 PM

Updated:

15/Apr/12 1:24 PM

Resolved:

05/Apr/12 2:32 PM

Details

Description

Activity

People

Dates

Development