Thijs Kinkhorst
2006-Dec-19 01:42 UTC
[Secure-testing-team] Re: Bug#402140: SA23283: phpbb2: privmsg.php Cross-Site Request Forgery and Cross-Site Scripting
On Fri, 2006-12-08 at 17:55 +0100, Thijs Kinkhorst wrote:
> On Fri, 2006-12-08 at 10:02 -0300, Alex de Oliveira Silva wrote:
> > 1) The application allows users to send messages via HTTP requests
> > without performing any validity checks to verify the request. This can
> > be exploited to send messages to arbitrary users by e.g. tricking a
> > target user into visiting a malicious website.
> >
> > 2) Input passed to the form field "Message body" in privmsg.php is not
> > properly sanitised before it is returned to the user when sending
> > messages to a non-existent user. This can be exploited to execute
> > arbitrary HTML and script code in a user's browser session in context
> > of an affected site.
>
> Thank you for your report. I will wait a small bit to see whether and
> how upstream responds to this.

Upstream CVS commits suggest that a new release is in preparation, but it's not quite there yet. Concerning the two vulnerabilities:

The second one (CVE-2006-6421) is simple XSS and the patch is trivial. I've extracted it from upstream and applied it in our package repository. Consider it "pending".

Sarge is NOT vulnerable to this item; please mark it as such. Thanks.

The first one (CVE-2006-6508) seems to concern cross site request forgery. Here I need help from the security team: is XSRF actually something we're fixing in security updates? The patch will be quite invasive for that, touching many files, and I seriously doubt whether any XSRF is adequately fixable at all.

For unstable and testing, I'm tempted to wait a little bit to see what upstream releases (they are not that communicative about it). If it contains only security-related changes, I prefer to upload that to sid+etch, including the xsrf "fix", just to take the extra precaution. If not, I can easily upload only the xss-fix.

Regarding sarge: I'd like to hear the security team's opinion on XSRF and whether it must be fixed.
Thijs
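For readers of this thread: the CSRF item (CVE-2006-6508) is the kind of flaw the maintainer above doubts is "adequately fixable", but the standard mitigation is a synchronizer token, a per-session secret embedded in the legitimate form and verified before any state-changing action. The block below is an added illustration of that check for a "send private message" handler; it is not phpBB's code and not the upstream patch being discussed. It uses PHP 7+ functions (`random_bytes`, `hash_equals`), takes the session and POST data as plain arrays so it runs from the CLI without a web server, and the function names `csrf_token`, `csrf_field`, `csrf_check` and `handle_send` are invented for the example.

```php
<?php
// Added example: synchronizer-token CSRF protection for a form such as
// privmsg.php's "send message" action. Illustrative only; not phpBB code.
declare(strict_types=1);

// Issue a per-session anti-forgery token, creating it on first use.
// $session is passed by reference so the same array can stand in for $_SESSION.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Render the hidden field the legitimate form carries. A cross-site page
// cannot read it (same-origin policy), so a forged POST lacks the right value.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate an incoming request. Returns true only for a POST that carries
// the session's token; hash_equals() is a constant-time comparison.
function csrf_check(array $session, array $post, string $method): bool
{
    if ($method !== 'POST') {
        return false;           // state-changing actions must never be GET
    }
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Hypothetical send-message handler: the token check runs before any work.
function handle_send(array &$session, array $post, string $method): string
{
    if (!csrf_check($session, $post, $method)) {
        return 'rejected: invalid or missing form token';
    }
    // Escape the recipient name before it is echoed back (the separate XSS
    // item in this thread, CVE-2006-6421, was an unescaped reflection).
    $to = htmlspecialchars((string) ($post['username'] ?? ''), ENT_QUOTES, 'UTF-8');
    return "sent to {$to}";
}

// Constructed demonstration (no real HTTP traffic).
$session = [];                       // stands in for $_SESSION
$form    = csrf_field($session);     // what the legitimate page would embed
echo $form, "\n";

// 1. Forged request from a malicious site: no token at all.
echo handle_send($session, ['username' => 'victim', 'message' => 'hi'], 'POST'), "\n";
// 2. Forged request guessing a token.
echo handle_send($session, ['username' => 'victim', 'csrf_token' => 'deadbeef'], 'POST'), "\n";
// 3. Forged request via GET with the right token (still refused).
echo handle_send($session, ['username' => 'victim', 'csrf_token' => $session['csrf_token']], 'GET'), "\n";
// 4. Legitimate submission carrying the token from the rendered form.
echo handle_send($session, ['username' => 'victim', 'csrf_token' => $session['csrf_token']], 'POST'), "\n";
```

The reason such a fix "touches many files", as the maintainer notes, is that every state-changing form and every handler must be updated to emit and verify the token; the check itself is small. The token must also be regenerated on login (otherwise a session-fixation attacker could know it in advance), and it does not help if the site already has an XSS flaw, since script running in the page can read the hidden field, which is why the two items in this advisory are best fixed together.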
Stefan Fritsch
2006-Dec-19 21:26 UTC
[Secure-testing-team] Re: Bug#402140: SA23283: phpbb2: privmsg.php Cross-Site Request Forgery and Cross-Site Scripting
On Tuesday 19 December 2006 01:23, Thijs Kinkhorst wrote:
> The second one (CVE-2006-6421) is simple XSS and the patch is
> trivial. I've extracted it from upstream and applied it in our
> package repository. Consider it "pending".
>
> Sarge is NOT vulnerable to this item; please mark it as such.
> Thanks.

Done.

Cheers,
Stefan