phpBB v3.0.8


The developers of the forum software phpBB have released a critical update that fixes numerous issues, including a vulnerability in the CAPTCHA implementation. The most important part of the update, however, is a fix for an XSS vulnerability on boards that allow Flash to be embedded using BBCode.

On WebKit-based browsers such as Safari or Chrome, as well as Opera, the Flash BBCode can be used to execute JavaScript, resulting in a cross-site scripting vulnerability.

For 3.0.7 users, the fix the developers detail is to go to line 354 of includes/message_parser.php and add the following code:

$in = str_replace(' ', '%20', $in);

// Make sure $in is a URL.
if (!preg_match('#^' . get_preg_expression('url') . '$#i', $in) &&
    !preg_match('#^' . get_preg_expression('www_url') . '$#i', $in))
{
    return '[flash=' . $width . ',' . $height . ']' . $in . '[/flash]';
}

immediately before:

// Apply the same size checks on flash files as on images

This fix is not retroactive, so owners of phpBB forums will need to scan previous posts for any that may be affected. To help with this task, the developers have provided a script that you upload to your server; when run, it displays the affected posts.
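
The same whole-string URL check can be applied to posts that are already stored, shown here as an added example (it is not phpBB code and not the script the developers provide). URL_PATTERN is a simplified stand-in for get_preg_expression('url') and get_preg_expression('www_url'); the function names, the optional ":uid" tag suffix and the sample posts are assumptions made for illustration.

```php
<?php
// Added example, not phpBB code. URL_PATTERN is a simplified stand-in for
// phpBB's 'url' / 'www_url' expressions; the real ones are stricter.
const URL_PATTERN = '#^(?:(?:https?|ftp)://|www\.)[a-z0-9.-]+(?::\d+)?(?:/[^\s"\'<>]*)?$#i';

// Mirror of the patched check: encode spaces, then require a whole-string URL match.
function flash_target_is_url(string $in): bool
{
    $in = str_replace(' ', '%20', $in);
    return preg_match(URL_PATTERN, $in) === 1;
}

// Return the [flash] targets in one stored post that fail the URL check.
// The optional ":uid" suffix on the tags is an assumption about the stored format.
function find_suspect_flash_tags(string $postText): array
{
    $tag = '#\[flash=\d+,\d+(?::[a-z0-9]+)?\](.*?)\[/flash(?::[a-z0-9]+)?\]#is';
    preg_match_all($tag, $postText, $matches);

    $suspect = [];
    foreach ($matches[1] as $target) {
        if (!flash_target_is_url(trim($target))) {
            $suspect[] = $target;
        }
    }
    return $suspect;
}

// Constructed sample rows (post_id => post_text), not real forum data.
$posts = [
    101 => 'Intro [flash=320,240:abc123]http://media.example.com/clip.swf[/flash:abc123]',
    102 => '[flash=320,240:abc123]placeholder-that-is-not-a-url[/flash:abc123]',
    103 => 'No flash here, just [b:abc123]bold[/b:abc123] text.',
    104 => '[flash=100,100]www.example.org/my movie.swf[/flash]',
];

foreach ($posts as $id => $text) {
    foreach (find_suspect_flash_tags($text) as $target) {
        // Escape before printing in case the report is viewed in a browser.
        echo "post $id: flash target needs review: "
            . htmlspecialchars($target, ENT_QUOTES, 'UTF-8') . "\n";
    }
}
```

With the constructed rows above, only post 102 is reported; a real scan would read post_text from the board's database and should use phpBB's own URL expressions rather than the stand-in pattern.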
