[bidibooum]

I've be notified for a bug in phpbb forum with the [img.] tag.

is that an update for dragonfly avalaible?

[bigern75]

bidibooum please enter your server specs in your user profile!

[bidibooum]

I use the latest dragonfly cms, and my webhosting is infomaniak.

[alva]

OS/Apache/MySQL/PHP/CPGNuke versions: *

[bidibooum]

I don't know if that correct...

but the informatiosn here are too
imu33.infomaniak.ch/info

[alva]

Many phpbb-issues don't apply to cpgbb. If one does then I'm pretty sure there will be an announcement in the Community Center or the Security Forum.

(To make your specs readily readible and understandable you could use a questionmark (?) for Apache, leave out PERL and switch orders for PHP and MySQL.)

[bidibooum]

:s

[pretzy]

change this

"bidibooum's server specs (Server OS / Apache / MySQL / PHP / CPG-Nuke)
Linux/4.4.2/5.008002/4.1.12/9.0.6.1"

to this

bidibooum's server specs (Server OS / Apache / MySQL / PHP / CPG-Nuke)
Linux/Apache?/4.1.12/4.4.2/9.0.6.1

[bidibooum]

ok thanks.

[bidibooum]

for the exploit here the source.

create a folder 'sig.jpg' on your webserver.
create a index.php page and putt this code in

Code:

<?php header("Location: http://yourwebsite/index.php?name=Your_Account&op=logout" ); exit; ?>

now, go to your website and insert

Code:

[img]http://yourwebsite/sig.jpg[/img] on a forum.

All visitor their visit your post is disconnected.

[alva]

I don't think you will find such code in Dragonfly Forums, or anywhere... Docs/f=url_redirect.html

[bidibooum]

I don't understand you.

[spacebar]

Any ideas on how to fix this?

[DJ Maze]

Fix is easy just remove the img from the post.
Akamu and i did talk about remote validation but this is just nuts.
Let me explain why.

Every submitted data must be split and not only the images but also archives and multimedia like flash needs to be validated.
The issue is that on each "view" request you must validate the remote content.
If we only did this on submit the remote website can always modify the file afterwards.

lets give me an example:

You submit the above mentioned img and the website verifies the image on submit. By checking the first 4 bytes of the content of yourwebsite/sig.jpg.
When verified and the data is submitted the owner of sig.jpg modifies it into a redirect.
The exploit is still there.

Solution:

Check the 4 bytes of the remote file on each "view" request.
The issue here is that your website first has to make a connection to the remote servers to check all remote images.
This will add a massive overhead on very regular visited websites.

Conclusion:

Just ignore this exploit since it will not do any damage anyway because Dragonfly needs the POST method for all important controls. This exploit only provides access to GET annoyancees.

If you are realy scared then just remove the [img] tag from the /includes/nbbcode.php file.
But do keep in mind this will make your website less accessible.

NOTE: this is not only related to the bbcode [img] all other systems and especialy the WYSIWYG are vulnerable for these kinds of attacks.
That's also one of the reasons why the wysiwyg system in Dragonfly is still unsupported and in beta stage.
We know you want wysiwyg in anything, including the News and Content modules, but i hope you now atleast know why only the administration newsletter system supports it.

Reason: the reason why we still support multimedia links is simple. If we removed/disallowed remote data the use and attraction to your website will be lowered to a minimum. For example you have a website about a FPS game or RPG. You need images to show your WOOT level or to show hidden areas or tricks in a game.
If that was gone i know 80% of our users complaints in these forums why we don't support media.

[spacebar]

True. I've spent some time thinking about this as well.

I supose if it got really bad, a confirmation button to click "yes" to logout could be put in.

Also since in my forums you have to be a reg. member to post, I'd quickly ban the IP of anyone who was stupid enough to do this... and the IP is logged for those who submit news... etc.