phpBB “Allow HTML” Script Insertion Security Issue
We have a new exploit for phpBB. Just when you thought you were safe:
Description:
Maksymilian Arciemowicz has discovered a security issue in phpBB, which can be exploited by malicious people to conduct script insertion attacks.
Input passed in the message body when posting isn’t properly sanitised before being used. This can be exploited to inject arbitrary JavaScript code, which will be executed in a user’s browser session in context of an affected site when the malicious post is viewed.
Example:
H E L O
Successful exploitation requires that “Allow HTML” is enabled (not default setting).
It is also possible to disclose the full path to “admin/admin_disallow.php” by accessing it directly with the “setmodules” parameter set to “1” (requires that “register_globals” is enabled).
The security issue has been confirmed in version 2.0.18. Other versions may also be affected.
Solution:
Set “Allow HTML” to “No”.