
CERT Coordination Center

phpBB contains an input validation vulnerability in "includes/bbcode.php"

Vulnerability Note VU#113196

Original Release Date: 2005-05-12 | Last Revised: 2005-05-12

Overview

phpBB fails to sanitize user input, allowing the possible inclusion of active script content in user posts.

Description

phpBB is a widely used Open Source bulletin board package written in PHP.

An input validation issue has been identified that allows a malicious phpBB user to include active script code in a post.

The functions that process user input to generate the HTML making up a user post on the bulletin board fail to prevent the inclusion of active script tags. Version 2.0.15 of phpBB adds code to two functions in "includes/bbcode.php" to blacklist certain active script tags, in an attempt to address this vulnerability. While this may mitigate the vulnerability, blacklisting is in general not an effective countermeasure against malicious user input, because characters can be encoded in many ways.

Impact

Malicious users can post to phpBB bulletin boards and include active script code. For many users the active script code will be executed by their browsers, because active content is enabled by default in many popular browsers.


Note that proof of concept code has been made public. There are also reports of the vulnerability being exploited in order to capture site administrator authentication details, which are then used to perform further attacks unrelated to the phpBB flaw.

Solution

The flaw has been addressed in phpBB 2.0.15. For more information on the patch please see:


http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194

Code has been added to includes/bbcode.php to blacklist certain active script tags, in an attempt to address this vulnerability. In general, blacklisting is not an effective countermeasure against malicious user input, because characters can be encoded in many ways.
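The blacklisting concern raised in the Description and repeated above can be seen by comparing a substring blacklist with an allowlist plus output encoding for a BBCode-style link. This is an added example, not code from phpBB or its 2.0.15 patch; the function names and sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration, not phpBB's code: all function names are hypothetical.

// Blacklist check: reject a URL only if it contains a known-bad substring.
function denylist_allows(string $url): bool {
    foreach (['javascript:', 'vbscript:', '<script'] as $bad) {
        if (stripos($url, $bad) !== false) {
            return false;
        }
    }
    return true;
}

// Allowlist check: accept only absolute http/https URLs built from an
// explicit character set. Anything else is rejected, however it is encoded.
function allowlist_allows(string $url): bool {
    $pattern = '/\Ahttps?:\/\/[a-z0-9.-]+(?::\d+)?(?:\/[a-z0-9\-._~\/?=&%+]*)?\z/i';
    return preg_match($pattern, $url) === 1;
}

// Render a link: validate with the allowlist, then HTML-encode every value
// that is written into the page.
function render_link(string $url, string $text): string {
    if (!allowlist_allows($url)) {
        // Rejected input is shown as inert text rather than "repaired".
        $raw = '[url=' . $url . ']' . $text . '[/url]';
        return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample inputs: a normal link, a mixed-case script scheme,
// and the same scheme with one character written as an HTML entity.
$samples = [
    'http://example.com/viewtopic.php?f=14&t=1',
    'JavaScript:void(0)',
    'jav&#x61;script:void(0)',
];

foreach ($samples as $url) {
    printf("%-45s blacklist=%-6s allowlist=%-6s\n  -> %s\n", $url,
        denylist_allows($url) ? 'pass' : 'reject',
        allowlist_allows($url) ? 'pass' : 'reject',
        render_link($url, 'link'));
}
```

The entity-encoded sample passes the blacklist because the literal substring never appears, while the allowlist rejects it without needing to know about that encoding.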

As a best practice, users of bulletin board sites and other sites where content is created from untrusted sources, such as the public, should consider turning off all forms of scripting support in their browsers.

More information about injecting code into forums is available in the CERT/CC advisory CA-2000-02.

Vendor Information


PHPBB Affected

Updated:  May 12, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

US-CERT has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The phpBB development team thank PapaDos and Paul/Zhen-Xjell from CastleCops.

This document was written by Robert Mead.

Other Information

CVE IDs: None
Severity Metric: 10.24
Date Public: 2005-05-08
Date First Published: 2005-05-12
Date Last Updated: 2005-05-12 20:14 UTC
Document Revision: 17

Sponsored by CISA.