miniBB ® 

miniBB

®
Support Forums		   
 | Start | Register | Search | Statistics | File Bank | Manual |
Bugs miniBB Support Forums / Bugs /  
 

IMG Tag CSRF

 
Author Guest
~		 #1 | Posted: 20 Aug 2008 08:33
I just recently had a member post a img tag with the code

http://mysite.com/index.php?mode=logout

And when you view the post it will log you off. This is a csrf vuln if I am correct?
Any way to stop this?

Author Guest
~		 #2 | Posted: 20 Aug 2008 18:57
This is what he did and I just tested it out and it works. He created a IMG TAG link like the one above with the code:

https://www.minibb.com/forums/index.php?mode=logout

It will log you off when you leave the topic or try to delete it. I have also seen one that is an html form instead of a link and it changed my profile signature. I believe its the same method using the IMG TAG links. The script automatically opens the link when the topic opens and does whatever action is in the img link. I tried to add the code above to bb_cookie.php but then it won't let me log in without saying:

Can not proceed: possible CSRF/XSRF attack!

Any ideas?

Author Paul
Lead Developer 		 #3 | Posted: 21 Aug 2008 04:15
I understand now what the problem is, but still have no solution in mind. Please restore to the previous version of bb_cookie.php, revert changes you've made which I provided in my previous post. It won't work.

I could tell you the secret that such thing may be available in almost every software we have on the market, including the famous WordPress :-) I've just tested it in WordPress and it works the same way, i.e. it's possible to provide an image URL containing wp-login.php?action=logout and it will log-out everybody.

Guest:
I have also seen one that is an html form instead of a link and it changed my profile signature.
It would be good to see such example too...

I think CSRF may be provided only through the code which points to something external. Image tag is the most often case. For being completely safe, you can disable [img]/[imgs] tags removing them from bb_codes.php. So far it's the only one solution I see. I will think about it during today and post here if I find something else.

Basically it means we should put JavaScript function, similar to what we have now for deletion topics/messages (it's called getCSRFCookie() ). This function should apply the value of 'csrfchk' variable to any form or action which could be CSRF'ed. But this would be a madness to rewrite all scripts because of it, so we must come to another, more simpler solution.

Author tom322
Active Member		 #4 | Posted: 21 Aug 2008 10:55
Paul:
But this would be a madness to rewrite all scripts because of it, so we must come to another, more simpler solution.
I'm sure that will be the case, it would be best if you could post exact steps how to implement fix (as you always do ;). Then I'll try to test too. Thanks.

Author Guest
~		 #5 | Posted: 25 Aug 2008 19:24
Has anyone found a fix yet?

Author Paul
Lead Developer 		 #6 | Posted: 26 Aug 2008 02:14
As I suggested earlier, the only fix is to remove [img]/[imgs] tag codes from bb_codes.php.

I still have no ideas how to implement it easier and effective at once.

Bugs miniBB Support Forums / Bugs /
 IMG Tag CSRF
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message
  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.

Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 
 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Get the Captcha add-on: protect your miniBB-forums from the automated spam and flood.