miniBB Support Forums / Bugs

IMG Tag CSRF

Author Guest
#1 | Posted: 20 Aug 2008 08:33 
I just recently had a member post an img tag with the code

http://mysite.com/index.php?mode=logout

And when you view the post it will log you off. This is a CSRF vuln, if I am correct?
Any way to stop this?

Author Guest
#2 | Posted: 20 Aug 2008 18:57 
This is what he did and I just tested it out and it works. He created an IMG TAG link like the one above with the code:

http://www.minibb.com/forums/index.php?mode=logout

It will log you off when you leave the topic or try to delete it. I have also seen one that is an html form instead of a link and it changed my profile signature. I believe it's the same method using the IMG TAG links. The script automatically opens the link when the topic opens and does whatever action is in the img link. I tried to add the code above to bb_cookie.php but then it won't let me log in and instead says:

Can not proceed: possible CSRF/XSRF attack!

Any ideas?

Author Paul
Lead Developer
#3 | Posted: 21 Aug 2008 04:15 | Edited by: Paul 
I understand now what the problem is, but still have no solution in mind. Please restore the previous version of bb_cookie.php, reverting the changes I provided in my previous post. It won't work.

I could tell you the secret that such a thing may be available in almost every software we have on the market, including the famous WordPress :-) I've just tested it in WordPress and it works the same way, i.e. it's possible to provide an image URL containing wp-login.php?action=logout and it will log out everybody.

Guest:
I have also seen one that is an html form instead of a link and it changed my profile signature.

It would be good to see such an example too...

I think CSRF may be provided only through the code which points to something external. The image tag is the most common case. For being completely safe, you can disable [img]/[imgs] tags, removing them from bb_codes.php. So far it's the only solution I see. I will think about it during today and post here if I find something else.

Basically it means we should put a JavaScript function, similar to what we have now for deleting topics/messages (it's called getCSRFCookie() ). This function should apply the value of the 'csrfchk' variable to any form or action which could be CSRF'ed. But this would be a madness to rewrite all scripts because of it, so we must come to another, simpler solution.
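The token approach Paul sketches, as an added example that is not miniBB's own code: a session-stored token that every state-changing request must present over POST, so the GET fired by an [img] tag is refused. The function names (csrf_token, csrf_field, csrf_request_allowed), the session layout and the logout handler shape are assumptions; miniBB's actual csrfchk/getCSRFCookie() mechanism is not reproduced here.

```php
<?php
// Added example, not miniBB code. Assumes PHP 7+ and that session_start()
// has been called before any of these functions are used.

// Issue (or reuse) the per-session anti-CSRF token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field so that only forms rendered by this site carry the token.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Decide whether a request may perform a state change such as logout.
// An <img src="...?mode=logout"> always yields a GET with no token, so it
// fails the first check; a forged cross-site form fails the token check.
function csrf_request_allowed(string $method, array $post, ?string $expected): bool
{
    if ($method !== 'POST') {
        return false;                         // images and plain links are GET
    }
    if ($expected === null || !isset($post['csrf_token'])) {
        return false;                         // no token issued, or none sent
    }
    return hash_equals($expected, (string) $post['csrf_token']);  // constant-time compare
}

// Hypothetical logout handler: the action is only honoured from the POST form.
session_start();
$mode = $_POST['mode'] ?? $_GET['mode'] ?? '';
if ($mode === 'logout') {
    if (!csrf_request_allowed($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Can not proceed: possible CSRF/XSRF attack!');
    }
    session_destroy();
    // ... clear the login cookie and redirect ...
}

// The logout link is rendered as a form that carries the token.
echo '<form method="post" action="index.php">' . csrf_field()
   . '<input type="hidden" name="mode" value="logout">'
   . '<button type="submit">Log out</button></form>';
```

Refusing GET for every state-changing mode is what closes the [img] vector on its own; the token is what additionally stops a cross-site POST form like the signature-changing one described in post #2.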

Author tom322
Registered
#4 | Posted: 21 Aug 2008 10:55 
Paul:
But this would be a madness to rewrite all scripts because of it, so we must come to another, simpler solution.

I'm sure that will be the case; it would be best if you could post exact steps on how to implement the fix (as you always do ;). Then I'll try to test too. Thanks.

Author Guest
#5 | Posted: 25 Aug 2008 19:24 
Has anyone found a fix yet?

Author Paul
Lead Developer
#6 | Posted: 26 Aug 2008 02:14 
As I suggested earlier, the only fix is to remove [img]/[imgs] tag codes from bb_codes.php.

I still have no idea how to implement it in a way that is both easier and effective.
