I love phpBB, but love’s got bugs :)

phpBB is one of the most commonly used bulletin board CMSs around. With a large community and support, they’ve built a very scalable and nice installation that can get a board running in 10 minutes (you should have done the homework though).

Even the most secure servers get cracked, though, and SVNs are poisoned with injections. I happened to find an overflow that can send a phpBB board into a tizzy.

We take a lot for granted. A post coming from the “xyz” ID is meant to have been posted by the maker of that ID. Imagine if someone takes on another preexisting identity and starts posting. The board will lose all the integrity and faith that its users have. It will become complete havoc, mayhem.

Recently, I was surfing my board as a guest user and I happened to discover a nice cross-site bug. On trying it several times, I discovered it was working for my board. Just then I popped in another popular Delhi college’s forum URL and, alas, it worked there too.

I am writing a full disclosure report on that :)

Till I am in Delhi,

Anirudh
