
SECURITY: Reflected XSS attack (usu, 10 comments, CLOSED)

phpbb-seo commented on July 19, 2024
SECURITY: Reflected XSS attack

from usu.

Comments (10)

aimeos commented on July 19, 2024

@ser Example: https://www.phpbb-seo.ir/community/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E


zetrader commented on July 19, 2024

How to fix that? Is it really dangerous for the forum?

EDIT: I tried your URL in my forum, replacing https://exmaple.org/ with the URL of my forum using USU, and it gave a 503 error:
"Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."

Does it mean the reflected XSS attack worked or it failed?


aimeos commented on July 19, 2024

It's not critical like a SQL injection, but attackers can take over any user account with this attack.
You must change the URL to a page with a login box, and if it succeeds, you will get a JS alert box in your browser.


ser commented on July 19, 2024

How to do it? Can you show some real example?


zetrader commented on July 19, 2024

I've read about it: the user needs to click on the special URL with all those things added (script etc.), which means he would be some kind of ignorant to click on this strange URL, but ok, I guess it could happen of course; not everyone would wonder why so many parameters are added in that URL.
I've also seen that there would be some kind of protection with Firefox or Chrome against this kind of attack:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
"The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks."

They also talk about adding some lines in .htaccess or with some PHP code.
"Block pages from loading when they detect reflected XSS attacks:
PHP
header("X-XSS-Protection: 1; mode=block");

Apache (.htaccess)

<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"
</IfModule>"

So would adding this PHP code or adding those lines to .htaccess provide protection against a reflected XSS attack?

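The header quoted above no longer does much in practice: Chrome removed its XSS auditor in version 78 and Firefox never implemented one, so the control that actually closes a reflected XSS is escaping the reflected value for the context it is written into. The following PHP snippet is an added example, not code from USU or phpBB; the two renderer functions and the sinks they write to are hypothetical. It takes the payload from the URLs in this thread and renders it once without escaping and once with context-appropriate encoding, then reports whether the injected markup survived as markup.

```php
<?php
// Added example (not code from the USU extension or phpBB): why a reflected
// query parameter must be escaped for each output context it lands in.
declare(strict_types=1);

// The payload from the URLs quoted in this thread, URL-decoded.
const THREAD_PAYLOAD = "'\"--></style></scRipt><scRipt>alert(/OPENBUGBOUNTY/)</scRipt>";

// Hypothetical vulnerable pattern: the raw query value is interpolated into
// an attribute, the link text and a <script> block without any encoding.
function render_unescaped(string $a): string
{
    return "<a href=\"/?a={$a}\">{$a}</a>\n<script>var q = '{$a}';</script>";
}

// Hardened version: each sink gets the encoding its context requires.
function render_escaped(string $a): string
{
    // HTML body / attribute context: encode < > & " and '.
    $html = htmlspecialchars($a, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // URL query context: percent-encode before placing the value in href.
    $url = '/?a=' . rawurlencode($a);
    // JavaScript string context: JSON-encode and additionally hex-escape
    // < > & ' " so a literal "</script>" cannot terminate the script block.
    $js = json_encode($a, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<a href=\"{$url}\">{$html}</a>\n<script>var q = {$js};</script>";
}

// True when the attacker's tags are still present as real tags in the output
// (the check is case-insensitive because the payload uses "scRipt").
function output_contains_injected_tag(string $rendered): bool
{
    return stripos($rendered, '<script>alert') !== false
        || stripos($rendered, '</style>') !== false;
}

// Self-check when run from the CLI: php xss_escape_demo.php
if (PHP_SAPI === 'cli') {
    $bad = render_unescaped(THREAD_PAYLOAD);
    $good = render_escaped(THREAD_PAYLOAD);
    printf("unescaped output still contains injected tags: %s\n",
        output_contains_injected_tag($bad) ? 'yes' : 'no');
    printf("escaped output still contains injected tags:   %s\n",
        output_contains_injected_tag($good) ? 'yes' : 'no');
    echo "\n", $good, "\n";
}
```

The important design point is that there is no single "escape" call: an attribute, a URL and a JavaScript string each need their own encoder, and the unescaped renderer fails in all three places at once. A Content-Security-Policy that disallows inline scripts is a useful second layer, but it does not replace fixing the reflection itself.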

zetrader commented on July 19, 2024

@aimeos If I click on your link, it works, I have the alert box, but if I take your link and change the URL to my phpBB test forum URL with USU, it doesn't work, it gives a 503 error: "Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."
And trying with any of my domains, with another CMS (PluXml, PunBB), the same thing, same error using the same structure of URL as in your link.
So maybe my hosting has some kind of protection that phpbb-seo doesn't have, because I cannot make the reflected XSS attack work using this type of URL in any of my domains or directories.


ser commented on July 19, 2024

It looks pretty serious indeed :(

NoScript blocked it at once, but not everyone has NoScript installed....

@zetrader I'm really curious how you get a 503, as my very carefully crafted server is vulnerable and I have the mentioned header on.


zetrader commented on July 19, 2024

@ser @aimeos
Could you give it a test too? My forum boards are actually in testing mode before choosing one, so I would like to know.
First, phpBB with MySQL and USU:
http://aribaut.com/wiwi31/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
forum is here http://aribaut.com/wiwi31/

Second, phpBB with SQLite and seourls ( https://github.com/tas2580/seourls ):
http://zetrader.fr/fofo/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
forum is here http://zetrader.fr/fofo/

Third, PunBB with MySQL:
http://zeforums.com/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
forum is here http://zeforums.com/

Fourth, PluXml (no-database CMS):
http://zetrader.info/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
Blog is here http://zetrader.info/

http://zetrader.fr/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
Blog is here http://zetrader.fr/

http://aribaut.com/?a=%27%22--%3E%3C/style%3E%3C/scRipt%3E%3CscRipt%3Ealert(/OPENBUGBOUNTY/)%3C/scRipt%3E
Blog is here http://aribaut.com/

All of these links give me a 503 error "Service Unavailable
The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later."

Is that the case for you?

After you have tested, it could be interesting to test phpBB without the USU or SEO URLs extension.


aimeos commented on July 19, 2024

@meis2m Thanks a lot. When do you release a new version?


ser commented on July 19, 2024

@aimeos Just clone the current master repo and you have the new version :)

