Cross-site request forgery (CSRF) vulnerability in privmsg.php in phpBB 2.0.22 allows remote attackers to delete private messages (PM) as arbitrary users via a deleteall action.
Weakness
The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Phpbb | Phpbb | 2.0.22 (including) | 2.0.22 (including) |
| Phpbb2 | Ubuntu | dapper | * |
| Phpbb2 | Ubuntu | edgy | * |
| Phpbb2 | Ubuntu | feisty | * |
| Phpbb2 | Ubuntu | gutsy | * |
| Phpbb2 | Ubuntu | hardy | * |
| Phpbb2 | Ubuntu | intrepid | * |
| Phpbb2 | Ubuntu | upstream | * |
Potential Mitigations
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330]
- Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
- Use the “double-submitted cookie” method as described by Felten and Zeller:
- When a user visits a site, the site should generate a pseudorandom value and set it as a cookie on the user’s machine. The site should require every form submission to include this value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same.
- Because of the same-origin policy, an attacker cannot read or modify the value stored in the cookie. To successfully submit a form on behalf of the user, the attacker would have to correctly guess the pseudorandom value. If the pseudorandom value is cryptographically strong, this will be prohibitively difficult.
- This technique requires Javascript, so it may not work for browsers that have Javascript disabled. [REF-331]
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/462.html
- https://cwe.mitre.org/data/definitions/467.html
- https://cwe.mitre.org/data/definitions/62.html
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589
- http://secunia.com/advisories/28630
- http://secunia.com/advisories/28871
- http://securityreason.com/securityalert/3585
- http://www.debian.org/security/2008/dsa-1488
- http://www.securityfocus.com/archive/1/487004/100/0/threaded
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463589
- http://secunia.com/advisories/28630
- http://secunia.com/advisories/28871
- http://securityreason.com/securityalert/3585
- http://www.debian.org/security/2008/dsa-1488
- http://www.securityfocus.com/archive/1/487004/100/0/threaded