A few months ago I was asked a question, if it was possible to forge private messages on a webforum. I said yes of course, and explained – to the mortals – how it theoretically could be done with AJAX (or similar). But it’s not guaranteed that it does since AJAX are dependent of the browser security and the code running on the site. In my mind it should not be any problems however, as long as the browser doesn’t leave the domain, or the communication is handled by two trusted sites.

To see if my theory really worked, I decided to test it. I chose an older version of phpBB since this was (and probably still is for a lot of websites out there) actually a bug, and fixed in new releases – and phpBB is a forum that is both easy install and use. It’s also free, and used by many. Continue below…

Since I wanted to cloak my attack, to avoid detection, I chose AJAX, because sessions run in background instead of using popup windows (which may not work anyway, because of the GET-variables). Attacks made this way, is however limited to the browser security but if the script successfully executes from the outside, it’s harder to detect. But then, it’s still possible to find it via (many) logged referers. AJAX maybe isn’t a good choice, and there’s quite a lot of code to execute which also makes it easier to detect, at least if it’s injected on the same server. Besides, scriptcode used to be prevented so the risks are smaller that something can happen. But somewhere, it may happen.

The first step was to find which fields the form contained. By using all of them as they look, I didn’t have to worry about any failure due to sanity-checks. I also needed to stay within the domain, or this experiment may have caused ”access denied”-messages by the browser – unless the domains trusted each other, which they did to make this experiment easier to perform.

The script worked perfect, but during the tests, I realized that the sanitychecking was easy to bypass. Because of AJAX, I was able to fetch the sid from the main post-form, before the real message was sent and by adding a ”pre-post”, so the main form fields was received first, the script could handle the sid itself.

        // Find the starting position of the sid
        var findsid = fetchoutput.indexOf('name="sid" value="');
        // Cut the string to the output
        var sidstart = fetchoutput.substr(findsid+18);
        // Find the ending position of the sid
        var findsid = sidstart.indexOf('"');
        // Recreate the string
        var postsid = sidstart.substr(0,findsid);

After this, I was able to send unlimited PMs to my ”victim” again, from the outside…

Luckily, making this happen in reality is much harder than it seems, but on sites that allows too much user input this might be devastating. Just imagine what happens with a bit of injective code, an admin and a javascript that calls the user deletion script…

[Minor notes:
One of the reasons why you never should allow html to be executed on a website is because of the risk allowing users to host their arbitrary code. It’s not enough to prevent cross site scripting completely, but it helps a bit. There’s also a risk with unsanitized code, because cross site scripting can still be executed from the outside, and bypass security in scripts that do not check the incoming variables. But in the same time, AJAX may still be able to bypass this.

There’s also more things to think of, regarding the main project – the script that was executed is based on spam-attacks, since it will run each time someone enters a page with the code. It will only work if the user has an account. This means that the affected users have to be logged in, and all private messages will be sent from the specific logged in account.

This ain’t however not any bigger news either, to some…]

(The issue has been reported to the phpBB-team)

av Tornevall

Fotograf, musiker, filmare. Estetikens alla nyanser i ett, kombinerat med humor och ett förflutet inom vård- nöjes- och programmeringsbranscher.