Security vulnerabilities!

Posted: 14 May 2010, 20:40
by Stoker
On 02 Feb 2010 we found out that bbcodes using {TEXT} inside the HTML tags were a serious security vulnerability.
Therefore I mass mailed all our members with a link to a post with more explanation.
That post is what you see below.

In the meantime a new token, {INTTEXT}, was introduced in 3.0.7, which is safe to use inside HTML tags where this is necessary.
We have also secured all bbcodes on this board, no longer using {TEXT} inside HTML tags.
So you do not need to worry about getting insecure code here. I am just reposting because it is important information and because this issue is not well reported in other places.

Stoker wrote:

Hello,

I am very sorry to inform you that we may have been providing insecure code!
The problem is when {TEXT} is used in the html tags.
Just like this:

Code:

<div style="{TEXT1}">{TEXT2}</div>

Instead of using {TEXT} we should use {SIMPLETEXT} or {IDENTIFIER}.
Then it would be safe.

Please check all your bbcodes.

Sorry for the inconvenience.

Re: Security vulnerabilities!

Posted: 16 May 2010, 13:29
by boardtalk.net
What could happen if the {TEXT} was not taken out?

Re: Security vulnerabilities!

Posted: 16 May 2010, 14:06
by Stoker
It could cause an XSS vulnerability; try googling it for more info.

Re: Security vulnerabilities!

Posted: 16 May 2010, 14:23
by Fire-Fox
So

Code:

<code><font color="#3a9790">{TEXT}</font></code>

should be

Code:

<code><font color="#3a9790">{INTTEXT}</font></code>

then it is safe?

Re: Security vulnerabilities!

Posted: 16 May 2010, 14:29
by Stoker
No, that's not the case. Only when TEXT is used inside the HTML tag.
You can see an example in the Submit a bbcode forum rules, which you of course have already read since you have submitted a bbcode ;)

Re: Security vulnerabilities!

Posted: 16 May 2010, 14:36
by boardtalk.net
Stoker » 16 May 2010, 14:06 wrote: It could cause an XSS vulnerability; try googling it for more info.

Thanks, just googled it... all I have to say is... ouch.

Re: Security vulnerabilities!

Posted: 20 May 2010, 22:11
by Nully
Hello,
do you mean, for example, in the YouTube BBcode:

Code:

src="http://www.youtube.com/v/{TEXT}"

we have to replace TEXT by INTTEXT?

And here in the think BBcode:

Code:

<table border="0" cellpadding="0" cellspacing="0"><tr><td style="margin: 0;padding: 0;border: 0;"><div style=" background-color: #ffffff;color: #000000; -moz-border-radius: 16px; -webkit-border-radius: 16px; border: 1px solid #000000; padding: 4px;font-size: 1em;" >&nbsp; {TEXT} &nbsp;</div><img src="images/stoker.gif"></td></tr></table>

Re: Security vulnerabilities!

Posted: 20 May 2010, 22:34
by Stoker
yes and no :)

Re: Security vulnerabilities!

Posted: 20 May 2010, 22:52
by Nully
Yes for the 1st and no for the 2nd ?
Please...tell me :D

Re: Security vulnerabilities!

Posted: 21 May 2010, 00:00
by cisco007
That is correct! What you asked for the YouTube bbcode, that is correct; for the think bbcode, it is correct the way it is, since the {TEXT} is actually outside the HTML tags. It is actually in between the <div> tags, so that is fine!
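
Added example, not part of the original thread or of phpBB: a small Python check for the rule discussed above, flagging {TEXT} tokens that sit inside an HTML tag of a BBCode replacement template while leaving tokens between tags alone. The function names, the `<embed>` wrapper around the YouTube fragment and the shortened think template are assumptions made for the example.

```python
import re

# Per the thread: {TEXT} (also numbered, e.g. {TEXT1}) must not sit inside a tag.
# {INTTEXT}, {SIMPLETEXT} and {IDENTIFIER} are not matched by this pattern.
TEXT_TOKEN = re.compile(r"\{TEXT\d*\}")


def tokens_inside_tags(template):
    """Return the {TEXT} tokens found between '<' and '>' of any tag."""
    flagged = []
    in_tag = False
    quote = None  # quote character of the attribute value being read, if any
    i = 0
    while i < len(template):
        match = TEXT_TOKEN.match(template, i)
        if match:
            if in_tag:
                flagged.append(match.group(0))
            i = match.end()
            continue
        ch = template[i]
        nxt = template[i + 1:i + 2]
        if not in_tag:
            # Only treat '<' as a tag start when a tag name or '/' follows.
            if ch == "<" and (nxt.isalpha() or nxt == "/"):
                in_tag = True
        elif quote:
            if ch == quote:  # end of the quoted attribute value
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch == ">":
            in_tag = False
        i += 1
    return flagged


TEMPLATES = {
    "style": '<div style="{TEXT1}">{TEXT2}</div>',
    "font": '<code><font color="#3a9790">{TEXT}</font></code>',
    # <embed> wrapper is constructed; the thread only shows the src attribute.
    "youtube": '<embed src="http://www.youtube.com/v/{TEXT}">',
    "youtube_fixed": '<embed src="http://www.youtube.com/v/{INTTEXT}">',
    # Shortened form of the think template from the thread.
    "think": '<div style="padding: 4px;">&nbsp; {TEXT} &nbsp;</div><img src="images/stoker.gif">',
}


def audit(templates):
    return {name: tokens_inside_tags(html) for name, html in templates.items()}


if __name__ == "__main__":
    for name, hits in audit(TEMPLATES).items():
        print(name, "UNSAFE " + ", ".join(hits) if hits else "ok")
```
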