
phpBB AJAX Chat/Shoutbox MOD CSRF Flaw and Fix - Website Security

Source: 自学PHP网    Date: 2015-04-17 14:46    Author:    Views:


Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
Release Date: 2011-04-30
Product Affected: http://startrekaccess.com/community/viewtopic.php?f=127&t=8675
Responsible Disclosure:
 
After repeated attempts to get the vendor to fix this flaw, he has told me to "Please stop taking up my time with something this trivial." I have provided a risk assessment, sources on CSRF including OWASP and my implementation on how to fix it.
 
If after a reasonable attempt to make the vendor realise it is a vulnerability, the vendor refuses to acknowledge the flaw, the vulnerability will be publicly published.
 
First vendor contact was made on 2011-04-24 and continued till the 29th, when he cut contact.

Description:

None of the actions taken on chat.php are protected against CSRF; this includes adding and deleting chat messages, so any site a logged-in user visits can submit those requests with the user's cookies.

Solution:
 
This solution carries no warranty or guarantees; that said, it works with the version I have.
 
In config.php
$secretKey = 'CHANGE THIS TO SOMETHING SECURE';
 
in shout.php
116: 'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)
 
in chat.php
49:
$chatMAC = request_var('mac', '');
 
56:
// $mode is only set when an add/delete action is requested; the MAC sent with the
// request must match the one shout.php embedded in the page for this user.
if ($mode AND $chatMAC != hash_hmac('ripemd160', $user->data['user_id'], $secretKey)) // action taken
{
    die('Hacking attempt! (CSRF)');
}
 
257:  'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)
 
in templates:
after
param = 'mode=' + mode;
add
param += '&mac=' + '{CHAT_MAC}';
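The same fix as a stand-alone PHP sketch, added here and not part of the advisory or the MOD: the token is an HMAC over the user id, issued when the page is rendered and checked before any mode is acted on. It assumes PHP 7+ and compares with hash_equals() (constant-time, PHP >= 5.6, which the 2011 advisory's `!=` could not rely on); the user id and the two requests are constructed.

```php
<?php
// Added example, not the advisory's or the MOD's code.
// Server-side secret, as the advisory places in config.php (placeholder value).
$secretKey = 'CHANGE THIS TO SOMETHING SECURE';

// Issued when shout.php renders the page: an HMAC over the logged-in user's id,
// which a third-party site cannot compute without $secretKey.
function chat_mac(int $userId, string $secretKey): string
{
    return hash_hmac('ripemd160', (string) $userId, $secretKey);
}

// Checked on chat.php before any state-changing $mode is acted on.
function chat_request_allowed(array $request, int $userId, string $secretKey): bool
{
    $mode = $request['mode'] ?? '';
    if ($mode === '') {
        return true;            // no action requested, nothing to protect
    }
    $mac = (string) ($request['mac'] ?? '');
    // hash_equals() avoids the timing leak of a plain string comparison.
    return hash_equals(chat_mac($userId, $secretKey), $mac);
}

// Constructed requests for user 42: the first carries the token the page embedded
// via {CHAT_MAC}; the second is what a cross-site post looks like (cookies, no mac).
$userId = 42;
$legit  = ['mode' => 'add', 'message' => 'hello', 'mac' => chat_mac($userId, $secretKey)];
$forged = ['mode' => 'delete', 'id' => '7'];

var_dump(chat_request_allowed($legit, $userId, $secretKey));
var_dump(chat_request_allowed($forged, $userId, $secretKey));
```

Because the token is derived from the user id alone it is the same for every session of that user; binding it to the session id as well would make it rotate on login.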
