phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability

Source: Sebug.net
Title: phpBB AJAX Chat/Shoutbox MOD CSRF Vulnerability
Release Date: 2011-04-30
Product Affected: http://startrekaccess.com/community/viewtopic.php?f=127&t=8675

Responsible Disclosure:

After repeated attempts to get the vendor to fix this flaw, he has told me to "Please
stop taking up my time with something this trivial." I have provided a risk
assessment, sources on CSRF including OWASP and my implementation on how to fix it.

If after a reasonable attempt to make the vendor realise it is a vulnerability, the
vendor refuses to acknowledge the flaw, the vulnerability will be publicly published.

First vendor contact was made on 2011-04-24 and continued till the 29th, when he cut
contact.

Description:

All actions taken on chat.php are not protected against CSRF; this includes adding and
deleting chat messages.

Solution:

This solution carries no warranty or guarantees; that said, it works with the version
I have.

In config.php:

    $secretKey = 'CHANGE THIS TO SOMETHING SECURE';

In shout.php, line 116:

    'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)

In chat.php, line 49:

    $chatMAC = request_var('mac', '');

Line 56:

    // action taken: refuse any state-changing request whose mac does not match
    // the HMAC computed for the logged-in user
    if ($mode AND $chatMAC != hash_hmac('ripemd160', $user->data['user_id'], $secretKey)) {
        die('Hacking attempt! (CSRF)');
    }

Line 257:

    'CHAT_MAC'      => hash_hmac('ripemd160', $user->data['user_id'], $secretKey)

In templates, after

    param = 'mode=' + mode;

add

    param += '&mac=' + '{CHAT_MAC}';
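The fix above spreads the token logic across config.php, shout.php, chat.php and the template, which makes it hard to see the whole check at once. The following is an added example, not the MOD's or the advisory author's code: a stand-alone PHP 7+ script that models the same HMAC-based check with plain arrays standing in for phpBB's $user->data and request_var(), and runs it against three constructed requests (a legitimate one carrying the token, a cross-site forgery without it, and one carrying a token minted under a different key). The names chat_mac(), check_chat_request() and the sample secret are assumptions made for this example.

```php
<?php
// Added example (not the MOD's own code): a stand-alone model of the HMAC-based
// CSRF check described in the advisory. phpBB's $user->data and request_var()
// are replaced by plain arrays so it runs from the command line:
//   php csrf_mac_demo.php
// chat_mac(), check_chat_request() and the secret below are assumed names/values.

// config.php equivalent. The HMAC key must be long, random and private to the
// board; anyone who knows it can mint a valid token for any user id.
$secretKey = 'constructed-demo-secret-replace-with-32-random-bytes';

// shout.php line 116 / chat.php line 257 equivalent: the token handed to the
// template as {CHAT_MAC}. It is keyed on the user id only, so it stays constant
// for the lifetime of that user and is as strong as the secret protecting it.
function chat_mac(int $userId, string $secretKey): string
{
    return hash_hmac('ripemd160', (string) $userId, $secretKey);
}

// chat.php lines 49-56 equivalent. $request stands in for the GET/POST data
// that request_var('mac', '') would read. Returns true when the request may
// proceed and false when it must be refused as a CSRF attempt.
function check_chat_request(array $request, int $userId, string $secretKey): bool
{
    $mode    = $request['mode'] ?? '';
    $chatMAC = $request['mac'] ?? '';

    if ($mode === '') {
        return true; // no state change requested, nothing to protect
    }

    // hash_equals() (PHP 5.6+) compares in constant time; the advisory's !=
    // is an ordinary string compare that stops at the first differing byte.
    return hash_equals(chat_mac($userId, $secretKey), $chatMAC);
}

// Worked run over constructed requests for a constructed user id.
$userId = 42;
$mac    = chat_mac($userId, $secretKey);

// 1. The board's own JavaScript appends '&mac={CHAT_MAC}' -> accepted.
$legit = ['mode' => 'add', 'message' => 'hello', 'mac' => $mac];

// 2. A cross-site form post is sent with the victim's cookies, but the
//    attacking page cannot read {CHAT_MAC} out of the board, so it has no
//    mac -> refused.
$forged = ['mode' => 'delete', 'id' => '7'];

// 3. A mac computed under a different secret (or for another user) -> refused.
$wrongKey = ['mode' => 'add', 'message' => 'x', 'mac' => chat_mac($userId, 'other-secret')];

foreach (['legit' => $legit, 'forged' => $forged, 'wrong key' => $wrongKey] as $label => $req) {
    $verdict = check_chat_request($req, $userId, $secretKey) ? 'accepted' : 'Hacking attempt! (CSRF)';
    printf("%-9s -> %s\n", $label, $verdict);
}
```

Two design points worth noting when applying the advisory's patch for real. First, the token is derived from the user id alone, so it never changes for that user; binding it to the session (phpBB 3.0 ships add_form_key()/check_form_key() in includes/functions.php, which issue per-session, time-limited form tokens) limits the damage if a token is ever leaked through a referer or a log. Second, the secret in config.php must actually be changed from the placeholder; with a known key the check is worthless, because the token is just the HMAC of a predictable user id.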