Date: Mon Aug 22 16:01:02 2005
From: milw0rm at gmail.com (milw0rm Inc.)
Subject: BBCode [IMG] [/IMG ] Tag Vulnerability

alrighty,

How can this be done with header location being called in the middle
of the page?

<img src="http://www.site.biz/test/test.jpg" border="0" /> 

Tested on phpBB 2.0.17 default install with a no go.

/str0ke

On 8/21/05, h4cky0u <h4cky0u.org@...il.com> wrote:
> Hi,
> 
> Saw this one on www.waraxe.us (discovered by Easyex) and I was
> thinking whether there are some more possibilities using the method
> described. The PoC below is for phpBB. -
> 
> ==========
> Make yourself a folder on your host.
> Rename the folder to signature.jpg;
> this will trick BBCode into thinking it's an image file.
> 
> example http://sitewithmaliciouscode/signature.jpg
> 
> Inside that folder, put this code
> in a file named index.php.
> 
> Quote:
> <?php
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true");
> exit;
> ?>
> 
> This will make every visitor get logged out when they view a thread that
> has an image linked to this.
> ===================
> 
> 
> This seems to be working on almost all the scripts using BBCode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when the
> image link to the folder with the malicious code was used as the forum
> signature. What I was wondering is: is there anything more serious than
> logging out the users that can be done with this? The admin folders of
> IPB and phpBB need reauthentication, so nothing serious for them, but
> is there anything more innovative that could be done? And is there any way to fix this?
> 
> Regards,
> --
> http://www.h4cky0u.org
> (In)Security at its best...
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
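Both questions in the thread, str0ke's about how a Location header "in the middle of the page" can do anything, and the original post's about a fix, come down to the same mechanism, and the following self-contained simulation walks through it. This is added example code, not from the thread, phpBB or vBulletin: the host names forum.example and sitewithmaliciouscode, the Forum and Browser classes, the session and token handling and the viewtopic/login paths are all constructed stand-ins, and no real HTTP is sent. The redirect never lives in the forum page at all; it is the response to the browser's separate request for the "image", and the browser follows it to the forum with the forum's own cookies attached (the attacker host never sees those cookies). The fix shown is the usual one: a state-changing action such as logout must require a POST carrying an unguessable per-session token, which a redirect-driven GET cannot supply.

```python
"""Added example (not from the thread, phpBB or vBulletin): simulation of the
[img]-redirect trick and of the POST+token fix. All hosts, classes and paths
below are constructed stand-ins; nothing touches the network."""
import re
import secrets
import urllib.parse

FORUM_HOST = "forum.example"              # constructed
ATTACKER_HOST = "sitewithmaliciouscode"   # host name as written in the thread
LOGOUT_URL = f"http://{FORUM_HOST}/phpBB/login.php?logout=true"

BBCODE_IMG = re.compile(r"\[img\](https?://[^\s\[\]]+)\[/img\]", re.IGNORECASE)
IMG_SRC = re.compile(r'<img src="([^"]+)"')


def render_bbcode(text):
    """Turn [img]URL[/img] into an <img> tag. Like the forums in the thread,
    this only looks at the URL string; nothing is fetched or validated."""
    return BBCODE_IMG.sub(lambda m: f'<img src="{m.group(1)}" border="0" />', text)


ATTACKER_SAW = []  # cookies the attacker host received, kept for inspection


def attacker_host(method, url, cookies, form):
    """Stand-in for signature.jpg/index.php from the thread: every request
    is answered with a 302 to the forum's GET logout URL."""
    ATTACKER_SAW.append(dict(cookies))
    return {"status": 302, "location": LOGOUT_URL, "body": ""}


class Forum:
    """Cookie-session forum whose logout is either GET-triggerable (as in the
    thread) or, with require_post_and_token=True, POST+token protected."""

    def __init__(self, require_post_and_token=False):
        self.require_post_and_token = require_post_and_token
        self.sessions = {}  # sid -> user
        self.tokens = {}    # sid -> per-session anti-CSRF token
        self.posts = []     # raw BBCode posts

    def handle(self, method, url, cookies, form):
        parts = urllib.parse.urlsplit(url)
        query = dict(urllib.parse.parse_qsl(parts.query))
        sid = cookies.get("sid")
        if parts.path == "/phpBB/login.php" and form and "user" in form:
            sid = secrets.token_hex(8)
            self.sessions[sid] = form["user"]
            self.tokens[sid] = secrets.token_hex(16)
            return {"status": 200, "set_cookie": {"sid": sid}, "body": "welcome"}
        if parts.path == "/phpBB/login.php" and query.get("logout") == "true":
            if sid not in self.sessions:
                return {"status": 200, "body": "not logged in"}
            if self.require_post_and_token and (
                method != "POST" or (form or {}).get("token") != self.tokens[sid]
            ):
                # A redirect always arrives as a bare GET with no token.
                return {"status": 403, "body": "logout needs POST with a valid token"}
            self.sessions.pop(sid)
            self.tokens.pop(sid)
            return {"status": 200, "body": "logged out"}
        if parts.path == "/phpBB/viewtopic.php":
            body = "".join(f"<p>{render_bbcode(p)}</p>" for p in self.posts)
            return {"status": 200, "body": body}
        return {"status": 404, "body": "not found"}

    def is_logged_in(self, browser):
        return browser.jar.get(FORUM_HOST, {}).get("sid") in self.sessions


class Browser:
    """Follows redirects and auto-loads <img> tags, sending each host only
    its own cookies, which is exactly what makes the trick work."""

    def __init__(self, routes):
        self.routes = routes  # host -> handler(method, url, cookies, form)
        self.jar = {}         # host -> {cookie name: value}

    def request(self, method, url, form=None, max_redirects=5):
        for _ in range(max_redirects + 1):
            host = urllib.parse.urlsplit(url).netloc
            resp = self.routes[host](method, url, dict(self.jar.get(host, {})), form)
            for name, value in resp.get("set_cookie", {}).items():
                self.jar.setdefault(host, {})[name] = value
            if resp["status"] in (301, 302) and resp.get("location"):
                url, method, form = resp["location"], "GET", None  # redirect -> GET
                continue
            return resp
        raise RuntimeError("too many redirects")

    def view_page(self, url):
        page = self.request("GET", url)
        for src in IMG_SRC.findall(page["body"]):  # browser loads every image
            self.request("GET", src)
        return page


def viewer_still_logged_in(require_post_and_token):
    """Log in, view a thread carrying the malicious [img] signature, and
    report whether the viewer's session survived."""
    forum = Forum(require_post_and_token)
    forum.posts.append(f"nice thread [img]http://{ATTACKER_HOST}/signature.jpg[/img]")
    browser = Browser({FORUM_HOST: forum.handle, ATTACKER_HOST: attacker_host})
    browser.request("POST", f"http://{FORUM_HOST}/phpBB/login.php", form={"user": "alice"})
    browser.view_page(f"http://{FORUM_HOST}/phpBB/viewtopic.php?t=1")
    return forum.is_logged_in(browser)


def legitimate_logout_works():
    """With the fix on, a real logout (POST with the session's token, which a
    forum would embed in its logout form) still succeeds."""
    forum = Forum(require_post_and_token=True)
    browser = Browser({FORUM_HOST: forum.handle, ATTACKER_HOST: attacker_host})
    browser.request("POST", f"http://{FORUM_HOST}/phpBB/login.php", form={"user": "alice"})
    token = forum.tokens[browser.jar[FORUM_HOST]["sid"]]  # shortcut for the form field
    resp = browser.request("POST", LOGOUT_URL, form={"token": token})
    return resp["status"] == 200 and not forum.is_logged_in(browser)


if __name__ == "__main__":
    print("GET logout, viewer still logged in:", viewer_still_logged_in(False))        # False
    print("POST+token logout, viewer still logged in:", viewer_still_logged_in(True))  # True
    print("legitimate logout with token works:", legitimate_logout_works())            # True
    print("attacker host saw a forum cookie:", any("sid" in c for c in ATTACKER_SAW))  # False
```

The same model explains why checking the URL's extension, or even fetching the "image" once at post time, does not help: the attacker's server can answer the forum's check with a real picture and every later visitor with a redirect. Only the endpoint that changes state can defend itself, and it does so by refusing to act on a plain GET and by demanding a token that a cross-site redirect cannot carry.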
