lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <40438BB0.6050904@ghcif.de> From: t4c at ghcif.de (t4c [Founder of GHCIF]) Subject: New phpBB ViewTopic.php Cross Site Scripting Vulnerability (with fix) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 02/28/04 Cheng Peng Su released the following Advisory: ################################################ Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability Release Date: Feb 29,2004 Application: phpBB Platform: PHP Version Affected: the lastest version Vendor URL: http://www.phpbb.com/ Discover: Cheng Peng Su(apple_soup_at_msn.com) ################################################ Details: ~ This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information. Proof of Concept: ~ If there is a topic at ~ http://site/phpBB/viewtopic.php?t=123456 ~ this page can be also viewed at ~ http://site/phpBB/viewtopic.php?t=123456&postorder=asc ~ then this page will contain code like below: ~ <a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=asc&highlight=">[Topic Title]</a>. ~ phpBB doesn't filter out illegal characters from 'postorder',so we can inject HTML code after 'postorder='. Exploit: ~ URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C ~ note unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '"><script>alert(document.cookie)</script><' Contact: Cheng Peng Su apple_soup_at_msn.com Class 1,Senior 2,High school attached to Wuhan University Wuhan,Hubei,China Still PHPBB.COM didn't release any informations and patches I wrote a small fix for this issue. Read more under http://www.phpbb.com/phpBB/viewtopic.php?t=177585 - -- Milan 't4c' Berger Network & Security Administrator 21073 Hamburg gpg: http://www.ghcif.de/keys/t4c.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFAQ4ucElfq8Np78sURAuj2AJ9wNxkA6kuuKZN2EC326GObOMuUWgCdG5FQ C/EwGMA0SsrTp8GcJ4COtHE= =4c7V -----END PGP SIGNATURE-----
Powered by blists - more mailing lists