Message-ID: <404391E0.4030301@ghcif.de>
From: t4c at ghcif.de (t4c [Founder of GHCIF])
Subject: New phpBB ViewTopic.php Cross Site Scripting Vulnerability (with fix)

Because PHPBB.COM erased this posting without any comment, here is just the fix
again:

http://www.ghcif.de/adv/phpbb206_viewtopic.txt




t4c [Founder of GHCIF] wrote:
> On 02/28/04 Cheng Peng Su released the following Advisory:
> 
> ################################################
> Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability
> Release Date: Feb 29,2004
> Application: phpBB
> Platform: PHP
> Version Affected: the latest version
> Vendor URL: http://www.phpbb.com/
> Discoverer: Cheng Peng Su(apple_soup_at_msn.com)
> ################################################
> 
> Details:
>     This vuln is similar to Arab VieruZ's advisory 'XSS bug in
> phpBB'; this time the problem is not in 'highlight', but in
> 'postorder'. We can inject HTML code, and such code could be used to steal
> cookie information.
> 
> Proof of Concept:
>     If there is a topic at
>     http://site/phpBB/viewtopic.php?t=123456
>     this page can also be viewed at
>     http://site/phpBB/viewtopic.php?t=123456&postorder=asc
>     then this page will contain code like below:
>     <a class="maintitle" href="viewtopic.php?t=176994&amp;start=0&amp;postdays=0&amp;postorder=asc&amp;highlight=">[Topic Title]</a>.
>     phpBB doesn't filter out illegal characters from 'postorder', so we can
> inject HTML code after 'postorder='.
> 
> Exploit:
>     URL:
> http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C
> 
>     note
> unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C')
> == '"><script>alert(document.cookie)</script><'
> 
> Contact:
> Cheng Peng Su
> apple_soup_at_msn.com
> Class 1, Senior 2, High school attached to Wuhan University
> Wuhan, Hubei, China
> 
> 
> 
> Since PHPBB.COM still hasn't released any information or patches, I wrote a
> small fix for this issue.
> 
> Read more under
> http://www.phpbb.com/phpBB/viewtopic.php?t=177585
> 
> --
> Milan 't4c' Berger
> Network & Security Administrator
> 21073 Hamburg
> 
> gpg: http://www.ghcif.de/keys/t4c.asc
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-- 
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg

gpg: http://www.ghcif.de/keys/t4c.asc
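As an added illustration (not phpBB's code and not the fix linked above), this hypothetical PHP reconstruction shows the pattern the advisory describes, a query value concatenated straight into an href attribute, beside a hardened version that allow-lists 'postorder' and escapes the attribute on output. The function names and the simplified link template are assumptions; the decoded payload is the one from the advisory URL.

```php
<?php
// Added example: hypothetical reconstruction of how a viewtopic.php-style
// page might build the topic-title link. Not phpBB's actual source.

// Vulnerable pattern: the raw 'postorder' query value is concatenated into
// the href attribute, so a value containing '">' closes the attribute and
// the tag, and whatever follows is rendered as new HTML.
function build_title_link_vulnerable(int $topic_id, string $post_order): string
{
    return '<a class="maintitle" href="viewtopic.php?t=' . $topic_id
         . '&amp;start=0&amp;postdays=0&amp;postorder=' . $post_order
         . '&amp;highlight=">[Topic Title]</a>';
}

// Hardened pattern: 'postorder' can only ever be 'asc' or 'desc', so it is
// allow-listed (strict comparison) with a default fallback, and the whole
// href is HTML-escaped on output so that nothing else can leave the attribute.
function build_title_link_fixed(int $topic_id, string $post_order): string
{
    $post_order = in_array($post_order, ['asc', 'desc'], true) ? $post_order : 'asc';
    $href = 'viewtopic.php?t=' . $topic_id . '&start=0&postdays=0&postorder='
          . $post_order . '&highlight=';
    return '<a class="maintitle" href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
         . '">[Topic Title]</a>';
}

// Helper for the check below: does the generated markup contain an injected
// <script> element?
function contains_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the percent-encoded payload from the advisory, decoded
// the same way the web server would decode the query string.
$payload = rawurldecode('%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64'
                      . '%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F'
                      . '%73%63%72%69%70%74%3E%3C');

$vulnerable = build_title_link_vulnerable(123456, $payload);
$fixed      = build_title_link_fixed(123456, $payload);

echo 'vulnerable markup contains <script>: ', var_export(contains_script_tag($vulnerable), true), "\n";
echo 'hardened markup contains <script>:   ', var_export(contains_script_tag($fixed), true), "\n";
echo $fixed, "\n";
```

The hardened link falls back to postorder=asc for the payload, and the escaped attribute matches the `&amp;`-separated form shown in the advisory's sample markup.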

