Message-ID: <404391E0.4030301@ghcif.de>
From: t4c at ghcif.de (t4c [Founder of GHCIF])
Subject: New phpBB ViewTopic.php Cross Site Scripting Vulnerability (with fix)
Because PHPBB.COM erased this posting without any comment, here is just the fix
again:
http://www.ghcif.de/adv/phpbb206_viewtopic.txt
t4c [Founder of GHCIF] wrote:
> On 02/28/04 Cheng Peng Su released the following Advisory:
>
> ################################################
> Advisory Name: New phpBB ViewTopic.php Cross Site Scripting Vulnerability
> Release Date: Feb 29, 2004
> Application: phpBB
> Platform: PHP
> Version Affected: the latest version
> Vendor URL: http://www.phpbb.com/
> Discoverer: Cheng Peng Su (apple_soup_at_msn.com)
> ################################################
>
> Details:
> ~ This vuln is similar to Arab VieruZ's advisory 'XSS bug in
> phpBB'; this time the problem is not in 'highlight' but in
> 'postorder'. We can inject HTML code, and such code could be used to steal
> cookie information.
>
> Proof of Concept:
> ~ If there is a topic at
> ~ http://site/phpBB/viewtopic.php?t=123456
> ~ this page can also be viewed at
> ~ http://site/phpBB/viewtopic.php?t=123456&postorder=asc
> ~ then this page will contain code like below:
> ~ <a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=asc&highlight=">[Topic Title]</a>.
> ~ phpBB doesn't filter out illegal characters from 'postorder', so we can
> inject HTML code after 'postorder='.
>
> Exploit:
> ~ URL:
> http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C
>
> ~ note:
> unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C')
> == '"><script>alert(document.cookie)</script><'
>
> Contact:
> Cheng Peng Su
> apple_soup_at_msn.com
> Class 1, Senior 2, High school attached to Wuhan University
> Wuhan, Hubei, China
>
>
>
> Since PHPBB.COM still hasn't released any information or patches, I wrote a
> small fix for this issue.
>
> Read more under
> http://www.phpbb.com/phpBB/viewtopic.php?t=177585
>
> --
> Milan 't4c' Berger
> Network & Security Administrator
> 21073 Hamburg
>
> gpg: http://www.ghcif.de/keys/t4c.asc
>
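As an added illustration of the defect the advisory describes, and of the shape a fix takes, here is a small PHP script that is not phpBB's code and not the fix linked above. It assumes only what the advisory shows: that viewtopic.php writes the raw `postorder` query value into the `href` of the topic-title link. The vulnerable builder reproduces that, and the hardened builder restricts `postorder` to the two values the application actually defines and HTML-escapes the attribute value before output. The payload used as input is the decoded string already quoted in the advisory.

```php
<?php
// Added example, not phpBB's own code. Assumption: the topic-title link is
// built by string concatenation, as the advisory's HTML excerpt suggests.

// Vulnerable pattern: the query value goes straight into the attribute, so
// a double quote in it closes the href and the rest is parsed as HTML.
function buildTopicLinkVulnerable(int $topicId, string $postorder): string
{
    return '<a class="maintitle" href="viewtopic.php?t=' . $topicId
        . '&amp;start=0&amp;postdays=0&amp;postorder=' . $postorder
        . '&amp;highlight=">[Topic Title]</a>';
}

// Allowlist: 'postorder' has exactly two meaningful values. Anything else
// is mapped to the default rather than echoed back.
function normalizePostorder(string $postorder): string
{
    return (strtolower($postorder) === 'desc') ? 'desc' : 'asc';
}

// Hardened pattern: validate first, then escape on output anyway, so that a
// future code path that forgets the allowlist still cannot break out of the
// attribute (ENT_QUOTES turns both " and ' into entities).
function buildTopicLinkFixed(int $topicId, string $postorder): string
{
    $safe = htmlspecialchars(normalizePostorder($postorder), ENT_QUOTES, 'UTF-8');
    return '<a class="maintitle" href="viewtopic.php?t=' . $topicId
        . '&amp;start=0&amp;postdays=0&amp;postorder=' . $safe
        . '&amp;highlight=">[Topic Title]</a>';
}

// Quick self-check: does the rendered markup still contain a <script> tag?
// A defender can run the same check against captured responses.
function containsScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input: the decoded payload from the advisory's "note" section.
$payload = '"><script>alert(document.cookie)</script><';

$vulnerable = buildTopicLinkVulnerable(123456, $payload);
$fixed      = buildTopicLinkFixed(123456, $payload);

echo "Vulnerable output:\n" . $vulnerable . "\n";
echo "  contains <script>: " . (containsScriptTag($vulnerable) ? 'yes' : 'no') . "\n\n";
echo "Fixed output:\n" . $fixed . "\n";
echo "  contains <script>: " . (containsScriptTag($fixed) ? 'yes' : 'no') . "\n";
```

The allowlist is the real fix: `postorder` is a sort direction, not free text, so nothing outside `asc`/`desc` should ever reach the template. The `htmlspecialchars()` call on output is the second layer and is what makes the stray `"` harmless even if the validation is bypassed elsewhere. Note that `highlight`, the parameter from the earlier advisory the discoverer refers to, sits in the same attribute and needs the same treatment.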
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg
gpg: http://www.ghcif.de/keys/t4c.asc