BugTraq
New phpBB ViewTopic.php Cross Site Scripting Vulnerability Feb 28 2004 03:09PM
Cheng Peng Su (apple_soup msn com) (1 replies)
Re: New phpBB ViewTopic.php Cross Site Scripting Vulnerability Mar 01 2004 11:35PM
t4c [Founder of GHCIF] (t4c ghcif de)
An inofficial fix to this Issue has been released by ghcif.de
PHPBB 2.0.6c XSS Flaw in viewtopic.php

Open and Backup viewtopic.php

Find:

if ( !empty($HTTP_POST_VARS['postorder']) ||
!empty($HTTP_GET_VARS['postorder']${
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ?
$HTTP_POST_VARS[$
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
$post_time_order = 'ASC';
}

Replace with:

//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) ||
!empty($HTTP_GET_VARS['postorder']${
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ?
$HTTP_POST_VARS[$
// Exploit Fix
$post_order = htmlspecialchars($post_order);
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
// Exploit Fix
$post_order = htmlspecialchars($post_order);
$post_time_order = 'ASC';
}

by Milan 't4c' Berger

Cheng Peng Su wrote:
>
> ################################################
> Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability
> Release Date: Feb 29,2004
> Application: phpBB
> Platform: PHP
> Version Affected: the lastest version
> Vendor URL: http://www.phpbb.com/
> Discover: Cheng Peng Su(apple_soup_at_msn.com)
> ################################################
>
> Details:
> This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information.
>
> Proof of Concept:
> If there is a topic at
> http://site/phpBB/viewtopic.php?t=123456
> this page can be also viewed at
> http://site/phpBB/viewtopic.php?t=123456&postorder=asc
> then this page will contain code like below:
> <a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=as
c&highlight=">[Topic Title]</a>.
> phpBB doesn't filter out illegal characters from 'postorder',so we can inject HTML code after 'postorder='.
>
> Exploit:
> URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69
%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65
%29%3C%2F%73%63%72%69%70%74%3E%3C
>
> note unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%
6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '"><script>alert(document.cookie)</script><'
>
> Contact:
> Cheng Peng Su
> apple_soup_at_msn.com
> Class 1,Senior 2,High school attached to Wuhan University
> Wuhan,Hubei,China
>
>

--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg

gpg: http://www.ghcif.de/keys/t4c.asc

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus