|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: New phpBB ViewTopic.php Cross Site Scripting Vulnerability
From: t4c [Founder of GHCIF] (t4c
ghcif.de)
Date: Mon Mar 01 2004 - 17:35:30 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
An inofficial fix to this Issue has been released by ghcif.de
PHPBB 2.0.6c XSS Flaw in viewtopic.php
Open and Backup viewtopic.php
Find:
if ( !empty($HTTP_POST_VARS['postorder']) ||
!empty($HTTP_GET_VARS['postorder']${
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ?
$HTTP_POST_VARS[$
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
$post_time_order = 'ASC';
}
Replace with:
//
// Decide how to order the post display
//
if ( !empty($HTTP_POST_VARS['postorder']) ||
!empty($HTTP_GET_VARS['postorder']${
$post_order = (!empty($HTTP_POST_VARS['postorder'])) ?
$HTTP_POST_VARS[$
// Exploit Fix
$post_order = htmlspecialchars($post_order);
$post_time_order = ($post_order == "asc") ? "ASC" : "DESC";
}
else
{
$post_order = 'asc';
// Exploit Fix
$post_order = htmlspecialchars($post_order);
$post_time_order = 'ASC';
}
by Milan 't4c' Berger
Cheng Peng Su wrote:
>
> ################################################
> Advisory Name:New phpBB ViewTopic.php Cross Site Scripting Vulnerability
> Release Date: Feb 29,2004
> Application: phpBB
> Platform: PHP
> Version Affected: the lastest version
> Vendor URL: http://www.phpbb.com/
> Discover: Cheng Peng Su(apple_soup_at_msn.com)
> ################################################
>
> Details:
> This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB',this time the problem is not in 'highlight' ,but in 'postorder'.we can inject HTML code,such code could be used to steal cookie information.
>
> Proof of Concept:
> If there is a topic at
> http://site/phpBB/viewtopic.php?t=123456
> this page can be also viewed at
> http://site/phpBB/viewtopic.php?t=123456&postorder=asc
> then this page will contain code like below:
> <a class="maintitle" href="viewtopic.php?t=176994&start=0&postdays=0&postorder=asc&highlight=">[Topic Title]</a>.
> phpBB doesn't filter out illegal characters from 'postorder',so we can inject HTML code after 'postorder='.
>
> Exploit:
> URL: http://site/phpBB/viewtopic.php?t=123456&postorder=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C
>
> note unescape('=%22%3E%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%64%6F%63%75%6D%65%6E%74%2E%63%6F%6F%6B%69%65%29%3C%2F%73%63%72%69%70%74%3E%3C') == '"><script>alert(document.cookie)</script><'
>
> Contact:
> Cheng Peng Su
> apple_soup_at_msn.com
> Class 1,Senior 2,High school attached to Wuhan University
> Wuhan,Hubei,China
>
>
--
Milan 't4c' Berger
Network & Security Administrator
21073 Hamburg
gpg: http://www.ghcif.de/keys/t4c.asc
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]