RE: [Full-disclosure] phpBB 2.0.19 Cross Site Request Forgeries and XSSAdmin
From: Maksymilian Arciemowicz (maxjestsuper.pl)
Date: Fri Feb 03 2006 - 08:22:40 CST
> From: Berliner <berliner.does.not.mean.jelly.donut_at_googlemail.com>
> 1. Basically all phpBB admin-side options do allow full HTML, including
> phpBB does however check the Session ID before allowing the changes to go to
> the database.
> Your exploit needs a valid admin session key and you need to get the admin
> to visit the page (unless you happen to have a lot of luck with your IP)- be
> it by a link or a reflecting page. And even then, it will only work, when
> the admin has logged into the ACP prior to running into the trap.
preg_match('#sid\=?([0-9a-z]*)#i', getenv('HTTP_REFERER'), $sid);
if you have for example <IMG SRC="http://SOME.SCRIPT.PHP"> and you send referer...
(tested in IE, Mozilla etc.) then please check getenv('HTTP_REFERER')
The phpBB team was informed about these issues and they confirmed that these
vulnerabilities exist in phpBB 2.0.19. Solution is to use POST for all
> 2. That is a general problem with all pages allowing off-site pictures. It
> has been discussed on the list before. Most of your examples won't work with
> phpBB, due to the missing Session ID in the links.
pub 1024D/7FDF4CEE 2005-09-21
uid Maksymilian Arciemowicz (cXIb8O3) <maxjestsuper.pl>
sub 2048g/AE816DB6 2005-09-21
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
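As an added illustration (not phpBB's code and not from either poster): a small PHP script contrasting the Referer fallback quoted in the thread with the POST-only check that the reply recommends. The session value, the forum URL and the function names are constructed for this demo.

```php
<?php
// Constructed demo: why recovering the session id from the Referer header
// defeats the session-id check, and what a POST-only check looks like instead.

// The fallback quoted in the thread: the sid is read out of the Referer URL.
function sid_from_referer(string $referer): ?string
{
    // Same pattern as in the post: matches "sid=..." anywhere in the URL.
    if (preg_match('#sid\=?([0-9a-z]*)#i', $referer, $m) && $m[1] !== '') {
        return $m[1];
    }
    return null;
}

// Hardened check (an assumption for this demo, not phpBB's actual patch):
// the sid must travel in the POST body and match the one bound to the
// server-side session; a plain <img> GET request never satisfies this.
function request_is_authorised(array $post, string $session_sid): bool
{
    if (!isset($post['sid']) || !is_string($post['sid'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak via timing.
    return hash_equals($session_sid, $post['sid']);
}

$session_sid = '3f1a2b4c5d6e7f80';   // constructed value, not a real sid

// The admin reads a topic at a URL that carries their own sid; an <img>
// inside that topic makes the browser fetch the admin script with this
// Referer, so the sid reaches the script without the admin sending it.
$referer = 'http://forum.example/viewtopic.php?t=12&sid=' . $session_sid;

// Case 1: Referer fallback recovers the admin's sid from the image request.
var_dump(sid_from_referer($referer) === $session_sid);

// Case 2: POST-only check; the image request has no body, so no sid.
var_dump(request_is_authorised([], $session_sid));

// Case 3: a genuine form submission that carries the sid in the body.
var_dump(request_is_authorised(['sid' => $session_sid], $session_sid));
```

Run it with `php demo.php`; the first case shows the sid being recovered from the Referer alone, which is the behaviour the thread describes, while only the third case passes the POST-based check.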