Информационная безопасность
[RU] switch to English

Дополнительная информация

  Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  PHP Live! v3.2 (header.php) Remote File Include Vulnerabilities

  [KurdishVanilla CMS <= 1.0.1 (RootDirectory)
Remote file inclusion Vuln.]

  [Kurdish Security # 14] MoSpray [base_dir] Remote Command Execution [ Mambo & Joomla]

  DotClear : Multiples Full Path Disclosure

From:renatrix_(at)_gmail.com <renatrix_(at)_gmail.com>
Date:24 июля 2006 г.
Subject:XSS phpBB 2.0.21 in administration

phpBB 2.0.21 XSS in administration

//-- By Blwood [[email protected]]
//-- [ http://www.blwood.net ]

Style Admin

Management & Create a theme

Lots of input are not properly "filtrate" like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)...

We cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1>
but it's more interresting to inject javascript :) :
"><body onload="alert('Owned by Blwood')"> => style_name
"><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ...
When an admin will go in Style Administration he will be Owned. (inject in style_name)
When an admin will edit a them he will be Owned.

Group Administration


Input group_description is not correctly "filtrated" we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script>
When an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php
by every visitors.
An exploit could be :


Rank Administration

Rank Title (input title) is not correctly filtrated, we can inject js like : "><script>alert('xss')</script>
But what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :)
Now you can inject what you want but maximum 40 caracters...


Smiles Editing Utility

Smiley Code : "><body onload="alert('Owned by Blwood')">


General Configuartion

Inputs are not correctyle filtrated : Ex : allow_html_tags  => "><script>alert('Owned by Blwood')</script>

[ Video ]


О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород