Full disclosure |
|
|
|
|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
I tried this a while ago. I also tried using the GD library to create an image with PHP.
But because the header sent by the script is a redirect header it won't work because the image will need to sen ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
You can't do it because it looks for an image, and doesn't find an image.
It's a function of the browser.
If the browser looks for an image and finds no image data or headers it displays the red X.
... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
Nice discussion over here.
First of all, no need to fight or flame just because of a small thing.
Releasing a PoC for it, for those who don't believe it. Try it out.
Make yourself a folder .. like darkc ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
functions.php?f=1337&function=lock_thread this does not work in phpBB.
Are you sure?
I have tried /modcp.php?t=2&mode=lock and it does not work either.
Thx
It was just an example of a poss ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
It would work where admin functions are done by constructing a URL.
If a forum used a URL like
http://www.site.com/functions.php?f=1337&function=lock_thread
to lock the thread with the number ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
It would work in anything that allows people to post images.
The flaw isn't in BBCode, it's in browsers.
I don't think they will even bother to patch this.
Parsing EVERY image every time the page ... |
|
|
|
lunix |
|
Replies: 209 |
Views: 284534 |
|
|
|
|
|
|
Plaintext of 96ce48439595f7874ea46d4e5dead34a is cammello
Plaintext of ebad407bc98ebfc25bca10b645baa4a5 is hannah96 |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
The only way to get root on phpbb now is to get the admin hash and crack it. All the fun stopped when phpbb realised EVERY admin cookie was the same. |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
What about using the same vulnerability to make a user an administrator? Or at least something more interesting than "Logout".
I don't think you understand what the script is doing. |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
So far this has worked on every forum and every browser I have tested it on.
There are also a couple of other interesting possibilities we are testing out. |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
Yeah, that is interesting. Looks like it worked on IE and FF for me.
Theoretically that would work on any forum and there is no possibility of creating a patch.
I'm gonna investigate this a li ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
phpBB already blocks direct PHP images though.
So anything like login.php?action=logout would not get parsed and would just display the link within the img tags.
Like when people link to scripts tha ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
Post a proof-of-concept code then if you're so confident this will have an effect.
We tried every possibility 18 months ago, nothing would work.
Because you are using img tags it only has the abilit ... |
|
|
|
lunix |
|
Replies: 63 |
Views: 98592 |
|
|
|
|
|
|
The PHP will NOT be run on the server you are trying to exploit.
It will be run on YOUR server, so there is no XSS possibility.
Then the image headers are sent to the browsers and an image is downlo ... |
|
|