Waraxe IT Security Portal
Login or Register
November 23, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 80
Members: 0
Total: 80
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> PhpBB -> phpBB 2.0.17 and most likely below Goto page Previous1, 2, 3, 4, 5Next
Post new topicReply to topic View previous topic :: View next topic
PostPosted: Mon Aug 22, 2005 12:31 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




It would work where admin functions are done by constructing a url.
If a forum used a url like
http://www.site.com/functions.php?f=1337&function=lock_thread
to lock the thread with the number 1337 you would just have to have
location:http://www.site.com/functions.php?f=1337&function=lock_thread in your script to force the admin or moderator to lock the thread.

They would be redirected there, and would be authorised to perform the function, so the script would just do it.
View user's profile Send private message Visit poster's website
PostPosted: Tue Aug 23, 2005 10:28 am Reply with quote
kizkur
Regular user
Regular user
Joined: Dec 04, 2004
Posts: 11




functions.php?f=1337&function=lock_thread this in phpbb not work

you are sure?

i have proben /modcp.php?t=2&mode=lock and it does not work either

thx
View user's profile Send private message
PostPosted: Tue Aug 23, 2005 1:29 pm Reply with quote
Heintz
Valuable expert
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden




actually i may have offered not-so good way to patch this vulnearability.
i contacted one forum admin (of xmb), and he suggested as follows:
to make GET url unique.. like adding a must-be ID (which is validated via database) to urls. like: logout.php?action=logout&uniqid=afasdf.. and that id is different each time.. so the attacker doesnt know where to redirect victim exacly and prevents stuff from working. so if implemented right it would work.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
View user's profile Send private message Send e-mail Visit poster's website MSN Messenger
PostPosted: Tue Aug 23, 2005 1:49 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




kizkur wrote:
functions.php?f=1337&function=lock_thread this in phpbb not work

you are sure?

i have proben /modcp.php?t=2&mode=lock and it does not work either

thx

It was just an example of a possability.

On phpbb the most you can do it log them out by the looks of it.
View user's profile Send private message Visit poster's website
PostPosted: Sat Aug 27, 2005 7:06 pm Reply with quote
topmsg
Beginner
Beginner
Joined: May 17, 2004
Posts: 1




Any solution to patch de phpBB 2.0.17 code?
View user's profile Send private message
PostPosted: Sat Aug 27, 2005 9:58 pm Reply with quote
shai-tan
Valuable expert
Valuable expert
Joined: Feb 22, 2005
Posts: 477




I think this problem cant be fixed on the 3rd party script side.....

_________________
Shai-tan

?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds
View user's profile Send private message
PostPosted: Mon Aug 29, 2005 10:03 am Reply with quote
Neverhood
Regular user
Regular user
Joined: Aug 29, 2005
Posts: 13




is there a way to hack PHPBB 2.0.17? because i have tried everything and didnt worked
View user's profile Send private message
PostPosted: Mon Aug 29, 2005 9:35 pm Reply with quote
justlooking
Beginner
Beginner
Joined: Aug 30, 2005
Posts: 2




Hi, I'm trying to use this vulnerability to get the forum to open my web page in the forum users browser.

I have tried saving my page as index.htm and putting it into the signature.jpg folder but this does not work.

Now I am thinking that I should have some php code saved as my index.htm and that this code should open the page in their browser. It would be similar to the code that is being used to log users out, only it would load my page instead.

I do not know any PHP so could someone please help me and post some code that would do this. I want to open my page in the existing window, not in a new window. Thanks
View user's profile Send private message
PostPosted: Tue Sep 13, 2005 7:48 pm Reply with quote
robin1200
Regular user
Regular user
Joined: Sep 13, 2005
Posts: 19




subzero wrote:
nice discussion over here.
first of all,no need to fight or flaming just because of small thing.

releasing poc for it,for those dont believe it. try it out

make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.

example http://sitewithcode/signature.jpg

inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work .Wink



is there anyway we can generate this code via avatar but with a valid picuture (embeded with the xss code) so we can get rid of the X when the code is generaded...

or, how do I make it invisible?

robin
View user's profile Send private message
PostPosted: Tue Sep 13, 2005 9:08 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




robin1200 wrote:
subzero wrote:
nice discussion over here.
first of all,no need to fight or flaming just because of small thing.

releasing poc for it,for those dont believe it. try it out

make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.

example http://sitewithcode/signature.jpg

inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work .Wink



is there anyway we can generate this code via avatar but with a valid picuture (embeded with the xss code) so we can get rid of the X when the code is generaded...

or, how do I make it invisible?

robin

I dont think its possible because the headers sent would need to be for an image and not for a redierect.
as far as i know you wont be able to send both image AND redirect headers from the same script.

_________________
View user's profile Send private message Visit poster's website
PostPosted: Wed Sep 14, 2005 1:38 pm Reply with quote
robin1200
Regular user
Regular user
Joined: Sep 13, 2005
Posts: 19




How about hiddig the code?... the same way they did it with the cookie stealer script?

come on guys... there's got to be a way so we don't expose the code to the admin...

Embarassed
View user's profile Send private message
PostPosted: Wed Sep 14, 2005 3:52 pm Reply with quote
Unicorn
Regular user
Regular user
Joined: Jul 17, 2005
Posts: 14




It is possible:
Code:

[color = FFFFF][img]http://yoursite.com/ohfuckyoureloggedoff.jpg[/img][/color]
View user's profile Send private message Visit poster's website
PostPosted: Wed Sep 14, 2005 10:16 pm Reply with quote
robin1200
Regular user
Regular user
Joined: Sep 13, 2005
Posts: 19




nope!

this code still shows an ugly x



Quote:
View user's profile Send private message
PostPosted: Wed Sep 14, 2005 10:48 pm Reply with quote
lunix
Regular user
Regular user
Joined: Aug 17, 2005
Posts: 16




you cant do it because it looks for an image, and dosnt find an image.
Its a function of the browser.

If the browser looks for an image and finds no image data or headers it displpays the red X.

You cant include image headers in the script because you need to send redirect headers.

_________________
View user's profile Send private message Visit poster's website
PostPosted: Thu Sep 15, 2005 6:04 am Reply with quote
Unicorn
Regular user
Regular user
Joined: Jul 17, 2005
Posts: 14




Ok here it goes :


Last edited by Unicorn on Thu Sep 15, 2005 8:12 am; edited 3 times in total
View user's profile Send private message Visit poster's website
phpBB 2.0.17 and most likely below
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 4 of 5
Goto page Previous1, 2, 3, 4, 5Next
Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.049 Seconds