 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| | |
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9144
 People Online:
 Visitors: 83
 Members: 0
 Total: 83
|
|
|
|
|
|
Full disclosure |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
 Posted: Mon Aug 22, 2005 12:31 pm |
 |
|
| lunix |
| Regular user |
 |
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
 |
|
 |
|
It would work where admin functions are done by constructing a url.
If a forum used a url like
http://www.site.com/functions.php?f=1337&function=lock_thread
to lock the thread with the number 1337 you would just have to have
location:http://www.site.com/functions.php?f=1337&function=lock_thread in your script to force the admin or moderator to lock the thread.
They would be redirected there, and would be authorised to perform the function, so the script would just do it. |
|
|
|
|
| Posted: Tue Aug 23, 2005 10:28 am |
|
|
| kizkur |
| Regular user |
 |
|
| Joined: Dec 04, 2004 |
| Posts: 11 |
|
|
|
|
|
|
|
functions.php?f=1337&function=lock_thread this in phpbb not work
you are sure?
i have proben /modcp.php?t=2&mode=lock and it does not work either
thx |
|
|
|
|
| Posted: Tue Aug 23, 2005 1:29 pm |
|
|
| Heintz |
| Valuable expert |
|
|
| Joined: Jun 12, 2004 |
| Posts: 88 |
| Location: Estonia/Sweden |
|
|
|
|
|
|
actually i may have offered not-so good way to patch this vulnearability.
i contacted one forum admin (of xmb), and he suggested as follows:
to make GET url unique.. like adding a must-be ID (which is validated via database) to urls. like: logout.php?action=logout&uniqid=afasdf.. and that id is different each time.. so the attacker doesnt know where to redirect victim exacly and prevents stuff from working. so if implemented right it would work. |
|
_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!" |
|
|
|
|
|
|
|
| Posted: Tue Aug 23, 2005 1:49 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
| kizkur wrote: | functions.php?f=1337&function=lock_thread this in phpbb not work
you are sure?
i have proben /modcp.php?t=2&mode=lock and it does not work either
thx |
It was just an example of a possability.
On phpbb the most you can do it log them out by the looks of it. |
|
|
|
|
| Posted: Sat Aug 27, 2005 7:06 pm |
|
|
| topmsg |
| Beginner |
|
|
| Joined: May 17, 2004 |
| Posts: 1 |
|
|
|
|
|
|
|
| Any solution to patch de phpBB 2.0.17 code? |
|
|
|
|
| Posted: Sat Aug 27, 2005 9:58 pm |
|
|
| shai-tan |
| Valuable expert |
|
|
| Joined: Feb 22, 2005 |
| Posts: 477 |
|
|
|
|
|
|
|
| I think this problem cant be fixed on the 3rd party script side..... |
|
_________________
Shai-tan
?In short: just say NO TO DRUGS, and maybe you won?t end up like the Hurd people.? -- Linus Torvalds |
|
|
|
| Posted: Mon Aug 29, 2005 10:03 am |
|
|
| Neverhood |
| Regular user |
 |
|
| Joined: Aug 29, 2005 |
| Posts: 13 |
|
|
|
|
|
|
|
| is there a way to hack PHPBB 2.0.17? because i have tried everything and didnt worked |
|
|
|
|
| Posted: Mon Aug 29, 2005 9:35 pm |
|
|
| justlooking |
| Beginner |
|
|
| Joined: Aug 30, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
Hi, I'm trying to use this vulnerability to get the forum to open my web page in the forum users browser.
I have tried saving my page as index.htm and putting it into the signature.jpg folder but this does not work.
Now I am thinking that I should have some php code saved as my index.htm and that this code should open the page in their browser. It would be similar to the code that is being used to log users out, only it would load my page instead.
I do not know any PHP so could someone please help me and post some code that would do this. I want to open my page in the existing window, not in a new window. Thanks |
|
|
|
|
|
|
|
|
| Posted: Tue Sep 13, 2005 7:48 pm |
|
|
| robin1200 |
| Regular user |
|
|
| Joined: Sep 13, 2005 |
| Posts: 19 |
|
|
|
|
|
|
|
| subzero wrote: | nice discussion over here.
first of all,no need to fight or flaming just because of small thing.
releasing poc for it,for those dont believe it. try it out
make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.
example http://sitewithcode/signature.jpg
inside that folder .. put this code ..
and rename it to index file.
this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work . |
is there anyway we can generate this code via avatar but with a valid picuture (embeded with the xss code) so we can get rid of the X when the code is generaded...
or, how do I make it invisible?
robin |
|
|
|
|
|
|
|
|
| Posted: Tue Sep 13, 2005 9:08 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
| robin1200 wrote: | | subzero wrote: | nice discussion over here.
first of all,no need to fight or flaming just because of small thing.
releasing poc for it,for those dont believe it. try it out
make yourself a folder .. like darkclaw said.
rename the folder to signature.jpg
this will trick bbcode that its an image file.
example http://sitewithcode/signature.jpg
inside that folder .. put this code ..
and rename it to index file.
this will make every visitor getting logout when they viewing the thread that
have image linked to this or maybe delete the posting using admin privileage once admin view it. Always better to PM admin to make sure its work . |
is there anyway we can generate this code via avatar but with a valid picuture (embeded with the xss code) so we can get rid of the X when the code is generaded...
or, how do I make it invisible?
robin |
I dont think its possible because the headers sent would need to be for an image and not for a redierect.
as far as i know you wont be able to send both image AND redirect headers from the same script. |
|
_________________
 |
|
|
|
|
|
|
|
| Posted: Wed Sep 14, 2005 1:38 pm |
|
|
| robin1200 |
| Regular user |
|
|
| Joined: Sep 13, 2005 |
| Posts: 19 |
|
|
|
|
|
|
|
How about hiddig the code?... the same way they did it with the cookie stealer script?
come on guys... there's got to be a way so we don't expose the code to the admin...
 |
|
|
|
|
| Posted: Wed Sep 14, 2005 3:52 pm |
|
|
| Unicorn |
| Regular user |
 |
|
| Joined: Jul 17, 2005 |
| Posts: 14 |
|
|
|
|
|
|
|
It is possible:
| Code: |
[color = FFFFF][img]http://yoursite.com/ohfuckyoureloggedoff.jpg[/img][/color] |
|
|
|
|
|
| Posted: Wed Sep 14, 2005 10:16 pm |
|
|
| robin1200 |
| Regular user |
|
|
| Joined: Sep 13, 2005 |
| Posts: 19 |
|
|
|
|
|
|
|
nope!
this code still shows an ugly x
| Quote: | |
|
|
|
|
|
| Posted: Wed Sep 14, 2005 10:48 pm |
|
|
| lunix |
| Regular user |
|
|
| Joined: Aug 17, 2005 |
| Posts: 16 |
|
|
|
|
|
|
|
you cant do it because it looks for an image, and dosnt find an image.
Its a function of the browser.
If the browser looks for an image and finds no image data or headers it displpays the red X.
You cant include image headers in the script because you need to send redirect headers. |
|
_________________
|
|
|
|
| Posted: Thu Sep 15, 2005 6:04 am |
|
|
| Unicorn |
| Regular user |
|
|
| Joined: Jul 17, 2005 |
| Posts: 14 |
|
|
|
|
|
|
|
Ok here it goes :
 |
|
Last edited by Unicorn on Thu Sep 15, 2005 8:12 am; edited 3 times in total |
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 4 of 5
Goto page Previous1, 2, 3, 4, 5Next
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
