Vulners
Lucene search
phpBBXSS206d.txt
🗓️ 15 Mar 2004 00:00:00Reported by James BercegayType 
packetstorm🔗 packetstormsecurity.com👁 25 Views
`Vendor : phpBB Group
URL : http://www.phpbb.com
Version : phpBB 2.0.6d && Earlier
Risk : Cross Site Scripting
Description:
phpBB is a high powered, fully scalable, and highly customisable open-source
bulletin board package. phpBB has a user-friendly interface, simple and straight
forward administration panel, and helpful FAQ. Based on the powerful PHP server
language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database
servers, phpBB is the ideal free community solution for all web sites.
Problem:
phpBB is a great forum system used by many millions of people. It is one of
the more secure of the forum systems, but has a few issues still present; both
of which allow for XSS (Cross Site Scripting). This problem presents itself in
two different places.One of these places is viewtopic.php and the other is
viewforum.php Below are examples along with a brief explanation on how to
replicate this issue.
viewforum.php?f=[FNUM]&topicdays=[DNUM][XSS]
FNUM is a valid forum number. DNUM is the number of days to check. If you get no
results with the number 1 for example try the number 99 and so forth and so on.
XSS is whatever code is injected.
viewtopic.php?t=[TNUM]&postdays=[DNUM][XSS]
This is nearly the same issue as above, it just happens to be present in multiple
files. The only difference is TNUM is a valid topic id number. Remember, the query
must display results in order for the XSS to take place. Additionally the offset
(start) variable may be used to get results, but in most cases is unnecessary.
Examples are below though.
Examples:
viewforum.php?f=1&topicdays=99"><script>alert(document.cookie)</script>&start=30
viewtopic.php?t=10&postdays=99"><script>alert(document.cookie)</script>&start=20
Solution:
I have released a fix for this vulnerability. It requires a valid integer for the
affected variables, and thus eliminates this vulnerability from taking place. You
can find the fix by following the link below.
http://www.gulftech.org/vuln/phpBB2.0.6dfix.rar
Alternatively you can do it yourself by following the instructions listed below.
-----[ OPEN ]-----------------------------------
viewforum.php
-----[ FIND ]-----------------------------------
if ( !empty($HTTP_POST_VARS['topicdays']) || !empty($HTTP_GET_VARS['topicdays']) )
{
$topic_days = ( !empty($HTTP_POST_VARS['topicdays']) ) ? $HTTP_POST_VARS['topicdays'] : $HTTP_GET_VARS['topicdays'];
$min_topic_time = time() - ($topic_days * 86400);
-----[ REPLACE WITH ]---------------------------
if ( !empty($HTTP_POST_VARS['topicdays']) || !empty($HTTP_GET_VARS['topicdays']) )
{
///////////////////////////////////////////////////////////////////
// Lets Do Away With These Problems By Requiring A Valid Integer //
// Fix By JeiAr // http://www.gulftech.org // Friday 03 12, 2004 //
///////////////////////////////////////////////////////////////////
$topic_days = ( !empty($HTTP_POST_VARS['topicdays']) ) ? intval($HTTP_POST_VARS['topicdays']) : intval($HTTP_GET_VARS['topicdays']);
$min_topic_time = time() - ($topic_days * 86400);
-----[ OPEN ]-----------------------------------
viewtopic.php
-----[ FIND ]-----------------------------------
if( !empty($HTTP_POST_VARS['postdays']) || !empty($HTTP_GET_VARS['postdays']) )
{
$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? $HTTP_POST_VARS['postdays'] : $HTTP_GET_VARS['postdays'];
$min_post_time = time() - (intval($post_days) * 86400);
-----[ REPLACE WITH ]---------------------------
if( !empty($HTTP_POST_VARS['postdays']) || !empty($HTTP_GET_VARS['postdays']) )
{
///////////////////////////////////////////////////////////////////
// Lets Do Away With These Problems By Requiring A Valid Integer //
// Fix By JeiAr // http://www.gulftech.org // Friday 03 12, 2004 //
///////////////////////////////////////////////////////////////////
$post_days = ( !empty($HTTP_POST_VARS['postdays']) ) ? intval($HTTP_POST_VARS['postdays']) : intval($HTTP_GET_VARS['postdays']);
$min_post_time = time() - (intval($post_days) * 86400);
phpBB development team will be releasing an official fix soon. Please check their
website, or the SourceForge projects page of phpBB for any updates. The SourceForge
projects page for phpBB can be located @ http://sourceforge.net/projects/phpbb The
fix supplied here should suffice though. If you feel this is incorrect please contact
me with details of any problems you experience. And a big thanks to Meik Sievertsen
and the rest of the phpBB team for addressing these issues in a very prompt and
professional manner. Original advisory located @ http://www.gulftech.org/03122004.php
Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Mar 2004 00:00Current
7.4High risk
Vulners AI Score7.4