Type packetstorm
Reporter h4cky0u
Modified 2005-08-24T00:00:00


Saw this one on (Discovered by Easyex) and i was  
thinking if there are some more possibilities using the method  
described. The POC below is for phpBB. -  
make yourself a folder on your host   
rename the folder to signature.jpg   
this will trick bbcode that its an image file.   
example http://sitewithmaliciouscode/signature.jpg   
inside that folder .. put this code ..   
and rename it to index.php file.   
header("Location: http://hosttobeexploited/phpBB/login.php?logout=true");   
this will make every visitor getting logout when they view the thread that   
have image linked to this.  
This seems to be working on almost all the scripts using BBcode.  
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the  
image link to the folder with the malicious code as the forum  
signature. What i was wondering is there anything more serious than  
logging out the users that can be done with this? The admin folders of  
ipb and phpbb need reauthentication. So nothing serious for them but  
anything more innovative that could be done? And any way to fix this?  
(In)Security at its best...