phpBB 2.0.21 XSS in administration
**********************************

//-- By Blwood [renatrix@gmail.com]
//-- [ http://www.blwood.net ]
//--

Style Admin
-----------

Management & Create a theme

Many inputs are not properly filtered, such as style_name, head_stylesheet, body_background and tr_color1_name (all the inputs in simple name)...

We can of course inject HTML this way : ">
Owned by Blwood :P

but it's more interesting to inject JavaScript :) :
"> => style_name
"> => head_stylesheet, body_background, ...
When an admin goes to Style Administration, he will be owned (injection in style_name).
When an admin edits a theme, he will be owned.


Group Administration
--------------------

Management

The group_description input is not correctly filtered; we can inject JS like this : "> or ">
When an admin goes to Group Administration, he'll be owned. What's more, the groups can be seen in groupcp.php by every visitor.
An exploit could be :
">
or
">

Ranks
-----

Rank Administration

Rank Title (the title input) is not correctly filtered; we can inject JS like : ">
What's interesting is that if you give this rank to a user, the rank will appear in the user's topics and the code will be executed when someone views a topic :)
You can inject what you want, but with a maximum of 40 characters...


Smilies
-------

Smiles Editing Utility

Smiley Code : ">

Configuration
-------------

General Configuration

Inputs are not correctly filtered, e.g. : allow_html_tags => ">
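
The root cause shared by the sections above is that stored admin values are written back into HTML without output encoding. As an added example (not phpBB code and not part of the original advisory; the function names and sample values are constructed), here is the unescaped pattern beside the output-encoded one in modern PHP:

```php
<?php
// Added illustration, not phpBB source. Function names are hypothetical.

// Unescaped pattern: the stored value lands inside value="..." as-is, so a
// double quote followed by '>' ends the attribute and the tag.
function render_field_unsafe(string $name, string $stored): string
{
    return '<input type="text" name="' . $name . '" value="' . $stored . '" />';
}

// Encode on output. ENT_QUOTES covers both quote styles, so the value cannot
// terminate the attribute it is written into.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_field_safe(string $name, string $stored): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($stored) . '" />';
}

// The same encoding applies where the value is printed as text, such as a
// group description in groupcp.php or a rank title beside a post.
function render_text_safe(string $stored): string
{
    return '<span>' . e($stored) . '</span>';
}

// Constructed sample values (harmless markup only); keys are field names
// taken from the advisory.
$samples = [
    'style_name'        => 'subSilver"><b>marker</b>',
    'group_description' => 'Moderators"><i>marker</i>',
    'title'             => 'Site Admin',
];

foreach ($samples as $field => $value) {
    echo 'unsafe: ', render_field_unsafe($field, $value), "\n";
    echo 'safe:   ', render_field_safe($field, $value), "\n";
    echo 'text:   ', render_text_safe($value), "\n\n";
}
```

In the safe output the quote and angle brackets appear as &quot;, &lt; and &gt;, so the browser treats the whole stored value as data rather than markup.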

[ Video ]

http://www.blwood.net/advisory/phpbb2021xssadmin.rar