From: predej deja
To: cert@cert.org, osvdb , secunia , securityfocus
Date: Fri, 31 Mar 2006 23:17:11 +0200
Subject: [OSVDB Mods] Found some XSS holes in phpBB 2.0.19..

PhpBB 2.0.19 XSS
Found by Preddy of RootShell Security Group

Description:
Some parts of code in phpbb do not check user input correctly which allows authorized and unauthorized users to inject XSS code.

PoC:

1) http://[site]/admin/admin_board.php?
post "> under 'Site Description' and save it.. xss code gets in 'index.php'

2) http://[site]/profile.php
When you edit your own profile:
Post: ">XSS under the 'Current password'
then enter passwords that don't match in 'New password' and 'Confirm password'
eg:
New password: blabla1
Confirm password: bleble2
then submit and you will see XSS code.

3) http://[site]/admin_groups.php?
When you make a new group in the admincp the group gets viewed in groupcp.php
Go to: http://[site]/admin/admin_groups.php?
Click the 'Create new group' button
Then under 'Group name' and 'Group description' type: ">
and add a group moderator if you want to, then click submit..
You immediately get an Alert showing your cookie information and you can also see the same alert in groupcp.php + by clicking the 'View Information' button in groupcp.php

4) http://[site]/admin/admin_styles.php?mode=create
Input in 'Theme Name': ">

XSS/HTML INJECTION

then input a 'CSS Stylesheet' if you want to.. after that click 'Save Settings' and you will see your text in h1 format.

5) http://[site]/admin/admin_ranks.php?
Click 'Add new rank' then input: ">XSS into 'Rank Title' and click 'Submit'
And you will see some XSS code.

NOTE: *GUYZ IM SOOOO TIRED :P THERE ARE MORE BUT ILL WRITE THOSE SOME OTHER TIME.*

TESTED UNDER: PHP 4.3.10(win32), Register Globals: Off, Magic Quotes: Off

Preddy
RootShell Security group
www.rootshell-security.net
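
Added example, not part of the original post and not phpBB code: every item above is a form value echoed back into a page without output encoding, so the sketch below shows that pattern beside the encoded form, with a regression check a maintainer could run against each affected field. The function names, the field name and the sample value are constructed for illustration, and the check assumes PHP's DOM extension is available.

```php
<?php
// Vulnerable pattern: the submitted value is written into the attribute as-is,
// so a value beginning with "> closes the attribute and the tag.
function render_input_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '" />';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES covers both quote styles; the charset must match the page's.
function render_input_safe(string $name, string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="' . $name . '" value="' . $enc . '" />';
}

// Regression check: parse the rendered fragment and confirm the submitted
// value is still wholly inside the value attribute, with no extra elements
// or stray text created next to the input.
function stays_in_attribute(string $html, string $value): bool
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<html><body>' . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    $elements = 0;
    foreach ($body->childNodes as $node) {
        if ($node->nodeType === XML_ELEMENT_NODE) {
            $elements++;
        }
    }
    $input = $doc->getElementsByTagName('input')->item(0);
    return $elements === 1
        && trim($body->textContent) === ''
        && $input !== null
        && $input->getAttribute('value') === $value;
}

// Constructed, inert sample value with the same leading "> as the report.
$submitted = '"><b>constructed marker</b>';

var_dump(stays_in_attribute(render_input_unsafe('group_name', $submitted), $submitted));
var_dump(stays_in_attribute(render_input_safe('group_name', $submitted), $submitted));
```

The same check applies to values stored by the admin pages and displayed later (site description, group name, theme name, rank title): encode when the value is written into HTML, not only when it is submitted.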