Waraxe IT Security Portal  
November 18, 2019
phpBB 2.0.17 and most likely below

Posted: Mon Aug 22, 2005 12:31 pm
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

It would work where admin functions are done by constructing a url.
If a forum used a url like
http://www.site.com/functions.php?f=1337&function=lock_thread
to lock the thread with the number 1337 you would just have to have
location:http://www.site.com/functions.php?f=1337&function=lock_thread in your script to force the admin or moderator to lock the thread.

They would be redirected there, and would be authorised to perform the function, so the script would just do it.

Posted: Tue Aug 23, 2005 10:28 am
kizkur
Regular user
Joined: Dec 04, 2004
Posts: 11

functions.php?f=1337&function=lock_thread this does not work in phpBB

Are you sure?

I have tried /modcp.php?t=2&mode=lock and it does not work either

thx

Posted: Tue Aug 23, 2005 1:29 pm
Heintz
Valuable expert
Joined: Jun 12, 2004
Posts: 88
Location: Estonia/Sweden

Actually, I may have offered a not-so-good way to patch this vulnerability.
I contacted one forum admin (of XMB), and he suggested as follows:
to make the GET URL unique, like adding a must-be ID (which is validated via database) to URLs, like: logout.php?action=logout&uniqid=afasdf.. and that ID is different each time, so the attacker doesn't know where to redirect the victim exactly, and it prevents stuff from working. So if implemented right it would work.

_________________
AT 14:00 /EVERY:1 DHTTP /oindex.php www.waraxe.us:80 | FIND "SA#037" 1>Nul 2>&1 & IF ERRORLEVEL 0 "c:program filesApache.exe stop & DSAY alarmaaa!"
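
The unique-ID check described in the post above, as an added example that is not part of the original thread and is not phpBB or XMB code: the logout link carries a random token that the server stored for the session, and the action runs only when the two match. The function names and the use of `$_SESSION` in place of the database table the post mentions are assumptions made for the example.

```php
<?php
// Added example (not phpBB or XMB code). A token bound to the session and to
// one action makes the action URL unpredictable, so a URL fixed in advance
// (for instance the target of a redirecting [img] link) is rejected.
// Assumption: tokens are kept in $_SESSION; the post suggests a database.

function issue_action_token(string $action): string
{
    $token = bin2hex(random_bytes(16));            // 128 unpredictable bits
    $_SESSION['action_tokens'][$action] = $token;  // new value on every issue
    return $token;
}

function check_action_token(string $action, $supplied): bool
{
    $expected = $_SESSION['action_tokens'][$action] ?? null;
    // Missing tokens and array-typed parameters fail before the comparison.
    $ok = is_string($expected) && is_string($supplied)
        && hash_equals($expected, $supplied);      // constant-time compare
    if ($ok) {
        unset($_SESSION['action_tokens'][$action]); // single use
    }
    return $ok;
}

function logout_url(): string
{
    return 'logout.php?action=logout&uniqid=' . issue_action_token('logout');
}

function handle_logout(array $query): string
{
    if (($query['action'] ?? '') !== 'logout'
        || !check_action_token('logout', $query['uniqid'] ?? null)) {
        return 'rejected';                         // session left untouched
    }
    $_SESSION = [];                                // the logout itself
    return 'logged out';
}

// Constructed demonstration for the PHP CLI; $_SESSION is filled by hand.
$_SESSION = ['user_id' => 2];
parse_str((string) parse_url(logout_url(), PHP_URL_QUERY), $genuine);
$forged = ['action' => 'logout', 'uniqid' => 'afasdf'];  // guessed value

echo 'no token:     ', handle_logout(['action' => 'logout']), "\n";
echo 'guessed:      ', handle_logout($forged), "\n";
echo 'genuine link: ', handle_logout($genuine), "\n";
echo 'replayed:     ', handle_logout($genuine), "\n";
```

Because the token travels in the URL here, as in the post, it can leak through the Referer header or server logs; sending the same token in a POST form field avoids that.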

Posted: Tue Aug 23, 2005 1:49 pm
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

kizkur wrote:
functions.php?f=1337&function=lock_thread this does not work in phpBB

Are you sure?

I have tried /modcp.php?t=2&mode=lock and it does not work either

thx

It was just an example of a possibility.

On phpBB the most you can do is log them out, by the looks of it.

Posted: Sat Aug 27, 2005 7:06 pm
topmsg
Beginner
Joined: May 17, 2004
Posts: 1

Any solution to patch the phpBB 2.0.17 code?

Posted: Sat Aug 27, 2005 9:58 pm
shai-tan
Valuable expert
Joined: Feb 22, 2005
Posts: 477

I think this problem can't be fixed on the 3rd party script side.....

_________________
Shai-tan

"In short: just say NO TO DRUGS, and maybe you won't end up like the Hurd people." -- Linus Torvalds

Posted: Mon Aug 29, 2005 10:03 am
Neverhood
Regular user
Joined: Aug 29, 2005
Posts: 13

Is there a way to hack phpBB 2.0.17? Because I have tried everything and it didn't work.

Posted: Mon Aug 29, 2005 9:35 pm
justlooking
Beginner
Joined: Aug 30, 2005
Posts: 2

Hi, I'm trying to use this vulnerability to get the forum to open my web page in the forum user's browser.

I have tried saving my page as index.htm and putting it into the signature.jpg folder but this does not work.

Now I am thinking that I should have some php code saved as my index.htm and that this code should open the page in their browser. It would be similar to the code that is being used to log users out, only it would load my page instead.

I do not know any PHP so could someone please help me and post some code that would do this. I want to open my page in the existing window, not in a new window. Thanks

Posted: Tue Sep 13, 2005 7:48 pm
robin1200
Regular user
Joined: Sep 13, 2005
Posts: 19

subzero wrote:
Nice discussion over here.
First of all, no need to fight or flame just because of a small thing.

Releasing a PoC for it, for those who don't believe it. Try it out.

Make yourself a folder .. like darkclaw said.
Rename the folder to signature.jpg
This will trick bbcode that it's an image file.

Example: http://sitewithcode/signature.jpg

Inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


This will make every visitor get logged out when they view the thread that
has an image linked to this, or maybe delete the posting using admin privilege once the admin views it. Always better to PM the admin to make sure it works. Wink



Is there any way we can generate this code via avatar but with a valid picture (embedded with the XSS code) so we can get rid of the X when the code is generated...

or, how do I make it invisible?

robin

Posted: Tue Sep 13, 2005 9:08 pm
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

robin1200 wrote:
subzero wrote:
Nice discussion over here.
First of all, no need to fight or flame just because of a small thing.

Releasing a PoC for it, for those who don't believe it. Try it out.

Make yourself a folder .. like darkclaw said.
Rename the folder to signature.jpg
This will trick bbcode that it's an image file.

Example: http://sitewithcode/signature.jpg

Inside that folder .. put this code ..
and rename it to index file.

Quote:
<?php
header("Location: http://exploit.host/phpBB/login.php?logout=true");
exit;
?>


This will make every visitor get logged out when they view the thread that
has an image linked to this, or maybe delete the posting using admin privilege once the admin views it. Always better to PM the admin to make sure it works. Wink



Is there any way we can generate this code via avatar but with a valid picture (embedded with the XSS code) so we can get rid of the X when the code is generated...

or, how do I make it invisible?

robin

I don't think it's possible, because the headers sent would need to be for an image and not for a redirect.
As far as I know you won't be able to send both image AND redirect headers from the same script.

Posted: Wed Sep 14, 2005 1:38 pm
robin1200
Regular user
Joined: Sep 13, 2005
Posts: 19

How about hiding the code?... the same way they did it with the cookie stealer script?

Come on guys... there's got to be a way so we don't expose the code to the admin...

Embarrassed

Posted: Wed Sep 14, 2005 3:52 pm
Unicorn
Regular user
Joined: Jul 17, 2005
Posts: 14

It is possible:
Code:

[color = FFFFF][img]http://yoursite.com/ohfuckyoureloggedoff.jpg[/img][/color]

Posted: Wed Sep 14, 2005 10:16 pm
robin1200
Regular user
Joined: Sep 13, 2005
Posts: 19

nope!

this code still shows an ugly x



Quote:

Posted: Wed Sep 14, 2005 10:48 pm
lunix
Regular user
Joined: Aug 17, 2005
Posts: 16

You can't do it because it looks for an image, and doesn't find an image.
It's a function of the browser.

If the browser looks for an image and finds no image data or headers, it displays the red X.

You can't include image headers in the script because you need to send redirect headers.

Posted: Thu Sep 15, 2005 6:04 am
Unicorn
Regular user
Joined: Jul 17, 2005
Posts: 14

Ok here it goes :


Last edited by Unicorn on Thu Sep 15, 2005 8:12 am; edited 3 times in total
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2013 Janek Vind "waraxe"