Re: [Full-disclosure] BBCode [IMG] [/IMG ] Tag Vulnerability
There is a very similar trick: Often you also can take over PHP-session and get authentificated as another user, if you just log referers of an image loaded using [IMG][/IMG]. The user needs to have disabled cookies so that the PHPSESSION is set in URL. This can be done automatically using a little Perl/PHP-Script. You can use regex to parse out which useraccount you compromised. If it was an administrator or moderator you could delete posts or kick users. Greetings, Jan _ Mit der Gruppen-SMS von WEB.DE FreeMail können Sie eine SMS an alle Freunde gleichzeitig schicken: http://freemail.web.de/features/?mc=021179 ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] BBCode [IMG] [/IMG ] Tag Vulnerability
alrighty, How can this be done with header location being called in the middle of the page? img src=http://www.site.biz/test/test.jpg; border=0 / Tested on phpbb 2.0.17 default install with a no go. /str0ke On 8/21/05, h4cky0u [EMAIL PROTECTED] wrote: Hi, Saw this one on www.waraxe.us (Discovered by Easyex) and i was thinking if there are some more possibilities using the method described. The POC below is for phpBB. - == make yourself a folder on your host rename the folder to signature.jpg this will trick bbcode that its an image file. example http://sitewithmaliciouscode/signature.jpg inside that folder .. put this code .. and rename it to index.php file. Quote: ?php header(Location: http://hosttobeexploited/phpBB/login.php?logout=true;); exit; ? this will make every visitor getting logout when they view the thread that have image linked to this. === This seems to be working on almost all the scripts using BBcode. Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the image link to the folder with the malicious code as the forum signature. What i was wondering is there anything more serious than logging out the users that can be done with this? The admin folders of ipb and phpbb need reauthentication. So nothing serious for them but anything more innovative that could be done? And any way to fix this? Regards, -- http://www.h4cky0u.org (In)Security at its best... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] BBCode [IMG] [/IMG ] Tag Vulnerability
Hi, Saw this one on www.waraxe.us (Discovered by Easyex) and i was thinking if there are some more possibilities using the method described. The POC below is for phpBB. - == make yourself a folder on your host rename the folder to signature.jpg this will trick bbcode that its an image file. example http://sitewithmaliciouscode/signature.jpg inside that folder .. put this code .. and rename it to index.php file. Quote: ?php header(Location: http://hosttobeexploited/phpBB/login.php?logout=true;); exit; ? this will make every visitor getting logout when they view the thread that have image linked to this. === This seems to be working on almost all the scripts using BBcode. Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the image link to the folder with the malicious code as the forum signature. What i was wondering is there anything more serious than logging out the users that can be done with this? The admin folders of ipb and phpbb need reauthentication. So nothing serious for them but anything more innovative that could be done? And any way to fix this? Regards, -- http://www.h4cky0u.org (In)Security at its best... ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/