Re: [Full-disclosure] BBCode [IMG] [/IMG ] Tag Vulnerability

["milw0rm Inc." <milw0rm@xxxxxxxxx>]

alrighty,

How can this be done with header location being called in the middle
of the page?

<img src="http://www.site.biz/test/test.jpg"; border="0" /> 

Tested on phpbb 2.0.17 default install with a no go.

/str0ke

On 8/21/05, h4cky0u <h4cky0u.org@xxxxxxxxx> wrote:
> Hi,
> 
> Saw this one on www.waraxe.us (Discovered by Easyex) and i was
> thinking if there are some more possibilities using the method
> described. The POC below is for phpBB. -
> 
> ==========
> make yourself a folder on your host
> rename the folder to signature.jpg
> this will trick bbcode that its an image file.
> 
> example http://sitewithmaliciouscode/signature.jpg
> 
> inside that folder .. put this code ..
> and rename it to index.php file.
> 
> Quote:
> <?php
> header("Location: http://hosttobeexploited/phpBB/login.php?logout=true";);
> exit;
> ?>
> 
> this will make every visitor getting logout when they view the thread that
> have image linked to this.
> ===================
> 
> 
> This seems to be working on almost all the scripts using BBcode.
> Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the
> image link to the folder with the malicious code as the forum
> signature. What i was wondering is there anything more serious than
> logging out the users that can be done with this? The admin folders of
> ipb and phpbb need reauthentication. So nothing serious for them but
> anything more innovative that could be done? And any way to fix this?
> 
> Regards,
> --
> http://www.h4cky0u.org
> (In)Security at its best...
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/