On Mon, 2006-02-13 at 16:50 +1100, Geoff Crompton wrote:
> Package: phpbb2
> Version: 2.0.13-6sarge2
> Severity: normal
> 
> Seen at http://www.osvdb.org/22928. Their description is:
> 
>  phpBB contains a flaw that allows a remote cross site scripting attack. This
>  flaw exists because the application does not validate the 'smile_url' variable
>  upon submission to the 'admin_smiles.php' script. This could allow a user to
>  create a specially crafted URL that would execute arbitrary code in a user's
>  browser within the trust relationship between the browser and the server,
>  leading to a loss of integrity.
> 
> I don't know much about phpbb. I tried the "Manual Testing Notes" URLs they
> suggested, but it didn't work. But that is more likely because the forum I
> tried it on had the "disabled" flag set.

If I understand it correctly, this is exploitable if you can convince an
admin who's already logged into the admin section to open a URL with
JavaScript, only if you have their admin session id. Although
undesirable, it doesn't seem high priority to fix it: the admin should
know better and you need to be quite lucky in your timing of the attack,
but most importantly, it's very unlikely for an attacker to gain
knowledge of a valid admin session id.

Concluding, something to fix in, for example, a new version, but not
something to worry about.


Thijs
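
The OSVDB description quoted above attributes the flaw to the 'smile_url' value not being validated. As an added illustration (not part of the original message and not phpBB's code), the PHP below pairs allowlist validation of such a value with HTML encoding at output; the function names, the `images/smiles` path and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not phpBB code. Function names, the default path and the
// sample values below are hypothetical.

// Accept only a bare image file name: no path separators, URL scheme,
// quotes, angle brackets or whitespace can pass this allowlist.
function validate_smile_url(string $value): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(gif|png|jpe?g)\z/', $value)) {
        return null; // reject instead of trying to "clean" the input
    }
    return $value;
}

// Encode at the point of output as well, so a value that reached storage
// through some other path still cannot break out of the attribute.
function render_smiley(string $smile_url, string $smilies_path = 'images/smiles'): string
{
    $src = htmlspecialchars($smilies_path . '/' . $smile_url, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $src . '" alt="" />';
}

// Constructed sample inputs: one legitimate file name and three that
// must be rejected (markup, path traversal, a URL scheme).
$samples = [
    'smile.gif',
    'smile.gif"><b>x</b>',
    '../smile.gif',
    'javascript:void(0)',
];

foreach ($samples as $raw) {
    $ok = validate_smile_url($raw);
    printf(
        "%-24s => %s\n",
        var_export($raw, true),
        $ok === null ? 'rejected' : render_smiley($ok)
    );
}
```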

