#34224 [Opn->Bgs]: vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag Vulnerability

Tue, 23 Aug 2005 23:48:07 -0700 

 ID:               34224
 Updated by:       [EMAIL PROTECTED]
 Reported By:      stopavto-work at yahoo dot com
-Status:           Open
+Status:           Bogus
 Bug Type:         Unknown/Other Function
 Operating System: any
 PHP Version:      4.4.0
 New Comment:

Sure, that's PHP - but that is a feature, not a bug. It's up to the
applications to filter this out themselves.


Previous Comments:
------------------------------------------------------------------------

[2005-08-23 23:58:17] stopavto-work at yahoo dot com

You want to say that code:
<?php 
header("Location:
http://hosttobeexploited/phpBB/login.php?logout=true";); 
exit; 
?>
is not php???
And that if I use:
<img src="http://sitewithmaliciouscode/signature.jpg";>
that will move to http://sitewithmaliciouscode/signature.jpg/index.php

Where "index.php" is that obove code it is not connected with php
language?

Then may be you explain to me with what <?php ?> and index.php and <ims
src=""> ate connected with?
Some words like "post method" can be helpful some how I think.
Thanks

------------------------------------------------------------------------

[2005-08-23 22:42:27] [EMAIL PROTECTED]

This has totally nothing to do with the PHP language itself.

------------------------------------------------------------------------

[2005-08-23 22:24:59] stopavto-work at yahoo dot com

Description:
------------
vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag
Vulnerability

vBulletin 3.0.7 and PHPBB 2.0.17 BBCode [IMG] [/IMG ]: Tag
Vulnerability 

08/22/2005 

Saw this one on www.waraxe.us (Discovered by Easyex) and i was 
thinking if there are some more possibilities using the method 
described. The POC below is for phpBB. - 

make yourself a folder on your host 
rename the folder to signature.jpg 
this will trick bbcode that its an image file.

example http://sitewithmaliciouscode/signature.jpg 


inside that folder .. put this code .. 
and rename it to index.php file. 


Quote: 
<?php 
header("Location:
http://hosttobeexploited/phpBB/login.php?logout=true";); 
exit; 
?> 


this will make every visitor getting logout when they view the thread
that 
have image linked to this. 

This seems to be working on almost all the scripts using BBcode. 
Successfully tested on vBulletin 3.0.7 and phpBB 2.0.17 when used the 
image link to the folder with the malicious code as the forum 
signature. What i was wondering is there anything more serious than 
logging out the users that can be done with this? The admin folders of

ipb and phpbb need reauthentication. So nothing serious for them but 
anything more innovative that could be done? And any way to fix this? 

Regards, 

-- 
http://www.h4cky0u.org 
(In)Security at its best...



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=34224&edit=1

Reply via email to