Codebug Labs Advisory 08 - Topic Calendar 1.0.1 for phpBB is susceptible to cross site scripting attacks.
bc64b25734b4ce0cf4bc9f5202bb8cfb37448fc4e3c557f8b9dc7905a6e9b617*********************************************************************
* CODEBUG Labs
* Advisory #8
* Title: Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB
* Author: Alberto Trivero
* English Version: Alberto Trivero
* Product: Topic Calendar 1.0.1
* Type: Multiple Vulnerabilities
* Web: http://www.codebug.org/
*********************************************************************
--) Software Page (www.phpbb.com/phpBB/viewtopic.php?t=150857)
Topic Calendar is a quite widespread MOD for phpBB all version that will add a calendar
to the board, using topics as event. The authorizations are managed at forums, groups
and users level, as the standard phpBB auths.
--) Full Path Disclosure
If phpBB is running on a Microsoft IIS Server, it's possible to obtain the full path by
sending simples requests like these:
http://www.example.com/phpbb/calendar_scheduler.php%5C
http://www.example.com/phpbb/calendar_scheduler.php?d=-1
Note that these requests doesn't works under the others webservers like Apache.
--) Cross-Site Scripting (XSS)
Let's look at code from calendar_scheduler.php at line 82:
<?
...
if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
{
$start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start'];
}
...
?>
and at line 375:
<?
...
$s_hidden_fields .= '<input type="hidden" name="start" value="' . $start . '" />';
...
?>
$start is a variable that can be controlled by a remote user, and, as we can see, there
isn't any control on she, so anyone con inject some HTML code like:
"><script>alert(document.cookie)</script>
that will change the HTML line in:
<input type="hidden" name="start" value=""><script>alert(document.cookie)</script>" />
executing the <script>...</script> tag that show, in this case, the cookies.
This is the complete URL:
http://www.example.com/phpbb/calendar_scheduler.php?start=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
--) Patch
To fix the XSS bug we can use the function intval() at line 85 of calendar_scheduler.php:
<?
...
if ( isset($HTTP_POST_VARS['start']) || isset($HTTP_GET_VARS['start']) )
{
$start = isset($HTTP_POST_VARS['start']) ? $HTTP_POST_VARS['start'] : $HTTP_GET_VARS['start'];
$start = intval($start)
}
...
?>
*********************************************************************
http://www.codebug.org/
*********************************************************************
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed