phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
The administrator has disabled public write access. |
phpBB 2.0.19 Cross Site Request Forgeries and XSS Admin
1. Basically all phpBB admin-side options do allow full HTML, including JavaScript. That is the intended behaviour, as there are legitimate uses. phpBB does however check the Session ID before allowing the changes to go to the database. Your exploit needs a valid admin session key and you need to get the admin to visit the page (unless you happen to have a lot of luck with your IP) - be it by a link or a reflecting page. And even then, it will only work when the admin has logged into the ACP prior to running into the trap.

2. That is a general problem with all pages allowing off-site pictures. It has been discussed on the list before. Most of your examples won't work with phpBB, due to the missing Session ID in the links.
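As an added illustration (not phpBB's own code and not posted in this thread), a Python model of the session-id check the reply above describes: a forged admin URL that lacks the victim's sid, carries a guessed one, or arrives before the admin has entered the ACP is refused, while the admin's own click with the matching sid goes through. The class, method and parameter names are assumptions.

```python
import secrets
from hmac import compare_digest

# Constructed model (not phpBB's code): a state-changing ACP request is
# accepted only if the sid in the request URL matches the session the
# browser's cookie identifies, and that session has an ACP login.
class ForumModel:
    def __init__(self):
        self.sessions = {}                 # sid -> {"user": ..., "acp": bool}
        self.config = {"site_desc": "Untouched"}

    def login(self, user):
        """Board login: issues the session id phpBB appends to links as ?sid=."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "acp": False}
        return sid

    def acp_login(self, sid):
        """Separate ACP login; until it happens the admin panel refuses changes."""
        self.sessions[sid]["acp"] = True

    def admin_config(self, cookie_sid, params):
        """Handle a modelled admin_board.php?sid=...&site_desc=... request.

        cookie_sid: session id the browser sends automatically (cookie).
        params: query parameters of the requested URL; attacker-controlled
                when the URL comes from a forged link or an off-site picture.
        Returns True if the change was applied, False if it was rejected.
        """
        sess = self.sessions.get(cookie_sid)
        if sess is None or not sess["acp"]:
            return False                   # not logged in, or ACP not entered
        req_sid = params.get("sid", "")
        if not compare_digest(req_sid, cookie_sid):
            return False                   # forged URL lacks the victim's sid
        self.config["site_desc"] = params["site_desc"]
        return True

def demo():
    """Replays the cases from the reply; returns (legit, no_sid, guessed, no_acp)."""
    board = ForumModel()
    sid = board.login("admin")
    forged = {"site_desc": "set by a forged request"}      # constructed value
    no_acp = board.admin_config(sid, dict(forged, sid=sid))  # before ACP login
    board.acp_login(sid)
    no_sid = board.admin_config(sid, forged)                 # link without sid
    guessed = board.admin_config(sid, dict(forged, sid=secrets.token_hex(16)))
    legit = board.admin_config(sid, dict(forged, sid=sid))   # admin's own click
    return legit, no_sid, guessed, no_acp
```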