Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-10047

Session ID always included in URL on posting.php

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Major Major
    • 3.0.9-RC1
    • None
    • Sessions
    • None
    • PHP : 5.2.3 , MYSQL:5.0.45
      OP ; Win 7 , Browser : FireFox ..

      By this serious bug the attacker can steal the sid of the victim . by checking the referer URL ..
      In popular topics , the number of victims maybe hundreds !!!
      How to do it ??!
      As we can see in the attached image file , the sid obtained the the URL in many places , after actions like browsing the post before sending it , of browsing the PMs ..

      Then if you posted an URL such as : anysite/anything/image.php that returns an IMAGE that should be viewed in the post , but before the request has finished , the image.php file will check and store the REFERER URL of the member who Clicked BROWS button that contains the SID !! ..

      EX:
      Try to post an image via bbcode : [img]yousite/image.php[/img] that image.php does what i mentioned above.

      Every member who clicks Brows button before posting, will se the previous posts are loaded below the posting form , and so the post that contains our file "image.php" will be loaded too , and then a request to "image.php" will be made ,then the referer that contains the SID was sent too with the request .
      I call this BUG "O-C-K" or One Click Kill ..

      Thanks a lot ...
      BlzOfHK
      Bye..

        1. OCK.png
          OCK.png
          74 kB
        2. O-C-K.rar
          70 kB

            bantu Andreas Fischer [X] (Inactive)
            blzofhk blzofhk
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: