  1. phpBB3
  2. PHPBB3-10047

Session ID always included in URL on posting.php


Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 3.0.9-RC1
    • Sessions
    • None
    • PHP: 5.2.3, MySQL: 5.0.45
      OP: Win 7, Browser: Firefox

    Description

      With this serious bug, an attacker can steal the SID of the victim by checking the referer URL.
      In popular topics, the number of victims may be hundreds!
      How to do it?
      As we can see in the attached image file, the SID can be obtained from the URL in many places, after actions like browsing the post before sending it, or browsing the PMs.

      Then if you post a URL such as anysite/anything/image.php that returns an image that should be viewed in the post, before the request has finished the image.php file will check and store the referer URL of the member who clicked the Browse button, which contains the SID!

      EX:
      Try to post an image via BBCode: [img]yousite/image.php[/img], where image.php does what I mentioned above.

      Every member who clicks the Browse button before posting will see that the previous posts are loaded below the posting form, and so the post that contains our file "image.php" will be loaded too, and then a request to "image.php" will be made, and the referer that contains the SID is sent with the request too.
      I call this bug "O-C-K" or One Click Kill.

      Thanks a lot ...
      BlzOfHK
      Bye..
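
An added example, not part of the original report and not phpBB's own code: a Python check a board administrator could run over a rendered page to list the embedded off-site resources whose Referer header would carry the sid described above. The host names, sample HTML, function names and the default-policy parameter are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qs

# Policies under which a cross-origin request still carries the full page URL.
# "no-referrer-when-downgrade" models the legacy browser default (assumption);
# current browsers default to "strict-origin-when-cross-origin".
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}

class SrcCollector(HTMLParser):
    """Collect URLs a browser fetches automatically while rendering."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("img", "iframe", "script", "embed") and src:
            self.urls.append(src)

def origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname, parts.port)

def sid_leaks(page_url, html, policy="no-referrer-when-downgrade", param="sid"):
    """Return off-site resource URLs whose Referer would expose the session ID."""
    if param not in parse_qs(urlsplit(page_url).query):
        return []                    # no session ID in the page URL
    if policy not in FULL_URL_POLICIES:
        return []                    # Referer omitted or reduced to the origin
    collector = SrcCollector()
    collector.feed(html)
    leaks = []
    for src in collector.urls:
        target = urljoin(page_url, src)
        scheme = urlsplit(target).scheme
        if scheme not in ("http", "https") or origin(target) == origin(page_url):
            continue                 # not fetched over HTTP, or same-origin
        downgrade = urlsplit(page_url).scheme == "https" and scheme == "http"
        if policy == "no-referrer-when-downgrade" and downgrade:
            continue                 # Referer is dropped on HTTPS -> HTTP
        leaks.append(target)
    return leaks

# Constructed sample: a posting.php URL carrying a sid, whose topic review
# contains one remote image and one local smiley.
PAGE = "http://forum.example/posting.php?mode=reply&f=2&t=5&sid=0123456789abcdef0123456789abcdef"
HTML = '<img src="http://images.example/image.php"><img src="./images/smilies/icon_e_smile.gif">'

if __name__ == "__main__":
    print(sid_leaks(PAGE, HTML))   # ['http://images.example/image.php']
```

An empty result, either because the URL carries no sid or because the page's Referrer-Policy reduces the header to the origin, means the embedded resource cannot learn the session ID from the Referer header.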

      Attachments

        1. OCK.png
          74 kB
        2. O-C-K.rar
          70 kB

          People

            bantu Andreas Fischer [X] (Inactive)
            blzofhk blzofhk