https://www.exploit-db.com/exploits/21486
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-126

PHPBB2是一款由PHP编写的Web论坛程序，可使用在Unix和Linux操作系统下，也可使用在MicrosoftWindows操作系统下。PHPBB2在处理图象标记中的数据缺少正确充分的检查，可导致远程攻击者进行HTML代码插入攻击。PHPBB2可以使用[img][/img]代替HTML代码支持图象操作，但是PHPBB2对用户提交给[img][/img]标记的数据缺少正确检查和过滤，由于BBCode在转译'”‘符号时表示HTML标记的结束，攻击者可以在图象标记中插入'”‘号并在'”‘号后插入任意HTML代码或JavaScript代码后发表在论坛中，当论坛用户浏览此包含恶意代码的链接时，就可以使脚本代码在浏览用户浏览器上执行，攻击者获得用户基于Cookie认证的敏感信息。

source: http://www.securityfocus.com/bid/4858/info


It is possible to inject arbitrary HTML into phpBB2 forum messages via the use of BBCode image tags. A similar issue is described in Bugtraq ID 4379 "PHPBB Image Tag User-Embedded Scripting Vulnerability". However, phpBB2 was found to not be vulnerable to this previous issue.

A double-quotation (") character may be used to close the HTML statement that is created when the BBCode is translated. The attacker may then include arbitrary HTML after the double-quotation.

The attacker may exploit this issue to inject script code into forum messages. When such messages are displayed by a web user, the attacker's script code will execute in their browser in the context of the website.

phpBB versions prior to the phpBB2 series may also be affected by this vulnerability. 

[img]http://a.a/a"onerror="javascript:alert(document.cookie)[/img]

来源:BID
名称:4858
链接:http://www.securityfocus.com/bid/4858
来源:XF
名称:phpbb-bbcode-image-css(9178)
链接:http://www.iss.net/security_center/static/9178.php
来源:BUGTRAQ
名称:20020526CrossSiteScriptingVulnerabilityinphpBB2’s[IMG]tagandremoteavatar
链接:http://online.securityfocus.com/archive/1/274273