Date: Thu, 22 Jan 2004 13:25:27 +0400
From: "Ed J. Aivazian" <stealth@...inco.com>
To: bugtraq@...urityfocus.com
Subject: TBE - the banner engine server-side script execution vulnerability

WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in Russia and
countries of the former USSR. TBE has all the basic features required for a
beginner banner exchange network, and together with its low cost TBE got pretty
popular.

Company: Native Solutions
Author: Ivan Stanislavsky
URL - http://www.native.ru

STATUS
==============================
Author notified, no reply yet

WHERE
==============================
html banner view/preview

HOW
==============================
TBE's html banner create feature does not perform any checking and passes the
user's input directly into a file named /bn/tbe-$user_id-$banner_id.html

With some configurations (especially at web-hosting companies) where .html files
are interpreted by the web server as application/x-httpd-XXX, the code written
into the html banner by an attacker will be executed every time the banner is
previewed or viewed.

VERSIONS AFFECTED
==============================
Tested on TBE5, possibly all other versions that have html banner
implementation

EXAMPLE
==============================
I was a bit lazy this morning, so put something like this:
http://vision.am/~stealth/tbe1.jpg

And got this:
http://vision.am/~stealth/tbe2.jpg

The code is displayed in an iframe, so there is no difficulty to scroll the
window

RISK
==============================
web server privileges (danger varies depending on configuration)

--
Cheers,
ed
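
Added example (not part of the original advisory and not TBE code): a Python check that scans Apache configuration text for AddType/AddHandler lines mapping .html or .htm to an application/x-httpd-* type, the configuration under which the advisory says stored banner files are executed. The function name and the sample configuration are constructed for illustration.

```python
import re

# Directives that bind file extensions to a MIME type or handler.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)
# Extensions under which the banner files (/bn/tbe-...html) are served.
STATIC_EXTS = {"html", "htm"}


def find_script_mapped_html(config_text):
    """Return (line_no, directive, target, ext) for every mapping of
    .html/.htm to an application/x-httpd-* type or handler."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):      # whole-line comment
            continue
        match = DIRECTIVE.match(raw)
        if not match:
            continue
        directive, target, extensions = match.groups()
        if not target.lower().startswith("application/x-httpd-"):
            continue                          # plain MIME type, not a script handler
        for ext in extensions.split():        # one directive may list several
            ext_norm = ext.lstrip(".").lower()  # leading dot is optional
            if ext_norm in STATIC_EXTS:
                findings.append((line_no, directive, target, ext_norm))
    return findings


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONFIG = """\
# AddType application/x-httpd-php .html
AddType text/html .html .htm
AddType application/x-httpd-php .php .HTML
AddHandler application/x-httpd-php3 htm
AddType application/x-httpd-php-source .phps
"""

if __name__ == "__main__":
    for line_no, directive, target, ext in find_script_mapped_html(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} maps .{ext} to {target}")
```

Run it over httpd.conf and any .htaccess files that apply to the banner directory; a finding means user-supplied banner content there should not be stored under that extension.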