Date: Thu, 22 Jan 2004 13:25:27 +0400
From: "Ed J. Aivazian" <stealth@...inco.com>
To: bugtraq@...urityfocus.com
Subject: TBE - the banner engine server-side script execution vulnerability


WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in
Russia and countries of the former USSR.
TBE has all the basic features required for a beginner banner exchange
network, and together with its low cost this has made TBE pretty popular.

Company: Native Solutions
Author: Ivan Stanislavsky
URL: http://www.native.ru


STATUS
==============================
Author notified, no reply yet


WHERE
==============================
html banner view/preview


HOW
==============================
TBE's html banner create feature performs no validation and writes the
user's input directly into a file named
/bn/tbe-$user_id-$banner_id.html
In some configurations (especially at web-hosting companies) where
.html files are handled by the web server as
application/x-httpd-XXX, code written into the html banner by an
attacker will be executed every time the banner is previewed or viewed.


VERSIONS AFFECTED
==============================
Tested on TBE5; possibly all other versions that have an html banner
implementation


EXAMPLE
==============================
I was a bit lazy this morning, so put something like this:
http://vision.am/~stealth/tbe1.jpg

And got this:
http://vision.am/~stealth/tbe2.jpg
The code is displayed in an iframe, so there is no difficulty scrolling
the window


RISK
==============================
web server privileges (danger varies depending on configuration)



-- 
Cheers,
ed
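
A defender-side check for the condition described under HOW, added here as an example (not part of the original advisory or of TBE): assuming an Apache-style server, it scans configuration or .htaccess text for AddType/AddHandler lines that hand .html/.htm files to an application/x-httpd-* handler. The function name, the extension set and the sample configuration are constructed for illustration.

```python
import re

# AddType/AddHandler lines that bind an application/x-httpd-* handler to extensions.
DIRECTIVE = re.compile(
    r"^\s*(AddType|AddHandler)\s+(application/x-httpd-[\w.+-]+)\s+(\S.*?)\s*$",
    re.IGNORECASE,
)
# Extensions an application may write as "static" content (assumption for this check).
STATIC_EXTS = {"html", "htm"}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONFIG = """\
# constructed example
AddType text/html .html .htm
AddType application/x-httpd-php .php .html
# AddHandler application/x-httpd-php .htm
AddHandler application/x-httpd-php5 .PHP5 htm
"""


def find_risky_mappings(config_text):
    """Return (line_no, directive, handler, extension) for every static
    extension that the configuration hands to a script interpreter."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue  # comment lines and unrelated directives never match
        directive, handler, ext_list = match.groups()
        for token in ext_list.split():
            ext = token.lstrip(".").lower()  # Apache accepts ".html" and "html"
            if ext in STATIC_EXTS:
                findings.append((line_no, directive, handler, ext))
    return findings


if __name__ == "__main__":
    for line_no, directive, handler, ext in find_risky_mappings(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} maps .{ext} to {handler}")
```

The check covers AddType and AddHandler only; handlers assigned through SetHandler inside a FilesMatch block need a separate pass.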


