Open Source and information security mailing list archives
From: full at oakey.no-ip.com (full@...ey.no-ip.com)
Subject: Cross Site Scripting Advisory.

uk2sec Search Tool Cross Site Scripting Advisory
by c0w_d0g3

[ We would just like to say hello to the list, as this is our first post ]

uk2sec@...ey.no-ip.com


== Advisory ==

Many websites run a 'site search' tool on their webpage with a URL
that looks like this:

/search/index.cfm

I am having trouble locating a specific vendor, but according to Windows
the possible applications that may run it are:

  .CFM  Corel FontMaster
        Cold Fusion Template File
        Visual dBASE Windows Customer Form

Furthermore, 100% of the systems we have tested are running IIS/4.0 or
IIS/5.0.

A quick search on Google returns about 165,000 hits for the search tool.

To connect directly to the search tool, the URL is usually:

http://www.example.com/search/index.cfm 


There are several ways to demonstrate the Cross Site Scripting problem.

The first is to connect directly to the /search/index.cfm page and type
the following into the search box:

<script>alert("uk2sec")</script>

And that works.


Sometimes, however, you need to change this slightly to:

http://www.example.com/search/index.cfm?<script>alert("uk2sec")</script>

And connect (it will still serve the same page).

Then, in the search box (there may be more than one box for detailed
searches; any of them will do), type:

<script>alert("uk2sec")</script>

Press Enter to search, and it will work.


This was tested on multiple browsers as well (Mozilla, IE, Konqueror).

Live examples are not allowed on this list; however, it's not hard to find
somewhere to test it.

Points to consider: sometimes the JavaScript in the URL you request must
be the same script as the one you put in the search box (or that is just
what we found on one site we tested).
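The defect described above is the search term being echoed back into the results page without output encoding. The following is an added illustration, not code from the advisory or from any vendor's search/index.cfm: it models the unencoded echo beside its encoded fix, and runs a check for the same probe string over constructed IIS W3C extended-log lines (the function names, field layout and sample lines are assumptions, not taken from a real server).

```python
import html
import re
from urllib.parse import unquote_plus

# The probe string quoted in the advisory.
PAYLOAD = '<script>alert("uk2sec")</script>'


def render_results_vulnerable(term: str) -> str:
    """Echo the search term straight into the page: the reported defect."""
    return f"<p>Results for: {term}</p>"


def render_results_fixed(term: str) -> str:
    """Encode the term on output so browsers treat it as text, never as markup."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


# Constructed IIS W3C extended-log lines (hypothetical field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The third line models the "?<script>..." URL variant from the advisory.
SAMPLE_LOG = """\
2003-05-12 10:14:01 192.0.2.10 GET /search/index.cfm q=firewall 200
2003-05-12 10:14:07 192.0.2.10 GET /search/index.cfm q=%3Cscript%3Ealert%28%22uk2sec%22%29%3C%2Fscript%3E 200
2003-05-12 10:14:09 192.0.2.11 GET /search/index.cfm %3Cscript%3Ealert(%22uk2sec%22)%3C/script%3E 200
2003-05-12 10:15:30 192.0.2.12 GET /index.cfm - 200
"""

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def find_xss_probes(log_text: str, stem: str = "/search/index.cfm") -> list:
    """Return (client-ip, decoded query) for requests to `stem` whose query
    string carries a <script> tag after URL-decoding. Only GET requests are
    visible this way: a search box submitted by POST never reaches
    cs-uri-query, so a POST-based search needs application-level logging."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[4].lower() != stem:
            continue
        query = unquote_plus(fields[5])
        if SCRIPT_TAG.search(query):
            hits.append((fields[2], query))
    return hits
```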


Regards,

c0w_d0g3
uk2sec


c0w_d0g3@...oo.co.uk

Members:

c0w_d0g3, deadbeat.


