lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: illectro2001 at yahoo.com (Chris Sharp)
Subject: XSS In mldonkey - But....

Mldonkey is an open source p2p client which supports a
load of networks, it doesn't have a built in UI, you
can telnet into it, or there's a web interface which
can be accessed from http://127.0.0.1:4080/ (or
whatever port you configure it to run on)

They've done a great job at making sure there's no XSS
issues, especially with data coming from the network.
You can inject scripts into the html error page rather
trivially using
http://127.0.0.1:4080/<script>...</script>


But who cares? There are far more dangrous things you
can do if you can make the mldonkey go to URL's for
example....
http://localhost:4080/submit?setoption=q&option=allowed_ips&value=255.255.255.255
This will unlock the IP based access control, suddenly
everyone in the world can access the search interface.


The whole control system is via http, you can search,
download, whatever all via http. If you can get the
user to go to arbitrary URL's then you can do
dangerous things directly without having to resort to
XSS, although the XSS does have some uses in terms of
automating multiple requests. 

Being really Evil is left as an exercise for the
reader.

Now, if there were some method to inject html via
responses to a p2p search, then the whole thing would
be a little more interesting. Some media files may
contain embedded URL's, that may be an interesting way
of delivering payloads across a P2P network. 

So, at the very least the web iterface should include
some referrer checking to ensure that commands aren't
being generated from untrusted pages. This is a
general problem with any application controlled via
web interfaces.

Chris



__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ