| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Sep 8 16:43:03 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: mimicboard2
- EXPL-A-2005-013 exploitlabs.com Advisory 042 -
- mimicboard2 -
AFFECTED PRODUCTS
mimicboard2 #086 < and lower
http://www.chitta.com/nobu/download/#mimic2
OVERVIEW
Mimic2 is a html open forum type of blog, tailored in
particular to the Japaneese market ( and is very popular )
DETAILS
1. XSS
Mimic2 does not properly filter malicious script content.
XSS my be inserted in the name, title and comment sections,
and is persistant in nature.
The malicious script is the rendered upon visitation and
is executed in the context of the users brower.
2. information disclosure
http://[host]/mimic2.dat is viewable via the webroot and has
no protection by default. mimic2 stores data in this file
consisting of:
a. administrator passwords
b. user information including refer ip address, message content
and password if one was used in the post.
POC
1.
input malicious iframe script into the
comment, title and name sections.
http://[host]/mimic2.cgi
eg:<iframe src="[attacker url]"></iframe>
2.
the password(s) are easily crackable as evidenced by:
mimic2.dat
echo mimic board2:Fdtr67zbisXVA:13 >mimic2.txt
john -w:password.lst mimic2.txt
Loaded 1 password (Standard DES [24/32 4K])
password (mimic board2)
SOLUTION:
vendor contact:
nobu@...imaginet.ne.jp Aug 24, 2005
no response as of Sept 8, 2005
Credits
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs
mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
web: http://exploitlabs.com
web: http://zone-h.org
Powered by blists - more mailing lists