Date: Fri Jun 9 20:55:44 2006
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: ASPListPics - EXPL-A-2006-003

exploitlabs.com Retro Advisory 001
- - ASPListpics -

RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006 by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/

OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of images in a folder structure.

AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com

DETAILS
=======
1. XSS ( persistent )

PROOF OF CONCEPT LINKS AND RETRO-POC
=====================================
1. XSS ( Cross Site Scripting )

There is persistent XSS inclusion in the "comments" feature of ASPListpics
in the following:

  field "name"
  field "comment"

By embedding various types of XSS into the comment section, we are able to
render JavaScript in the user's browser. Below is a simple PoC ( Proof of
Concept ).

Enter malicious script into the "comments" section:

comment: ohno<iframe src="http://whatismyip.com"></iframe>ouch

and it is rendered as:

HTTP://[VUNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=< SCRIPTING HERE >9000|0

CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html

RETRO-CREDITS
=============
This vulnerability was discovered and researched by Donnie Werner of
exploitlabs. At the original time of discovery and retro-release date, the
author was not aware of any other advisories or patches available.

Retro-Advisories are released when the same research is released by a 3rd
party, when old private research is no longer active, or when the product
has been patched due to vendor updates before a formal Exploitlabs advisory
was released to the public.

Donnie Werner
wood@...loitlabs.com
morning_wood@...e-h.org
--
web: http://exploitlabs.com
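The root cause described above is that the "name" and "comment" fields are written back into the page (and into the rate link's Info parameter) without output encoding. The following is an added example, not code from ASPListpics or from the advisory's author: it contrasts the unencoded concatenation pattern with an output-encoded version, using the advisory's own PoC string as the constructed input, and shows how a link carrying user data should be built (URL-encode the query value, then HTML-encode the attribute). The function names, the link builder and the `containsActiveMarkup` check are assumptions for illustration; in classic ASP the equivalent of `htmlEncode` is `Server.HTMLEncode`.

```javascript
// Constructed input: the PoC comment string quoted in the advisory.
const PAYLOAD = 'ohno<iframe src="http://whatismyip.com"></iframe>ouch';

// HTML-encode the five characters that can break out of text or attribute context.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical rendering, for illustration): stored user
// input concatenated straight into the HTML response.
function renderCommentVulnerable(name, comment) {
  return '<div class="comment"><b>' + name + '</b>: ' + comment + '</div>';
}

// Hardened pattern: every user-controlled value is encoded at the point of output.
function renderCommentSafe(name, comment) {
  return '<div class="comment"><b>' + htmlEncode(name) + '</b>: ' +
         htmlEncode(comment) + '</div>';
}

// The advisory shows the comment text reflected into the rate link's Info
// parameter. Hypothetical link builder: URL-encode each query value, then
// HTML-encode the assembled URL because it lands inside an href attribute.
function buildRateLink(picId, info) {
  const url = 'listpics.asp?a=rate&ID=' + encodeURIComponent(picId) +
              '&Info=' + encodeURIComponent(info);
  return '<a href="' + htmlEncode(url) + '">rate</a>';
}

// Simple review-time check: does rendered HTML still contain an active element
// or an inline event handler that did not come from the template?
function containsActiveMarkup(html) {
  return /<\s*(iframe|script|img|svg|object|embed)\b/i.test(html) ||
         /\bon\w+\s*=/i.test(html);
}

// Stand-alone demonstration.
console.log('vulnerable :', renderCommentVulnerable('r0t', PAYLOAD));
console.log('hardened   :', renderCommentSafe('r0t', PAYLOAD));
console.log('rate link  :', buildRateLink('42', PAYLOAD));
```

Running the block prints the same comment rendered both ways; only the unencoded version contains a live `<iframe>` element, and the rate link carries the comment as an inert percent-encoded query value.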