lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <E1A6bbJ-000Iig-00.nimber-mail-ru@f21.mail.ru>
Date: Tue, 07 Oct 2003 00:05:01 +0400
From: "nimber"  <nimber@...l.ru>
To: bugtraq@...urityfocus.com
Subject: JS/HTML code injection in File-Sharing for NET v1.5 and Forums Web Server v1.5


+-----------------------------+
Advisories: JS/HTML code injection in File-Sharing for NET v1.5 and Forums Web Server v1.5
Author: nimber [nimber@...l.ru]
Date: 10/06/2003
+-----------------------------+
Vendor: http://www.minihttpserver.net
Version: 1.5 (and older versions?) 
Shareware :)
Mini-description [for File-Sharing for NET v1.5]:
"File Sharing for net is a complete, secure web server that shares your business documents 

and files over the web: remote users only need browsers to view your files. Share, transfer 

files securely with colleagues."
Mini-description [for Forums Web Server v1.5]:
"WebForums Server allows you to setup a bulletin board and photo/file exchange web service. 

It offers a built in HTTP engine, internal database engine, integrated HTML/Script pages, 

user management interface, message board engine and a secure file Upload/Download option. 

It is without a doubt the easiest and complet all in one Forum Server software you have 

seen." [The information from a site www.minihttpserver.net]
+-----------------------------+
Problem:

These two products, from one vendors, use the similar built - in forum (BBS). 
I think, that Forums Web Server v1.5 is the easy version of the program File-Sharing for 

NET. 
I have found vulnerability in the built - in forum of both programs. 
In the program File-Sharing for NET v1.5, at addition of the new message there is no 

filtration entered given in fields "Subject:" and "Your message:". It enables inserts any 

JS/HTML of a code.
For example:

<script> alert (document.cookie); </script>

In the program Forums Web Server v1.5, there is no filtration only in a field "Subject:", 

in a field "Your message:" the symbol < is replaced on "<".

+-----------------------------+

For contacts:
nimber
icq: 132614
e-mail: nimber@...l.ru
Home Page: nimber.plux.ru

Greets: ZeT,euronymous,JLx and all my friends.
Hi to teams: zud team, void.ru, RusH Team, m00 security,
eXploit.ru,LWTeam, F0K Project,Free-Crew.
 
p.s> Sorry for my bad english ;)

(0_o(0_o)0_o)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ