Message-ID: <1704098750.20040122132527@arminco.com>
Date: Thu, 22 Jan 2004 13:25:27 +0400
From: "Ed J. Aivazian" <stealth@...inco.com>
To: bugtraq@...urityfocus.com
Subject: TBE - the banner engine server-side script execution vulnerability
WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in
Russia and countries of the former USSR.
TBE has all the basic features required for a beginner banner exchange
network and together with its low cost TBE got pretty popular.
Company: Native Solutions
Author: Ivan Stanislavsky
URL - http://www.native.ru
STATUS
==============================
Author notified, no reply yet
WHERE
==============================
html banner view/preview
HOW
==============================
TBE's html banner create feature does not perform any checking and passes
the user's input directly into a file named
/bn/tbe-$user_id-$banner_id.html
With some configurations (especially at web-hosting companies) where
.html files are interpreted by the web server as
application/x-httpd-XXX, code written into the html banner by an
attacker will be executed every time the banner is previewed or viewed.
VERSIONS AFFECTED
==============================
Tested on TBE5, possibly all other versions that have html banner
implementation
EXAMPLE
==============================
I was a bit lazy this morning, so I put something like this:
http://vision.am/~stealth/tbe1.jpg
And got this:
http://vision.am/~stealth/tbe2.jpg
The code is displayed in an iframe, so there is no difficulty scrolling
the window
RISK
==============================
web server privileges (danger varies depending on configuration)
--
Cheers,
ed
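
An audit sketch for the condition described under HOW, added here as an example and not part of the original advisory or of TBE: it flags Apache AddType/AddHandler lines that map .html to an application/x-httpd-* type, and lists banner files that contain a server-side code opener. It assumes numeric user and banner ids and "<?" or "<%" as code openers; the function names and sample data are constructed.

```python
import re

# Apache directives that bind a MIME type / handler to file extensions.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.I)
# Banner file naming from the advisory: /bn/tbe-$user_id-$banner_id.html
# Assumption: both ids are numeric.
BANNER_NAME = re.compile(r"^tbe-\d+-\d+\.html$")
# Assumption: server-side code opens with "<?" (PHP-style) or "<%" (ASP-style).
CODE_OPENER = re.compile(r"<\?|<%")


def html_script_mappings(config_text):
    """Return (line_no, line) for directives that make .html/.htm executable."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive has no effect
        m = DIRECTIVE.match(line)
        if not m:
            continue
        target = m.group(2).lower()
        exts = {e.lower().lstrip(".") for e in m.group(3).split()}
        if target.startswith("application/x-httpd-") and exts & {"html", "htm"}:
            hits.append((no, line.strip()))
    return hits


def suspicious_banners(files):
    """files: {name: content}. Return sorted banner names holding a code opener."""
    return sorted(n for n, body in files.items()
                  if BANNER_NAME.match(n) and CODE_OPENER.search(body))


# Constructed sample inputs (not taken from a real server).
SAMPLE_CONF = """\
# hosting default
AddType application/x-httpd-php .php .html
AddType text/html .shtml
#AddHandler application/x-httpd-php .htm
"""
SAMPLE_FILES = {
    "tbe-12-3.html": '<a href="http://example.org/"><img src="b.gif"></a>',
    "tbe-40-7.html": "<?php echo 'constructed marker'; ?>",
    "index.html": "<?php /* not a banner file */ ?>",
}

if __name__ == "__main__":
    print(html_script_mappings(SAMPLE_CONF))
    print(suspicious_banners(SAMPLE_FILES))
```

A hit from both functions on the same host means stored banner markup is being handed to a script interpreter; either finding alone is worth reviewing.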