Message-ID: <BAY14-F15uJqRclslvr00061197@hotmail.com>
Date: Tue, 16 Mar 2004 23:01:58 +0100
From: "Frog Man" <leseulfrog@...mail.com>
To: apple_soup@....com
Cc: bugtraq@...urityfocus.com
Subject: RE: YaBB/YaBBse Cross Site Scripting Vulnerability


Hello,
This hole was discovered on 29/02/04 and published in French here:
http://www.phpsecure.info/v2/tutos/frog/YaBBSE-XSSPermanent.txt
We were waiting for an official security fix from the YabbSE team (for one month) 
before publishing the hole on some mailing lists, but they still haven't done 
anything.
Another security hole is:

[glow=red,2);background:url(javascript:[SCRIPT],300]text[/glow]

The new YabbSE team's project (SMF 1.0b http://www.simplemachines.org ) 
seems to be buggy too.

To fix these holes, you just have to replace the lines:

--------------------------------------------------------------------------
			'/\[glow=(.+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
			'/\[shadow=(.+?),(.+?)\](.+?)\[\/shadow\]/eis',
--------------------------------------------------------------------------

by :

-----------------------------------------------------------------------------------
			'/\[glow=([[:alpha:]]+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
			'/\[shadow=([[:alpha:]]+?),(.+?)\](.+?)\[\/shadow\]/eis',
-----------------------------------------------------------------------------------

and the line :

-----------------------------------------------------------------------------------------------------------------------------
			"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1, 
strength=' . ('\\2' < 255 ? '\\2' : '255') . ');\">' . \"\\4\" . 
'</td></tr></table>'",
-----------------------------------------------------------------------------------------------------------------------------

by :

-----------------------------------------------------------------------------------------------------------------------------
			"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1, 
strength=' . intval( ('\\2' < 255 ? '\\2' : '255') ) . ');\">' . \"\\4\" . 
'</td></tr></table>'",
-----------------------------------------------------------------------------------------------------------------------------


in the file Sources/Subs.php.



A fix can be found at http://www.phpsecure.info



Sorry for my poor English,
Germain Randaxhe aka frog-m@n

http://www.phpsecure.info
http://www.security-corporation.com





>From: Cheng Peng Su <apple_soup@....com>
>To: bugtraq@...urityfocus.com
>Subject: YaBB/YaBBse Cross Site Scripting Vulnerability
>Date: 14 Mar 2004 07:52:07 -0000
>
>
>
>
>#####################################################################
>
>  Advisory Name : YaBB/YaBBse Cross Site Scripting Vulnerability
>   Release Date : Mar 14,2004
>    Application : YaBB/YaBBse
>        Test On : YaBB 1 Gold(SP1.3)
>                  YaBB SE 1.5.1 Final
>     Vendor URL : http://www.yabbforum.com/
>                  http://www.yabbse.org/
>       Discover : Cheng Peng Su(apple_soup_at_msn.com)
>
>#####################################################################
>
>   Proof of concept:
>       The problem is in the [glow] and [shadow] tags; YaBB doesn't filter
>    the characters in these tags. The attack doesn't need the visitor to click
>    any links; just when the visitor reads the thread, the XSS code will be
>    executed.
>
>   Exploit:
>    [glow=red);background:url(javascript:alert(document.cookie));filte
>    r:glow(color=red,2,300]Big Exploit[/glow]
>    [shadow=red);background:url(javascript:alert(document.cookie));fil
>    ter:shadow(color=red,left,300]Big Exploit[/shadow]
>
>   Contact:
>    Cheng Peng Su
>    Class 1,Senior 2,High school attached to Wuhan University
>    Wuhan,Hubei,China(430072)
>    apple_soup_at_msn.com
>
>
>
>
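An added example (not from either poster, nor from the YaBB SE code base) that re-implements the [glow] expansion from Subs.php in Python to show why both parts of the fix are needed: the original pattern lets the colour parameter (Su's PoC shape) and the strength parameter (the second hole above) splice extra CSS into the style attribute, while the [[:alpha:]] restriction plus intval() reduce the output to the intended shape. The BBCode inputs, the "PAYLOAD" placeholder and the well-formedness check are constructed for this example.

```python
import re

# Constructed inputs modelled on the tag shapes discussed in this thread;
# "PAYLOAD" stands in for whatever script the PoC would carry.
BENIGN = "[glow=red,2,300]text[/glow]"
INJECT_COLOR = ("[glow=red);background:url(javascript:PAYLOAD);"
                "filter:glow(color=red,2,300]text[/glow]")  # via the colour parameter
INJECT_STRENGTH = "[glow=red,2);background:url(javascript:PAYLOAD),300]text[/glow]"  # via strength

# Original YaBB SE pattern: every parameter accepts any characters.
VULN_RE = re.compile(r"\[glow=(.+?),(.+?),(.+?)\](.+?)\[/glow\]", re.I | re.S)
# Patched pattern: colour restricted to letters (the fix's [[:alpha:]]).
FIXED_RE = re.compile(r"\[glow=([A-Za-z]+?),(.+?),(.+?)\](.+?)\[/glow\]", re.I | re.S)

def php_intval(s):
    """Emulate PHP's intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0

def clamp_vuln(strength):
    """Original ('\\2' < 255 ? '\\2' : '255'): PHP compares the string numerically
    but returns the raw string, so anything after the digits survives."""
    return strength if php_intval(strength) < 255 else "255"

def clamp_fixed(strength):
    """Patched: intval() around the same expression leaves only the number."""
    return str(php_intval(clamp_vuln(strength)))

TEMPLATE = ('<table style="border 0px;"><tr><td style="filter:Glow(color=%s, '
            'strength=%s);">%s</td></tr></table>')

def render_glow(bbcode, pattern, clamp):
    """Expand one [glow] tag the way Subs.php does; None if the tag is not matched
    (the hardened regex then leaves the raw BBCode as plain text)."""
    m = pattern.search(bbcode)
    if not m:
        return None
    color, strength, _unused, text = m.groups()
    return TEMPLATE % (color, clamp(strength), text)

# Defender-side check: the generated style attribute must have exactly the
# shape the template intends, with no extra CSS declarations spliced in.
WELL_FORMED = re.compile(r'<td style="filter:Glow\(color=[A-Za-z]+, strength=\d+\);">')

def style_is_well_formed(html_out):
    return html_out is None or WELL_FORMED.search(html_out) is not None

if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("color", INJECT_COLOR), ("strength", INJECT_STRENGTH)]:
        before = render_glow(src, VULN_RE, clamp_vuln)
        after = render_glow(src, FIXED_RE, clamp_fixed)
        print(name, "before:", style_is_well_formed(before), "after:", style_is_well_formed(after))
```

Restricting the colour group to letters makes the first payload fail to match at all, while the strength-parameter hole is closed only by intval(), because the numeric comparison alone accepts any string that merely starts with a digit.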



