lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050314042606.8197.qmail@www.securityfocus.com>
Date: 14 Mar 2005 04:26:06 -0000
From: Rift <Sean@...e-web.com>
To: bugtraq@...urityfocus.com
Subject: [XSS] paBox 2.0




pabox 2.0 no longer includes the Date and Time parameters in the POST data sent with your shout.  The date and time parameters in previous versions were vulnerable to a cross site scripting attack.  Now however in version 2.0 if you setup paBox to include an icon with your topic... eg:

:winkface: posted By SomePerson on 3/10/05 04:11 PM
<message follows here>


the parameter in the form that lets you select which 'smilie' to use as an icon for your post is prone to a script injection attack.  the specific parameter used is:

<INPUT type=radio CHECKED value="wink.gif" name=posticon>

where wink.gif becomse the value of the src attribute of the <img> tag when your post is submitted.  by simply altering wink.gif, or adding another instance of this parameter, you can inject your own code into the value of the new parameter.  eg:

<INPUT type=radio CHECKED value="&quot;>&lt;script&gt;document.write(document.cookie);&lt;/script&gt;" name=posticon>click me

simply check the radio button that reads 'click me' then submit your form as normal, and the code will be injected into the shoutbox.  Not everyone running version 2.0 of pabox seems to have this feature enabled, however from a quick search id say it's about 70% of the users that do have it enabled.  the official demonstration page for paBox 2.0 can be found at the phparena.net website.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ