lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.44.0511301917470.21839-100000@bugsbunny.castlecops.com>
Date: Wed, 30 Nov 2005 19:34:07 -0500 (EST)
From: Paul Laudanski <zx@...tlecops.com>
To: bugs@...uritytracker.com, <bugtraq@...urityfocus.com>,
        <moderators@...db.org>, <news@...uriteam.com>,
        <vuldb@...urityfocus.com>, <vuln@...unia.com>,
        <vulnwatch@...nwatch.org>
Subject: XSS & Header Injection in Drupal and vBulletin


A fake image header with actual html body content was able to get past
phpbb's input validation.  An exploit was issued for phpbb a month ago and
that sparked me to check some other webapps.

vbulletin 3.5.0 forum file attachments did not sanitize against this, as a
result Jelsoft quickly issued release 3.5.1 as a fix.  Other branches were 
also fixed up to 3.0.10 and 2.3.8.

http://www.vbulletin.com/forum/showthread.php?postid=1002384

"The first flaw is in Microsoft Internet Explorer. It affects vBulletin 
image uploads and potentially opens a cross-site-scripting exploit. It has 
affected many web-based applications that allow image uploads, including 
phpBB and Hotmail. Although a fix from Microsoft would be preferable, we 
have implemented a work-around in all three branches of vBulletin to 
prevent the Internet Explorer flaw from being exploited."

drupal 4.6.3 was also tested and found to be vulnerable as well.

http://drupal.org/node/39355

"Paul Laudanski informed us that it's possible to attach files that are 
able to run Javascript under Internet Explorer.

Further investigation of the problem revealed that the same method can be 
used to inject arbitrary HTTP headers."

Subsequently, all branches were fixed up to: 4.5.6, and 4.6.4.  However, 
PHP 4.3.0 is also required in this solution.

Credit: CastleCops.com 
-- 
Paul Laudanski, Microsoft MVP Windows-Security 
[de] http://de.castlecops.com 
[en] http://castlecops.com 
[wiki] http://wiki.castlecops.com 
[family] http://cuddlesnkisses.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ