lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060429192757.19377.qmail@securityfocus.com>
Date: 29 Apr 2006 19:27:57 -0000
From: r0xes.ratm@...il.com
To: bugtraq@...urityfocus.com
Subject: W-Agora 4.20 XSS


PLEASE NOTE: I am not sure if HTML is an option. I looked through the Administration panel and did not see an option for it, and the fact that there is no BBcode leads me to believe that this is the method of BBCode/etc.

W-Agora is a fairly 'nice' bulletin board written in PHP. It allows multiple 'boards' (i.e. one with my forums and then one with yours) and has a nice administration panel.

EXPLANATION:

Also, W-Agora allows users to post HTML - not everything you'd think, as things like script, frame, body, html, etc are stripped. It also strips out 'on' anything, so you'd think that you cannot execute code -- right?

No. The regex to clean out 'on'anything is like this:
[code]' on([a-zA-Z]*)?=(.*)?'[/code]

If you don't see the problem, let me explain:
The filter expects that the = will come RIGHT after the On*! Therefore, if we put a space between it and the =, we do not match up against it and it will let it pass!

Example:
[code]<b onMouseOver =eval('alert(/xss/)')>hi</b>[/code]

This renders both in IE & Firefox. =D



USAGE:
Since W-Agora can be configured to either set all userinfo in cookies or completely rely on sessions, this is mixed. If you find a site that uses cookies, you could use this to steal them.

Shouts: digi7al64 - PrOtOn - Lockdown - WhiteAcid

Video @ http://dynxss.whiteacid.org/videos/w-agora420xss.rar :: 899kb


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ