Message-ID: <20060523025036.18131.qmail@securityfocus.com>
Date: 23 May 2006 02:50:36 -0000
From: webmaster@...tiney.com
To: bugtraq@...urityfocus.com
Subject: Re: Destiney Rated Images Script v0.5.0 - XSS Vulnv



> Effected Files:

You mean affected?  `Effected` is not a word.


> addWeblog.php

I pasted the following example XSS code into both form fields, and saw no evidence of XSS vulnerabilities:

<DIV STYLE="background-image: url(javascript:alert('XSS'))">

<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">

<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">

<DIV STYLE="width: expression(alert('XSS'));">


Did you have an example of a <div> tag that works?


> leaveCommentReply.php

Since the same form input cleansing code is in place for all forms and incoming GPC data site-wide, I did not test this form page.


> stats.php
> 
> ------
> 
> stats.php Exploit:
> 
> SQL Injection of stats.php leads to full path disclosures.
> 
> Example:
> 
> http://www.example.com/stats.php?s=SELECT SUM( rating )FROM ds_image_ratings
> WHERE created ='x'
> 
> Notice: Undefined variable: scriptName in
> /home/destiney/domains/ratedsite.com/public_html/stats.php on line 624
> 
> Notice: Undefined variable: alt in
> /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code on line 4
> 
> Notice: Undefined variable: desc in
> /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code on line 8

Full path disclosure only occurs when the error reporting level $GLOBALS[ 'SITE_DEBUG' ] is set on.  In production mode, $GLOBALS[ 'SITE_DEBUG' ] = 0, so full paths are never shown.  I don't consider this an exploit as the script users are told the proper setting for production deployment is 0.  Nevertheless I have changed the default setting from 1 to 0 in the distribution copy of config.php-dist.


> addWeblog.php Exploit:
> 
> The input box for addweblog.php and leaveComments.php allows certain HTML
> tags, including the <div> tag.
> 
> The comment reply input boxes do not allow certain HTML tags, one being the
> <div> tag. A user can add JavaScript to the div tag and commit an XSS.

Even though I am unable to find any example XSS code that works as you described, I will go ahead and remove the <div> tag from the allowed tag list in the config.php-dist file.


A lot of people use this script, thanks for no early/private disclosure whatsoever.
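As an added illustration (not the Destiney script's own code), a minimal allowlist sanitizer in Python that shows why the attribute filter matters as much as the tag list: with `div` permitted, the `STYLE`-based probes pasted above come out as a bare `<div>`, and with `div` removed from the hypothetical ALLOWED_TAGS the tag is rendered as literal text. ALLOWED_TAGS, ALLOWED_ATTRS and SAFE_URL_SCHEMES are assumptions for this example; the real config.php-dist lists are not shown in the thread.

```python
from html.parser import HTMLParser
from html import escape

# Assumed allowlists for this example (the real config.php-dist is not on the page).
ALLOWED_TAGS = {"b", "i", "a", "p", "br", "div"}
ALLOWED_ATTRS = {"a": {"href"}}            # no 'style', no on* handlers on any tag
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Keeps only allowlisted tags and attributes; everything else is escaped."""

    def __init__(self, allowed_tags=ALLOWED_TAGS):
        super().__init__(convert_charrefs=True)
        self.allowed_tags = allowed_tags
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.allowed_tags:
            # Disallowed tag: emit its source text escaped, so it renders literally.
            self.out.append(escape(self.get_starttag_text()))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                      # drops style=, onclick=, onmouseover=, ...
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue                      # drops javascript: and other odd schemes
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self.allowed_tags:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text content (including the body of a stripped <script>) is always escaped.
        self.out.append(escape(data))


def sanitize(fragment, allowed_tags=ALLOWED_TAGS):
    """Return the sanitized form of an untrusted HTML fragment."""
    parser = AllowlistSanitizer(allowed_tags)
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Run `sanitize` over the four `<DIV STYLE=...>` probes from the reply: each yields `<div>` with the tag list above, and escaped text once `"div"` is taken out of the set.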

