lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <SNT122-W14F2933D7DEDFFDC6790CAA6250@phx.gbl>
Date: Wed, 24 Mar 2010 02:52:15 -0700
From: lis cker <liscker@...mail.com>
To: <bugtraq@...urityfocus.com>
Subject: "$referer" export lead to the cross-site flaws in all versions of
 Discuz!



hi;
 
All versions of Discuz! have the cross-site vulnerabilities because of the export value of "$referer". 
 
Like: 
Discuz! 7.X
Discuz! 6.X
Discuz! 5.X
Discuz!NT 3.X
and so on.
 
 
There are some htm pages in all versions of Discuz!, that are:
/templates/default/attachpay.htm
/templates/default/ec_rate.htm
/templates/default/register.htm
 
 
These pages have code to export the value of "$referer": <input type="hidden" name="referer" value="$referer" />
 
When the "$referer" include malicious code, these htm pages and the nested php pages will be XSS.
 
 
 
With "register.htm" as an example:
 
 
A user open a URL, and click the "Register" button on the page, this URL will been assigned to "$referer",then, "register.htm" export the value of "$referer", at this time, vistors' browser open "register.php" that include this value of "$referer".
 
So, either the URL is dynamic pages or static pages, either the url has xss or not. As long as the URL contains the xss code, the xss will be true.
 
 
 

Attacker just need to find the URL which can contains malicious code, then build the special URL.
with Discuz! 7.0 as an example, the "viewthread.php" can contains malicious code, like : http://www.example.com/viewthread.php?tid=<script>alert(/liscker/);</script> . 
When users visit it , and then , click Register button, XSS has been true, malicious code ware been run.
 
 
 
 
principle of attachpay.htm and ec_rate.htm are same to register.htm.
 

It is not only in discuz!, all the web apps who save referer and export referer maybe have the vulnerabilities.
 
 
 
Liscker
2010.03.24 		 	   		  

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ