From: illectro2001 at (Chris Sharp)
Subject: XSS In mldonkey - But....

Mldonkey is an open source p2p client which supports a
load of networks, it doesn't have a built in UI, you
can telnet into it, or there's a web interface which
can be accessed from (or
whatever port you configure it to run on)

They've done a great job at making sure there's no XSS
issues, especially with data coming from the network.
You can inject scripts into the html error page rather
trivially using <script>...</script>

But who cares? There are far more dangerous things you
can do if you can make the mldonkey go to URLs for
This will unlock the IP based access control, suddenly
everyone in the world can access the search interface.

The whole control system is via http, you can search,
download, whatever all via http. If you can get the
user to go to arbitrary URLs then you can do
dangerous things directly without having to resort to
XSS, although the XSS does have some uses in terms of
automating multiple requests. 

Being really Evil is left as an exercise for the

Now, if there were some method to inject html via
responses to a p2p search, then the whole thing would
be a little more interesting. Some media files may
contain embedded URLs, that may be an interesting way
of delivering payloads across a P2P network. 

So, at the very least the web interface should include
some referrer checking to ensure that commands aren't
being generated from untrusted pages. This is a
general problem with any application controlled via
web interfaces.
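
The referrer check suggested in the last paragraph, sketched as an added example that is not part of the original post and is not mldonkey's code. The interface origin http://localhost:8080 is a placeholder assumption, and rejecting requests that carry no Referer is a policy choice made here; a string-prefix comparison is shown beside the parsed comparison because lookalike hostnames defeat the former.

```python
from urllib.parse import urlsplit

# Assumed origins of the local control interface (placeholders, not from the post).
TRUSTED_ORIGINS = {("http", "localhost", 8080), ("http", "127.0.0.1", 8080)}
DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_origin(referer):
    """Return (scheme, host, port) for a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    host = parts.hostname  # lower-cased, with userinfo and port stripped
    if scheme not in DEFAULT_PORTS or not host:
        return None
    return (scheme, host, DEFAULT_PORTS[scheme] if port is None else port)


def allow_command(headers, trusted=TRUSTED_ORIGINS):
    """Allow a command request only if its Referer is one of our own pages.

    A missing or unparseable Referer is rejected, so a request with no
    verifiable source page is handled like one from an untrusted page.
    """
    # HTTP header names are case-insensitive.
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    return referer_origin(referer) in trusted


def naive_allow(headers, prefix="http://localhost:8080"):
    """Prefix comparison, kept only to show why parsing is needed."""
    return headers.get("Referer", "").startswith(prefix)


# Constructed sample Referer values: one genuine, three from other hosts.
SAMPLES = [
    "http://localhost:8080/submit?q=x",
    "http://evil.example/page.html",
    "http://localhost:8080.evil.example/",
    "http://localhost:8080@evil.example/",
]

if __name__ == "__main__":
    for value in SAMPLES:
        h = {"Referer": value}
        print(f"{value:40} parsed={allow_command(h)} prefix={naive_allow(h)}")
```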

