lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 22 Oct 2007 15:52:54 -0500
From: reepex <reepex@...il.com>
To: SkyOut <skyout@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: ifnet.it WEBIF XSS Vulnerability

SHUT UP PDP

SEND XSS TO SECURITY BASICS

On 10/22/07, SkyOut <skyout@....net> wrote:
>
> -----------------------------
> || WWW.SMASH-THE-STACK.NET ||
> -----------------------------
>
> || ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY
>
> _____________________
> || 0x00: ABOUT ME
> || 0x01: DATELINE
> || 0x02: INFORMATION
> || 0x03: EXPLOITATION
> || 0x04: GOOGLE DORK
> || 0x05: RISK LEVEL
> ____________________________________________________________
> ____________________________________________________________
>
> _________________
> || 0x00: ABOUT ME
>
> Author: SkyOut
> Date: October 2007
> Contact: skyout[-at-]smash-the-stack[-dot-]net
> Website: www.smash-the-stack.net
>
> _________________
> || 0x01: DATELINE
>
> 2007-10-15: Bug found
> 2007-10-15: Email with notification sent to ifnet.it
> 2007-10-21: Still no reaction from ifnet.it
> 2007-10-22: Advisory released
>
> ____________________
> || 0x02: INFORMATION
>
> In the WEBIF product by the italian company ifnet, an error
> occurs due to the fact of an unfiltered variable (cmd) in the
> webif.exe program. It is possible to execute any JavaScript code
> by manipulating the parameter.
>
> _____________________
> || 0x03: EXPLOITATION
>
> To exploit this bug no exploit is needed, all can be done through
> manipulation of the given URL:
>
> STEP 1:
> Go to the standard page of the WEBIF product, normally existing
> at "/cgi-bin/webif.exe". You will recognize some further parameters,
> being "cmd", "config" and "outconfig".
>
> STEP 2:
> Don't change any parameter instead of the "cmd" one. Change its value
> to any JavaScript code you like. For our demo we will use the default
> one, being "<script>alert('XSS');</script>".
>
> STEP 3:
> Click ENTER and execute the code. A successfull demonstration will
> popup a window.
>
> EXAMPLE:
> http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[
> * ]&outconfig=[ * ]
>
> [ * ] = Depends on the server. Don't change this!
>
> ____________________
> || 0x04: GOOGLE DORK
>
> inurl:"/cgi-bin/webif/" intitle:"WEBIF"
>
> ___________________
> || 0x05: RISK LEVEL
>
> - LOW - (1/3) -
>
> <!> Happy Hacking <!>
>
> ____________________________________________________________
> ____________________________________________________________
>
> THE END
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ