[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e9d9d4020710221352i214bc7d7g3e23fe91bd9bd183@mail.gmail.com>
Date: Mon, 22 Oct 2007 15:52:54 -0500
From: reepex <reepex@...il.com>
To: SkyOut <skyout@....net>, full-disclosure@...ts.grok.org.uk
Subject: Re: ifnet.it WEBIF XSS Vulnerability
SHUT UP PDP
SEND XSS TO SECURITY BASICS
On 10/22/07, SkyOut <skyout@....net> wrote:
>
> -----------------------------
> || WWW.SMASH-THE-STACK.NET ||
> -----------------------------
>
> || ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY
>
> _____________________
> || 0x00: ABOUT ME
> || 0x01: DATELINE
> || 0x02: INFORMATION
> || 0x03: EXPLOITATION
> || 0x04: GOOGLE DORK
> || 0x05: RISK LEVEL
> ____________________________________________________________
> ____________________________________________________________
>
> _________________
> || 0x00: ABOUT ME
>
> Author: SkyOut
> Date: October 2007
> Contact: skyout[-at-]smash-the-stack[-dot-]net
> Website: www.smash-the-stack.net
>
> _________________
> || 0x01: DATELINE
>
> 2007-10-15: Bug found
> 2007-10-15: Email with notification sent to ifnet.it
> 2007-10-21: Still no reaction from ifnet.it
> 2007-10-22: Advisory released
>
> ____________________
> || 0x02: INFORMATION
>
> In the WEBIF product by the italian company ifnet, an error
> occurs due to the fact of an unfiltered variable (cmd) in the
> webif.exe program. It is possible to execute any JavaScript code
> by manipulating the parameter.
>
> _____________________
> || 0x03: EXPLOITATION
>
> To exploit this bug no exploit is needed, all can be done through
> manipulation of the given URL:
>
> STEP 1:
> Go to the standard page of the WEBIF product, normally existing
> at "/cgi-bin/webif.exe". You will recognize some further parameters,
> being "cmd", "config" and "outconfig".
>
> STEP 2:
> Don't change any parameter instead of the "cmd" one. Change its value
> to any JavaScript code you like. For our demo we will use the default
> one, being "<script>alert('XSS');</script>".
>
> STEP 3:
> Click ENTER and execute the code. A successfull demonstration will
> popup a window.
>
> EXAMPLE:
> http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[
> * ]&outconfig=[ * ]
>
> [ * ] = Depends on the server. Don't change this!
>
> ____________________
> || 0x04: GOOGLE DORK
>
> inurl:"/cgi-bin/webif/" intitle:"WEBIF"
>
> ___________________
> || 0x05: RISK LEVEL
>
> - LOW - (1/3) -
>
> <!> Happy Hacking <!>
>
> ____________________________________________________________
> ____________________________________________________________
>
> THE END
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists