lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 26 Feb 2009 23:54:03 -0500
From: Stephen Komal <steve625@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: SHOUTcast XSS Vulnerability

----------------------------------------------------------

Description:

There exists a vulnerability in SHOUTcast, which can be exploited via
script insertion attacks.  Input passed to the incoming SHOUTcast web
interface (default is port 8000) is not properly sanitized.
Therefore, the input can contain arbitrary HTML and script code which
will be outputted to the log file without being sanitized.  Upon
viewing the log file in the browser via the administrator panel, the
malicious code will be executed in the administrator's browser.

----------------------------------------------------------

Affected Versions:

The vulnerability is confirmed in version 1.9.8.  Other versions may
also be affected.

----------------------------------------------------------

Method:

Construct a basic HTTP GET request destined to the victim's SHOUTcast
web interface.  Insert the malicious code in the User Agent field of
the packet.

----------------------------------------------------------

Solution:

Filter malicious characters and character sequences before logging the
input to the log file, and also before displaying the contents of the
log file in the browser.

----------------------------------------------------------

Discovered on:

December 15, 2008

----------------------------------------------------------

Discovered by:

Stephen Komal, Ronald Gutierrez, Joseph Puran

----------------------------------------------------------

Special thanks to our elite instructors:

Dan Guido, Mike Zusman, Erik Cabetas, Dean De Beer, Dino Dai Zovi,
Stephen A. Ridley

----------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ