Date: Sun, 3 May 2009 19:21:51 -0400
From: Micheal Cottingham <techie.micheal@...il.com>
To: Andrew Farmer <andfarm@...il.com>
Cc: Jacques Copeau <jacquescopeau@...glemail.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: “Cross-Site Scripting” vulnerability in MyBB 1.4.5

That's the problem with XSS: it isn't just one. I've seen XSS that in
turn injects PHP code into an admin panel that in turn led to RCE.
I've also seen XSS that led to session hijacking that in turn led to
XSS which ultimately led to mass client exploitation.

The bad guys have been using these multi-staged attacks for quite some
time. http://www.coresecurity.com/content/understanding-multistaged-threats
agrees with me.

XSS is particularly nasty because it runs in the client. It is no
longer just cookie stealing, but mass client exploitation, RCE, SQL
injection, CSRF, and so on. It is even used to pivot into the
internal network, as is the case with MS09-002 (I think that's the
one, someone please correct me if I'm wrong). Entire frameworks have
been built around just XSS, for example BeEF and Jikto.

This is why Jacques Copeau said that the XSS could lead to CSRF and then RCE.

On Sun, May 3, 2009 at 5:19 PM, Andrew Farmer <andfarm@...il.com> wrote:
> On 03 May 09, at 05:01, Jacques Copeau wrote:
>> Advisory : “Cross-Site Scripting” vulnerability in MyBB
> <snip>
>> The XSS renders in all browsers and on various pages inside the myBB
>> software.
>> We consider it to be particularly grave, as it renders on the ACP
>> user overview page; this can be easily exploited to construct a
>> universal CSRF vulnerability that introduces malicious php code
>> into the script.
>
> So, er, is this vulnerability XSS, CSRF, or RCE? Pick one and stick
> with it.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
