Message-ID: <f5cb97050905302021w6d80f255h3070457ae56b340a@mail.gmail.com>
Date: Sat, 30 May 2009 23:21:33 -0400
From: Jabra <jasbro7@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: BASE - 3 Persistent Cross Site Scripting Vulnerabilities

BASE, a well-known Snort front end, has three persistent cross-site scripting
vulnerabilities.

For those who don't know, cross-site scripting allows the attacker to inject
JavaScript to modify the functionality of the web pages. Since this
vulnerability exists in BASE, it allows an attacker to drop alerts (all of
them or specific alerts), modify user information including passwords,
modify the configuration of BASE and perform many other tasks. The only
limitation is the attacker's creativity.

The vulnerabilities exist in pages that render information from three
different components of BASE: alert groups, roles and user information.

For creating a user, the name field was found to be vulnerable. For the name
field, I just injected JavaScript and it was rendered!

For creating an alert group, we just need to include a closure for the HTML
by using "> and add our JavaScript afterwards. This causes the page that
loads the name to close the HTML and execute our JavaScript! This is due to
HTML encoding being used on the page.

For creating a role, both the name and the description field were
vulnerable. The name field was limited to a specific number of characters.
To verify, I just injected XSS and confirmed that it rendered. The
description field accepted straight JavaScript.


Screenshots can be found at:

http://www.spl0it.org/blog/index.php?entry=entry090530-212022

Regards,
Jabra
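The difference between the two injection styles above (a bare script tag in a name field that lands in page text, and a "> closure for a value that lands inside a quoted attribute) comes down to where the stored string is rendered. The following is an added example, not code from the original post and not BASE's own PHP; the three sinks, the payloads and the markup are constructed to mirror the user-name, alert-group-name and role-description fields the advisory names. It renders the same stored values once without escaping and once with context-appropriate escaping, then runs both pages through an HTML parser to count the script elements and event-handler attributes a browser would actually see.

```python
import html
from html.parser import HTMLParser

# Constructed sample inputs modelled on the three sinks the advisory describes.
# These are illustrative payloads, not the strings from the original report.
SAMPLE_PAYLOADS = {
    "user_name": "<script>alert(1)</script>",            # lands in a text node
    "alert_group_name": '"><script>alert(1)</script>',   # lands in a quoted attribute
    "role_description": "<img src=x onerror=alert(1)>",  # lands in a text node
}


def render_vulnerable(user_name, alert_group_name, role_description):
    """Interpolates stored values straight into HTML, the way an unescaped
    echo of a database row would. This is the defect class, not BASE's template."""
    return (
        f"<td>{user_name}</td>\n"
        f'<input type="text" name="ag_name" value="{alert_group_name}">\n'
        f"<td>{role_description}</td>\n"
    )


def render_hardened(user_name, alert_group_name, role_description):
    """Same page with every stored value escaped for its output context.
    Text nodes need < > & escaped; the attribute value also needs quotes
    escaped, which html.escape(quote=True) does, so the "> closure stays data."""
    return (
        f"<td>{html.escape(user_name)}</td>\n"
        f'<input type="text" name="ag_name" value="{html.escape(alert_group_name, quote=True)}">\n'
        f"<td>{html.escape(role_description)}</td>\n"
    )


class ActiveContentFinder(HTMLParser):
    """Records what the browser-side parse actually yields: script elements,
    on* event-handler attributes, and every decoded attribute value, so a
    payload that became markup can be told apart from one that stayed data."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0
        self.attr_values = {}  # (tag, attribute) -> decoded value

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            if name.startswith("on"):
                self.event_handlers += 1
            self.attr_values[(tag, name)] = value


def analyse(page):
    """Parses a rendered page and returns the populated finder."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        result = analyse(renderer(**SAMPLE_PAYLOADS))
        print(f"{label}: script tags={result.script_tags}, "
              f"event handlers={result.event_handlers}, "
              f"input value={result.attr_values.get(('input', 'value'))!r}")
```

In the unescaped page the parser closes the input element at the injected quote and then sees a real script element, while in the escaped page the attribute value decodes back to the full payload string and no script or on* attribute exists at all. Escaping has to match the sink: html.escape without quote=True would still stop the text-node payloads but would leave the attribute breakout working.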
