Re: [Plugins-writers] phpbb_xss.nasl

From: Paul Johnston (paul@private)
Date: Wed Mar 24 2004 - 09:08:12 PST


Hi,

Looks the the http_keepalive_send_recv calls need bodyonly:1 in there. 
The script is causing a false positive because the XSS code appears in 
the headers.

Though this does raise the possibility of header splitting as described 
by the recent Sanctum paper.

Paul



David Kyger wrote:

>script phpbb_xss is firing when I hit no404 web servers. Should this script be dependent upon 
>no404.nasl?
>
>req = http_get(item:dir + "/viewtopic.php?t=10&postdays=99<script>foo</script>", port:port);
>  buf = http_keepalive_send_recv(port:port, data:req);
>  if(buf == NULL)exit(0);
>  req = http_get(item:dir + "/viewforum.php?f=10&postdays=99<script>foo</script>", port:port);
>  buf2 = http_keepalive_send_recv(port:port, data:req);
>  if(buf2 == NULL)exit(0);
>
>  if("<script>foo</script>" >< buf ||
>     "<script>foo</script>" >< buf2 )
>        {
>        security_warning(port);
>        exit(0);
>        }
>
>buf = 
>HTTP/1.1 302 Object moved
>Location: http://>/phpBB/viewtopic.php?t=10&postdays=99<script>foo</script>
>
>buf2 = 
>HTTP/1.1 302 Object moved
>Location: http://>/phpBB/viewtopic.php?t=10&postdays=99<script>foo</script>
>
>-dave
>_______________________________________________
>Plugins-writers mailing list
>Plugins-writers@private
>http://mail.nessus.org/mailman/listinfo/plugins-writers
>
>
>  
>

-- 
Paul Johnston
Internet Security Specialist
Westpoint Limited
Albion Wharf, 19 Albion Street,
Manchester, M1 5LN
England
Tel: +44 (0)161 237 1028
Fax: +44 (0)161 237 1031
email: paul@private
web: www.westpoint.ltd.uk


_______________________________________________
Plugins-writers mailing list
Plugins-writers@private
http://mail.nessus.org/mailman/listinfo/plugins-writers



This archive was generated by hypermail 2b30 : Wed Mar 24 2004 - 09:09:19 PST