OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: <-delusion-> (delusi0n_at_bellsouth.net)
Date: Mon Jul 29 2002 - 18:52:30 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Overview
    -----------------------
    A shoutbox is a fun tool webmasters put on their site that allows them to
    receive feedback from users quickly. By typing in their name, site URL, &
    message, users can post comments, suggestions, praises, flames, etc. onto
    the shoutbox and it will be seen by everyone that goes to the site in
    seconds.

    Impact
    -----------------------
    Endity.com's shoutBOX script allows users to inject code that becomes
    executed everytime the shoutbox is being viewed. Since shoutboxes are
    usually placed on the front page, where everyone sees it, this creates a
    problem for webmasters. Users can inject code that can pop up windows
    displaying different sites, pop up message boxes, put iframes that load
    different pages instead of the shout box, display huge messages, and execute
    other javascripts. Remote command executions may also be possible. There is
    currently one version out, so if you d/led it off their site and are running
    it, you are vulnerable!

    Exploit
    -----------------------
    This problem occurs because the $site variable which holds the user's
    website URL that their supposed to enter when they post, does not get
    stripped of HTML tags. There fore instead of a URL users can put in
    malicious html code. Inorder for it to work users must first cancel the <a
    href tag that $site is being put into like so...

    In the Site URL text box, type in

    "></a><your html code goes here><a href="

    u must have "></a> in the beginning & <a href=" at the end make sure u keep
    the quotes. In between those tags u can enter any html code or java script u
    wish, and when u post it will be added to the shoutbox and therefore
    executed by every person that sees the shoutbox. Heres a quick example of a
    simple annoying trick..

    "></a><h1>delusion 0wnz!!</h1><a href="

    if u put that as yer URL and post it on a vulnerable shoutbox it will
    display in huge letters "delusion 0wnz!!".

    There are many ways you can use this, play around with it, and share any
    cool things u find out. If you get it to execute linux commands please let
    me know.

    Solution
    -----------------------
    The solution is very simple. The problem occurs in board.php around line 74
    heres what it looks like..

    $name = strip_tags($name,"");

    if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";

    }
    ....

    $info = strip_tags($info,"");

    As you can see $name & $info get stripped of all html tags, but $site does
    not. thats why there is this problem. The solution is simple though. Simply
    add $site = strip_tags($site,""); before

    if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";

    }

    so it would look like this...

    $name = strip_tags($name,"");
    $site = strip_tags($site,"");

    if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";

    }

    Now the html tags will not appear in the $site variable, and everything
    should be ok... for now >;)

    I have contacted endity.com.

    -----------------------
    Vulnerability brought to you by,
    delusion
    http://digital-delusions.dyn.ee