Security Advisory: CSS Vulnerability in Web Forums Server 1.6
Date: 27.01.2004
###################################################
Application: Web Forums Server 1.6
Vendor: www.minihttpserver.net
Versions: 1.6 and earlier
Shareware :)
Platforms: Windows
Bug: JS/HTML code injection.
Risk: Low
###################################################
Mini-description [for Forums Web Server v1.6]:
"WebForums Server allows you to setup a bulletin board and
photo/file exchange web service. It offers a built in HTTP engine,
internal database engine, integrated HTML/Script pages, user
management interface, message board engine and a secure file
Upload/Download option. It is without a doubt the easiest and
complete all in one Forum Server software you have seen."
[Description taken from the vendor site www.minihttpserver.net]
####################################################
Vulnerability:
Some time back I wrote about a CSS vulnerability I found in Web Forums Server.
(Additional information: http://www.rus-sec.org/advisories/ADV10.txt)
But in the new version this was not corrected.
I have also found new vulnerabilities in the new version,
which can allow an attacker to obtain the login/password and session ID of any user.
####################################################
Use:
1) When adding a new message (for example http://121.0.0.1/post1.htm),
the "Subject:" field does not filter the entered data.
Any JS/HTML code can be inserted.
2) When uploading a new file to the server (for example http://121.0.0.1/postfile2.htm),
the "File Description:" field does not filter the entered data.
As a result, an attacker can insert any JS/HTML code, which is then
executed when the page http://121.0.0.1/sharephoto1.asp (or /sharephoto2.asp,
etc.) is opened.
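
The missing filtering described above, shown from the defender's side as an added example (not part of the original advisory and not the vendor's code): the unfiltered rendering next to an output-encoded version, plus an audit pass over stored entries that already contain markup. The record layout, the field names `subject` and `file_description`, and all function names are assumptions; the sample records are constructed.

```python
import html
import re

# Constructed sample records standing in for stored posts and uploads.
# The keys mirror the "Subject:" and "File Description:" form fields (assumed names).
SAMPLE_RECORDS = [
    {"id": 1, "subject": "Holiday photos", "file_description": "Beach, July"},
    {"id": 2, "subject": "<script>alert(1)</script>", "file_description": "ok"},
    {"id": 3, "subject": "Re: prices < 10 & > 5",
     "file_description": '<img src=x onerror="alert(1)">'},
]

USER_FIELDS = ("subject", "file_description")

# Audit heuristic: an opening/closing tag, an inline event handler, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def render_row_unsafe(record):
    """Behaviour the advisory describes: stored text is written into the page as-is."""
    return "<tr><td>{subject}</td><td>{file_description}</td></tr>".format(**record)


def render_row_safe(record):
    """Encode every user-supplied field for the HTML context at output time."""
    cells = "".join("<td>%s</td>" % html.escape(record[f], quote=True) for f in USER_FIELDS)
    return "<tr>%s</tr>" % cells


def audit_records(records):
    """Return (id, field) pairs whose stored value already contains markup."""
    return [(r["id"], f) for r in records for f in USER_FIELDS if MARKUP_RE.search(r[f])]


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(render_row_safe(rec))
    print("stored entries to review:", audit_records(SAMPLE_RECORDS))
```

Encoding at output time protects the listing pages even for entries stored before a fix, while the audit pass only tells an administrator which existing records to review.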
####################################################
Patch:
nah nah :-)
####################################################
For contacts:
nimber
icq: 132614
e-mail: nimber@xxxxxxx
nimber@xxxxxxxxxxx
home page: www.rus-sec.org
P.S. Sorry for my bad English ;)
(0_o(0_o)0_o)
--
Best regards,
nimber mailto:nimber@xxxxxxx