Bugtraq mailing list archives
RE: YaBB/YaBBse Cross Site Scripting Vulnerability
From: "Frog Man" <leseulfrog () hotmail com>
Date: Tue, 16 Mar 2004 23:01:58 +0100
Hello, this hole was discovered on 29/02/04 and published in French here:
http://www.phpsecure.info/v2/tutos/frog/YaBBSE-XSSPermanent.txt

We were waiting for an official security fix from the YabbSE team (since 1 month) before publishing the hole on some mailing lists, but they still haven't done anything.

Another security hole is:
[glow=red,2);background:url(javascript:[SCRIPT],300]text[/glow]

The new YabbSE-Team's project (SMF 1.0b http://www.simplemachines.org ) seems to be bugged too.

To fix these holes, you just have to replace the lines:
--------------------------------------------------------------------------
'/\[glow=(.+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
'/\[shadow=(.+?),(.+?)\](.+?)\[\/shadow\]/eis',
--------------------------------------------------------------------------
by:
--------------------------------------------------------------------------
'/\[glow=([[:alpha:]]+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
'/\[shadow=([[:alpha:]]+?),(.+?)\](.+?)\[\/shadow\]/eis',
--------------------------------------------------------------------------
and the line:
--------------------------------------------------------------------------
"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1, strength=' . ('\\2' < 255 ? '\\2' : '255') . ');\">' . \"\\4\" . '</td></tr></table>'",
--------------------------------------------------------------------------
by:
--------------------------------------------------------------------------
"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1, strength=' . intval( ('\\2' < 255 ? '\\2' : '255') ) . ');\">' . \"\\4\" . '</td></tr></table>'",
--------------------------------------------------------------------------
in the file Sources/Subs.php. A fix can be found on http://www.phpsecure.info

Sorry for my poor English,

Germain Randaxhe aka frog-m@n
http://www.phpsecure.info
http://www.security-corporation.com
From: Cheng Peng Su <apple_soup () msn com>
To: bugtraq () securityfocus com
Subject: YaBB/YaBBse Cross Site Scripting Vulnerability
Date: 14 Mar 2004 07:52:07 -0000

#####################################################################
Advisory Name : YaBB/YaBBse Cross Site Scripting Vulnerability
Release Date  : Mar 14, 2004
Application   : YaBB/YaBBse
Test On       : YaBB 1 Gold (SP1.3)
                YaBB SE 1.5.1 Final
Vendor URL    : http://www.yabbforum.com/
                http://www.yabbse.org/
Discover      : Cheng Peng Su (apple_soup_at_msn.com)
#####################################################################

Proof of concept:
The problem is in the [glow] and [shadow] tags: YaBB doesn't filter the characters in these tags. The attack doesn't need the visitor to click any links; just when the visitor reads the thread, the XSS code will be executed.

Exploit:
[glow=red);background:url(javascript:alert(document.cookie));filter:glow(color=red,2,300]Big Exploit[/glow]
[shadow=red);background:url(javascript:alert(document.cookie));filter:shadow(color=red,left,300]Big Exploit[/shadow]

Contact:
Cheng Peng Su
Class 1, Senior 2, High school attached to Wuhan University
Wuhan, Hubei, China (430072)
apple_soup_at_msn.com
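The fix posted above (restricting the colour parameter to letters and casting the strength with intval) can be checked against the payload in the advisory with the following added example. It is Python written for this page, not code from YaBB SE, SMF or either poster: it mirrors the original and patched [glow] patterns from Sources/Subs.php with Python's re module (the [A-Za-z] class standing in for PCRE's [[:alpha:]]), renders a constructed sample through both versions, and adds a small helper for scanning stored posts for tags the patched pattern would reject. The function names and the sample input are this example's own; the [shadow] tag is fixed the same way and is left out for brevity.

```python
import html
import re

# Constructed sample: one benign [glow] tag followed by the payload quoted in
# the advisory above, so both renderers can be compared on the same input.
SAMPLE_INPUT = (
    "[glow=red,2,300]hello[/glow] "
    "[glow=red);background:url(javascript:alert(document.cookie));"
    "filter:glow(color=red,2,300]Big Exploit[/glow]"
)

# Output template as in Sources/Subs.php (colour, strength, body).
TEMPLATE = ('<table style="border 0px;"><tr><td style="filter:Glow(color=%s, '
            'strength=%s);">%s</td></tr></table>')

# Original pattern: the colour group accepts any characters, so a colour value
# can close the Glow(...) call and append further CSS declarations.
VULN_GLOW = re.compile(r"\[glow=(.+?),(.+?),(.+?)\](.+?)\[/glow\]", re.I | re.S)

# Patched pattern: the colour group is limited to letters, the Python
# equivalent of the [[:alpha:]] class used in the PCRE fix.
SAFE_GLOW = re.compile(r"\[glow=([A-Za-z]+?),(.+?),(.+?)\](.+?)\[/glow\]", re.I | re.S)


def _strength(raw):
    """Clamp the strength parameter to an integer in 0..255 (the intval() step).

    Stricter than PHP's intval(): anything that is not a plain integer becomes
    0 instead of having its leading digits parsed.
    """
    try:
        value = int(raw)
    except ValueError:
        return 0
    return max(0, min(value, 255))


def render_glow_vulnerable(text):
    """Render [glow] tags the way the original Subs.php line does.

    Input is HTML-escaped first to show that entity escaping alone does not
    help here: the injection lands inside a CSS style attribute, where ')',
    ';' and ':' are not escaped characters.
    """
    def repl(m):
        color, strength, _width, body = m.groups()
        # Emulates ('\\2' < 255 ? '\\2' : '255'); the colour is not checked.
        strength = strength if strength.isdigit() and int(strength) < 255 else "255"
        return TEMPLATE % (color, strength, body)
    return VULN_GLOW.sub(repl, html.escape(text, quote=True))


def render_glow_hardened(text):
    """Render [glow] tags with the patched pattern and integer-cast strength.

    A tag whose colour is not purely alphabetic is not matched at all and is
    left as inert, escaped text instead of being copied into the style attribute.
    """
    def repl(m):
        color, strength, _width, body = m.groups()
        return TEMPLATE % (color, _strength(strength), body)
    return SAFE_GLOW.sub(repl, html.escape(text, quote=True))


def style_attributes(rendered):
    """Return every style="..." attribute value in rendered HTML (for checks)."""
    return re.findall(r'style="([^"]*)"', rendered)


def find_unsafe_glow_colors(text):
    """Detection helper: colour parameters of [glow] tags that the patched
    pattern would reject, usable for scanning already-stored posts."""
    return [m.group(1) for m in VULN_GLOW.finditer(text)
            if not re.fullmatch(r"[A-Za-z]+", m.group(1))]


if __name__ == "__main__":
    print("vulnerable:", render_glow_vulnerable(SAMPLE_INPUT))
    print("hardened:  ", render_glow_hardened(SAMPLE_INPUT))
    print("flagged:   ", find_unsafe_glow_colors(SAMPLE_INPUT))
```

Run as a script, the vulnerable renderer emits a style attribute containing `background:url(javascript:...)`, while the hardened renderer produces exactly one glow cell (the benign tag) and leaves the payload as literal text; the scanning helper flags the payload's colour parameter, which is the same check an administrator could run over a forum's stored messages before the patch is applied.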