Bugtraq mailing list archives
Re: Destiney Rated Images Script v0.5.0 - XSS Vulnv
From: webmaster () destiney com
Date: 23 May 2006 02:50:36 -0000
Effected Files:
You mean affected? `Effected` is not a word.
addWeblog.php
I pasted the following example XSS code into both form fields, and saw no evidence of XSS vulnerabilities:

<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">
<DIV STYLE="background-image: url(javascript:alert('XSS'))">
<DIV STYLE="width: expression(alert('XSS'));">

Did you have an example of a <div> tag that works?
leaveCommentReply.php
Since the same form input cleansing code is in place for all forms and incoming GPC data site-wide, I did not test this form page.
stats.php
------
stats.php Exploit: SQL Injection of stats.php leads to full path disclosures.
Example: http://www.example.com/stats.php?s=SELECT SUM( rating )FROM ds_image_ratings WHERE created ='x'
Notice: Undefined variable: scriptName in /home/destiney/domains/ratedsite.com/public_html/stats.php on line 624
Notice: Undefined variable: alt in /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code on line 4
Notice: Undefined variable: desc in /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d code on line 8
Full path disclosure only occurs when the error reporting level $GLOBALS[ 'SITE_DEBUG' ] is set on. In production mode, $GLOBALS[ 'SITE_DEBUG' ] = 0, so full paths are never shown. I don't consider this an exploit as the script users are told the proper setting for production deployment is 0. Nevertheless I have changed the default setting from 1 to 0 in the distribution copy of config.php-dist.
addWeblog.php Exploit: The input boxes for addweblog.php and leaveComments.php allow certain HTML tags, including the <div> tag. The comment reply input boxes do not allow certain HTML tags, one being the <div> tag. A user can add JavaScript to the div tag and commit an XSS.
Even though I am unable to find any example XSS code that works as you described, I will go ahead and remove the <div> tag from the allowed tag list in the config.php-dist file. A lot of people use this script, thanks for no early/private disclosure whatsoever.
Current thread:
- Destiney Rated Images Script v0.5.0 - XSS Vulnv luny (May 22)
- <Possible follow-ups>
- Re: Destiney Rated Images Script v0.5.0 - XSS Vulnv webmaster (May 24)
- Re: Destiney Rated Images Script v0.5.0 - XSS Vulnv Steven M. Christey (May 26)