Full Disclosure mailing list archives
XSS In mldonkey - But....
From: Chris Sharp <illectro2001 () yahoo com>
Date: Fri, 31 Oct 2003 11:27:45 -0800 (PST)
Mldonkey is an open source p2p client which supports a load of networks. It doesn't have a built-in UI; you can telnet into it, or there's a web interface which can be accessed from http://127.0.0.1:4080/ (or whatever port you configure it to run on). They've done a great job at making sure there are no XSS issues, especially with data coming from the network.

You can inject scripts into the html error page rather trivially using http://127.0.0.1:4080/<script>...</script>

But who cares? There are far more dangerous things you can do if you can make the mldonkey go to URLs, for example....

http://localhost:4080/submit?setoption=q&option=allowed_ips&value=255.255.255.255

This will unlock the IP based access control; suddenly everyone in the world can access the search interface. The whole control system is via http: you can search, download, whatever, all via http. If you can get the user to go to arbitrary URLs then you can do dangerous things directly without having to resort to XSS, although the XSS does have some uses in terms of automating multiple requests. Being really Evil is left as an exercise for the reader.

Now, if there were some method to inject html via responses to a p2p search, then the whole thing would be a little more interesting. Some media files may contain embedded URLs; that may be an interesting way of delivering payloads across a P2P network.

So, at the very least the web interface should include some referrer checking to ensure that commands aren't being generated from untrusted pages. This is a general problem with any application controlled via web interfaces.

Chris
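The referrer checking the post asks for, written out as an added example that is not part of the original message and not mldonkey's own code (mldonkey is written in OCaml; the function and constant names below are hypothetical, and the trusted origins are taken from the interface address the post mentions). A state-changing path such as /submit is accepted only when the browser reports that the request was generated by a page served from the interface itself; a missing Origin/Referer, or one pointing at another site, is treated as untrusted.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical names for this example. The origins are the default web
# interface address from the post; a real deployment would derive them from
# the configured listen port.
TRUSTED_ORIGINS = {"http://127.0.0.1:4080", "http://localhost:4080"}

# Paths that change state. /submit?setoption=... is the one the post shows.
STATE_CHANGING_PATHS = {"/submit"}


def request_origin(headers):
    """Return the scheme://host[:port] the browser says the request came from.

    Prefers the Origin header and falls back to Referer. Returns None when
    neither is present; a command without a provable origin is not trusted.
    """
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def is_command_allowed(path, headers):
    """Allow a state-changing request only if it was generated by a page the
    interface itself served. Read-only paths are not affected."""
    if path not in STATE_CHANGING_PATHS:
        return True
    return request_origin(headers) in TRUSTED_ORIGINS


def handle(raw_url, headers):
    """Tiny dispatcher standing in for the web interface: returns (status, message)."""
    parts = urlsplit(raw_url)
    if not is_command_allowed(parts.path, headers):
        return 403, "command rejected: request did not originate from the web interface"
    if parts.path == "/submit":
        params = parse_qs(parts.query)
        option = params.get("option", [""])[0]
        value = params.get("value", [""])[0]
        return 200, f"option {option} set to {value}"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: the option-change URL from the post, once
    # with no referrer (a link the user was sent to) and once from the
    # interface's own options page.
    url = "/submit?setoption=q&option=allowed_ips&value=255.255.255.255"
    print(handle(url, {}))
    print(handle(url, {"Referer": "http://127.0.0.1:4080/options"}))
```

Browsers may strip Referer for privacy and only send Origin on POST and cross-site requests, so the check above fails closed when neither header is present; pairing it with a per-session anti-CSRF token and accepting configuration changes only over POST is the more robust version of the same idea.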