hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > The Archives > Exploit Articles
--Elite--
Jan 20 2004, 10:14 PM
Hi all ,
here ia the advisory of new css bug , found for vBulletin , wich
allow attacket to retervive the stored data on server ,such as user info
encrypted passwords and etc...

===
CODE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------
GERMAN COMPUTER FREAKS - SECURITY ADVISORY - SINCE 1997
                 January 20st, 2003
- - -------------------------------------------------------

 Software      : vBulletin Bulletin Board
 Vendor        : Jelsoft Enterprises Limited / inGame GmbH
 Vulnerability : Cross Site Scripting
 Status        : Author has been notified

- - ------------------------------------------------------

- - - - Description

   vBulletin Bulletin Board derivatives contain a security bug
  that may lead to disclosure of private informations due to a
  cross site scripting attack.

   This vulnerability may enable an attacker to transmit sensitive
  informations like 'encrypted' passwords, user identification
  numbers or forum passwords to another server.

   Currently, we will refrain from publishing proof of concept
  information to mitigate the impact of this vulnerability.

- - - - Technical Details

   Due to an improper quoted field in register.php it's possible
  to inject malicious HTML code. With the use of Javascript code
  an attack is then able to send sensitive informations (like
  cookies) to a foreign server.

  Attack Example:

  <form action="http://www.VULN-BOARD.com/register.php" method="GET">
  <input type="hidden" name="reg_site"
   value="<script><!-- EVIL CODE //--></SCRIPT>"/>
  <input type="text" name="email" value="" />
  <input type="submit" value="Show my cookies" />

- - - - Patch

   The vendor released a patch for this vulnerability.

- - - - Closing Words

 07.01.04  Contacting the board developers and explaining the vulnerability
 08.01.04  Developing a proof of concept tool (undisclosed)
 20.01.04  Disclosure of this advisory to public

- - - - Greets

    This bug was found by Darkwell. We would like to great Natok!
    He's great!

                       _________________ ___________
                      /  _____/\_   ___ \\_   _____/
                     /   \  ___/    \  \/ |    __)
                     \    \_\  \     \____|     \
                      \______  /\______  /\___  /
                             \/        \/     \/
                       The German Computer Freaks
                        www.gcf.de    Since 1997             /\
                                                            /  \
____________________________________________________________/ # /
                                                           \  /
                                                            \/

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.3

wkYEARECAAYFAkANbpsACgkQcd4BvfErJcpzFQCggXQa7WHVZslM1e/3ahG333e8lrMA
oL1vBo7v3oJjMNxhzf3oINBIp8e6
=msHO
-----END PGP SIGNATURE-----




Concerned about your privacy? Follow this link to get
FREE encrypted email: https://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
https://www.hushmail.com/services.php?subloc=messenger&l=434

Promote security and make money with the Hushmail Affiliate Program:
https://www.hushmail.com/about.php?subloc=affiliate&l=427




as u see , they won`t publish code these days ,
but as it`s a css , it must be easy to build ours ,
upon the given sample.
( exclude me pls . i`m not a coder tongue.gif )
pita
Jan 20 2004, 11:48 PM
i dont have any vbb to test this but it seem to be very simple

CODE

http://site/register.php?reg_site=<script>alert('lol')</script>&email=mail@mail.com


and that will execute the javascript script.


boshcash
Jan 21 2004, 01:33 AM
XSS vulns are lame , i didnt ever try to use an XSS vuln , it is a low level vuln ..
SyN/AcK
Jan 21 2004, 08:22 AM
QUOTE (boshcash @ Jan 21 2004, 01:33 AM)
XSS vulns are lame , i didnt ever try to use an XSS vuln , it is a low level vuln ..

I disagree with this. A hacker must always be aware that any crack can lead to a full breach if given enough time.
Yorn
Jan 21 2004, 02:43 PM
boshcash,

If you're so admant that XSS vulnerabilities are lame, give me your email address for Yahoo, Hotmail, or whatever free email service you currently use. I'll show you some cool tricks.
isaiah
Jan 21 2004, 03:13 PM
well i wanna see cool stuff my email is isaiah33@adelphia.net
ghasedak
Jan 21 2004, 05:21 PM
My mail is pesar_koochaka@yahoo.com
please send me your cools wink.gif
--Elite--
Jan 21 2004, 08:22 PM
For those guys who think it`s a lame one ,
i should mention that it`s possible to extract the admin password (encrypted ), by
this lame bug . and again it`s just a simple local attack wich expose the password string wink.gif
l3est_Hacker
Jan 21 2004, 08:23 PM
it's my Email Address ~~~> l3est_Hacker@Yahoo.com
thX!;)
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.