[25191] in bugtraq
Another Faq-O-Matic XSS Vuln?
daemon@ATHENA.MIT.EDU (BrainRawt .)
Sat Apr 20 15:27:38 2002
From: "BrainRawt ." <brainrawt@hotmail.com>
To: bugtraq@securityfocus.com
Date: Fri, 19 Apr 2002 23:03:49 +0000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F990VRnsbMgKggfdoNa00000005@hotmail.com>
Another Faq-O-Matic XSS Vuln?
-----------------------------
I have seen other XSS advisories on bugtraq and securityfocus for
Faq-O-Matic, but I have not seen an advisory for this particular
vulnerability.
Faq-O-Matic XSS (cross site scripting) Vulnerability
Discovered By BrainRawt (http://rawt.daemon.sh)
About Faq-O-Matic:
------------------
The Faq-O-Matic is a CGI-based system that automates the process of
maintaining a FAQ (or Frequently Asked Questions list). It allows
visitors to your FAQ to take part in keeping it up-to-date.
Faq-O-Matic can be downloaded @
http://sourceforge.net/projects/faqomatic
Vulnerable (tested) Versions:
--------------------
Faq-O-Matic 2.712
Faq-O-Matic 2.711
Vendor Contact:
----------------
4-19-02 - An email was sent to jonhowell at users.sourceforge.net
          discussing this issue.
4-19-02 - An email was received from Jon Howell claiming that this
          vulnerability and others have been fixed in the current CVS
          tree, which hasn't been released yet.
NOTE: Jon seems like a great guy and, as you can see by the date,
      replied to my email VERY quickly. Thanks a lot Jon for your
      quick reply and I hope to see that new CVS tree released soon.
Vulnerability:
----------------
Faq-O-Matic's fom.cgi improperly filters the "file" parameter, which
can be changed by visitors to the site. If the "file" doesn't exist,
the script prints it to the HTML. A malicious visitor to this website
can change "file" from its original call and insert JavaScript into
the site. This vulnerability can be used for various purposes, from
website redirection to cookie theft.
Exploit (POC):
----------------
http://www.target.net/path_to_Faq-O-Matic/fom?file=<script>alert('If+this+script+was+modified,+it+could+easily+steal+amigadev.net+cookies+and+log+them+to+a+remote+location')</script>&step
--------------------------------------------------------------------------
Which Looks Better? BlackHat or White? You Decide! - BrainRawt
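
The reflected "file" pattern the advisory describes, next to a hardened
version, as an added example that is not Faq-O-Matic's own (Perl) code.
The page template, the allowlist pattern, KNOWN_FILES and the probe
value are all assumptions constructed for illustration.

```python
import html
import re

# Hypothetical allowlist for FAQ item names (assumption, not the project's rule).
VALID_FILE = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Constructed stand-in for the FAQ item files that exist on disk.
KNOWN_FILES = {"1", "2", "trash"}


def render_vulnerable(file_param):
    """Pattern from the advisory: an unknown 'file' is echoed verbatim."""
    if file_param in KNOWN_FILES:
        return "<html><body>FAQ item %s</body></html>" % file_param
    return "<html><body>File %s does not exist.</body></html>" % file_param


def render_hardened(file_param):
    """Validate on input, then encode on output for the HTML body context."""
    if VALID_FILE.fullmatch(file_param) and file_param in KNOWN_FILES:
        return "<html><body>FAQ item %s</body></html>" % html.escape(file_param)
    # Error path: the raw value never reaches the page unescaped.
    safe = html.escape(file_param, quote=True)
    return "<html><body>File %s does not exist.</body></html>" % safe


def reflects_markup(page, value):
    """Regression check: does a value containing markup appear unescaped?"""
    return ("<" in value or ">" in value) and value in page


# Constructed probe value; a harmless marker for the regression check.
PROBE = "<script>alert(1)</script>"

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        page = render(PROBE)
        print(render.__name__, "reflects markup:", reflects_markup(page, PROBE))
        print("  ", page)
```

The reflects_markup check can be run against every error path of a CGI
script as a regression test once the output encoding is in place.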