[33185] in bugtraq


TBE - the banner engine server-side script execution vulnerability

daemon@ATHENA.MIT.EDU (Ed J. Aivazian)
Thu Jan 22 12:07:26 2004

Date: Thu, 22 Jan 2004 13:25:27 +0400
From: "Ed J. Aivazian" <stealth@arminco.com>
Reply-To: "Ed J. Aivazian" <stealth@arminco.com>
Message-ID: <1704098750.20040122132527@arminco.com>
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in
Russia and countries of the former USSR.
TBE has all the basic features required for a beginner banner exchange
network, which, together with its low cost, has made it pretty popular.

Company: Native Solutions
Author: Ivan Stanislavsky
URL: http://www.native.ru


STATUS
==============================
Author notified, no reply yet


WHERE
==============================
html banner view/preview


HOW
==============================
TBE's html banner creation feature performs no checking and writes
the user's input directly into a file named
/bn/tbe-$user_id-$banner_id.html
In some configurations (especially at web-hosting companies) where
.html files are interpreted by the web server as
application/x-httpd-XXX, code written into the html banner by an
attacker will be executed every time the banner is previewed or viewed.


VERSIONS AFFECTED
==============================
Tested on TBE5; possibly all other versions that have the html banner
implementation


EXAMPLE
==============================
I was a bit lazy this morning, so I put something like this:
http://vision.am/~stealth/tbe1.jpg

And got this:
http://vision.am/~stealth/tbe2.jpg
The code is displayed in an iframe, so there is no difficulty scrolling
the window


RISK
==============================
web server privileges (danger varies depending on configuration)



-- 
Cheers,
ed
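
Added example, not part of the original advisory or of TBE: a check an administrator can run over a server configuration or .htaccess file to see whether .html/.htm files are handed to a script interpreter, which is the precondition described under HOW. It assumes Apache-style AddType/AddHandler syntax and also flags the cgi-script handler, going slightly beyond the application/x-httpd-XXX case in the text; the function name and the sample configuration are constructed for illustration.

```python
import re

# Apache-style directives that bind extensions to a MIME type or handler.
DIRECTIVE = re.compile(r'^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$', re.IGNORECASE)

# Values that make the server interpret the file instead of serving it:
# the application/x-httpd-XXX family from the advisory, plus cgi-script.
SCRIPT_TARGET = re.compile(r'^(application/x-httpd-[\w.-]+|cgi-script)$', re.IGNORECASE)

# Extensions the banner engine writes user-supplied content into.
HTML_EXTS = {"html", "htm"}


def risky_html_mappings(config_text):
    """Return (line_number, type_or_handler, extension) for every directive
    that causes .html/.htm files to be executed server-side."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):      # whole-line comment
            continue
        m = DIRECTIVE.match(raw)
        if not m or not SCRIPT_TARGET.match(m.group(2)):
            continue
        for ext in m.group(3).split():
            ext = ext.lstrip(".").lower()     # ".html" and "html" are both valid
            if ext in HTML_EXTS:
                findings.append((lineno, m.group(2).lower(), ext))
    return findings


# Constructed sample of a shared-hosting .htaccess (not taken from a real host).
SAMPLE = """\
# constructed shared-hosting .htaccess
AddType application/x-httpd-php .php .html
AddHandler cgi-script .cgi
  addhandler application/x-httpd-php5 htm
AddType text/html .html
# AddType application/x-httpd-php .html
"""

if __name__ == "__main__":
    for lineno, target, ext in risky_html_mappings(SAMPLE):
        print(f"line {lineno}: .{ext} files are executed as {target}")
```

Any finding that applies to the directory holding /bn/tbe-*.html means banner content there is executed rather than served as static markup.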

