[34148] in bugtraq
RE: YaBB/YaBBse Cross Site Scripting Vulnerability
daemon@ATHENA.MIT.EDU (Frog Man)
Tue Mar 16 18:50:40 2004
From: "Frog Man" <leseulfrog@hotmail.com>
To: apple_soup@msn.com
Cc: bugtraq@securityfocus.com
Date: Tue, 16 Mar 2004 23:01:58 +0100
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1; format=flowed
Message-ID: <BAY14-F15uJqRclslvr00061197@hotmail.com>
Hello,
this hole was discovered on 29/02/04 and published in french here :
http://www.phpsecure.info/v2/tutos/frog/YaBBSE-XSSPermanent.txt
We were waiting an official security fix by the YabbSE team (since 1 month)
to published the hole on some mailing-lists but they always didn't make
anything.
Another security hole is :
[glow=red,2);background:url(javascript:[SCRIPT],300]text[/glow]
The new YabbSE-Team's project (SMF 1.0b http://www.simplemachines.org )
seems to be bugged too.
To fix these holes, you just have to replaced the lines :
--------------------------------------------------------------------------
'/\[glow=(.+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
'/\[shadow=(.+?),(.+?)\](.+?)\[\/shadow\]/eis',
--------------------------------------------------------------------------
by :
-----------------------------------------------------------------------------------
'/\[glow=([[:alpha:]]+?),(.+?),(.+?)\](.+?)\[\/glow\]/eis',
'/\[shadow=([[:alpha:]]+?),(.+?)\](.+?)\[\/shadow\]/eis',
-----------------------------------------------------------------------------------
and the line :
-----------------------------------------------------------------------------------------------------------------------------
"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1,
strength=' . ('\\2' < 255 ? '\\2' : '255') . ');\">' . \"\\4\" .
'</td></tr></table>'",
-----------------------------------------------------------------------------------------------------------------------------
by :
-----------------------------------------------------------------------------------------------------------------------------
"'<table style=\"border 0px;\"><tr><td style=\"filter:Glow(color=\\1,
strength=' . intval( ('\\2' < 255 ? '\\2' : '255') ) . ');\">' . \"\\4\" .
'</td></tr></table>'",
-----------------------------------------------------------------------------------------------------------------------------
in the file Sources/Subs.php.
A fix can be found on http://www.phpsecure.info
Sorry for my poor english,
Germain Randaxhe aka frog-m@n
http://www.phpsecure.info
http://www.security-corporation.com
>From: Cheng Peng Su <apple_soup@msn.com>
>To: bugtraq@securityfocus.com
>Subject: YaBB/YaBBse Cross Site Scripting Vulnerability
>Date: 14 Mar 2004 07:52:07 -0000
>
>
>
>
>#####################################################################
>
> Advisory Name : YaBB/YaBBse Cross Site Scripting Vulnerability
> Release Date : Mar 14,2004
> Application : YaBB/YaBBse
> Test On : YaBB 1 Gold(SP1.3)
> YaBB SE 1.5.1 Final
> Vendor URL : http://www.yabbforum.com/
> http://www.yabbse.org/
> Discover : Cheng Peng Su(apple_soup_at_msn.com)
>
>#####################################################################
>
> Proof of conecpt:
> The problem is in [glow] and [shadow] tag,yabb doesn't filter
> the charactor in this tag,attack needn't visitor to click any
> links,just when the vistor read the thread,XSS code will be
> executed.
>
> Exploit:
> [glow=red);background:url(javascript:alert(document.cookie));filte
> r:glow(color=red,2,300]Big Exploit[/glow]
> [shadow=red);background:url(javascript:alert(document.cookie));fil
> ter:shadow(color=red,left,300]Big Exploit[/shadow]
>
> Contact:
> Cheng Peng Su
> Class 1,Senior 2,High school attached to Wuhan University
> Wuhan,Hubei,China(430072)
> apple_soup_at_msn.com
>
>
>
>
_________________________________________________________________
L'horoscope zodiacale du jour http://www.fr.msn.be/horoscope
