Details : SecurityAlert

  Topic : TextFileBB 1.0.16 Multiple XSS
  SecurityAlert : 828
  CVE : CVE-2006-2143
  SecurityRisk : Low  alert  (About)
  Remote Exploit : Yes
  Local Exploit : No
  Exploit Given : Yes
  Credit : r0xes ratm gmail com
  Published : 03.05.2006

  Affected Software : TextFileBB 1.0.16



  Advisory Text :  

TextFileBB is a flat-file based bulletin board system written in PHP.

There are 3 different XSS vulnerabilities in this software at the moment,
which I found about half an hour ago =D

Anyway, the XSS lies in these tags:

[color]

[size]

[url]

EXPLANATION:

Firstly, we'll explain [color].

[code][.color=#00'">0FFF] """xss [/color][/code]

Would give us:

[code]<font >0fff="" color="#000000"> """xss </font>[/code]

Therefore we can see that we actually are breaking the tag and that our
last part (0FFF) is stripped (funnily enough, I found this by a typo).

So, we need to do:

[code][.color=#00F"onMouseOver='alert(/xss/)' x="]h0n0[/color][/code]

As this would give us:

[code]<font onmouseover="alert(/xss/)" x=""
color="#000000">h0n0</font>[/code]

We use the #00F to start the color (so that it IS parsed [attempted to be]
by the parser), and break out of that with our quote - it'll be replaced
with a space. The color will be left as #000000. I added the x="" attribute
because I noticed it wouldn't render in IE for some weird reason.

NEXT: [size].

This is basically the same as [color], but a tad different.

[code][.size=7" OnMouseOver="alert(/xss/)]Clicky Here [/size][/code]

We break out of the size with the first quote, and then use our MouseOver -
we do not close the MouseOver ourselves because the parser will enclose
everything in "".

Turns into: (something like)

[code]<font size="7" onMouseOver="alert(/xss/)">Clicky Here</font>[/code]

LAST: [url].

I don't think the parser cares whether or not you include the http://, but
I added it just as an example.

[code][.url=http://" OnMouseOver="alert(/xss/)]hmm[/url][/code]

Same as with [size], we break out of the href and then do not add a " to
the end because the parser will do it for us.
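
As an added illustration (not TextFileBB's code), a minimal Python BBCode converter for the three tags above: `naive_bbcode` models the pattern they share, a tag argument dropped into an HTML attribute without validation, and `safe_bbcode` shows the mitigation, a strict allow-list per argument plus attribute escaping. Function and regex names are invented for this example.

```python
import html
import re

# Constructed example: a BBCode -> HTML converter for [color], [size] and [url].
# TAG_RE captures the tag name, its "=" argument and the enclosed body.
TAG_RE = re.compile(r"\[(color|size|url)=([^\]]*)\](.*?)\[/\1\]",
                    re.IGNORECASE | re.DOTALL)


def naive_bbcode(text: str) -> str:
    """Vulnerable pattern: the argument goes straight into the attribute."""
    def sub(m):
        tag, arg, body = m.group(1).lower(), m.group(2), m.group(3)
        if tag == "color":
            return f'<font color="{arg}">{body}</font>'
        if tag == "size":
            return f'<font size="{arg}">{body}</font>'
        return f'<a href="{arg}">{body}</a>'
    return TAG_RE.sub(sub, text)


# Allow-lists: a #RGB/#RRGGBB colour, a size 1..7, an http(s) URL with no
# whitespace, quotes or angle brackets. Anything else is rejected outright.
COLOR_RE = re.compile(r"^#[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$")
SIZE_RE = re.compile(r"^[1-7]$")
URL_RE = re.compile(r"^https?://[^\s\"'<>]+$")
RULES = {"color": COLOR_RE, "size": SIZE_RE, "url": URL_RE}


def safe_bbcode(text: str) -> str:
    """Hardened: validate the argument, escape body and attribute, else drop the tag."""
    def sub(m):
        tag, arg = m.group(1).lower(), m.group(2)
        body = html.escape(m.group(3))
        if not RULES[tag].match(arg):
            return body  # argument rejected: render the inner text only
        attr = html.escape(arg, quote=True)
        if tag == "color":
            return f'<font color="{attr}">{body}</font>'
        if tag == "size":
            return f'<font size="{attr}">{body}</font>'
        return f'<a href="{attr}">{body}</a>'
    return TAG_RE.sub(sub, text)


if __name__ == "__main__":
    sample = "[color=#00F\"onMouseOver='alert(/xss/)' x=\"]h0n0[/color]"
    print("naive:", naive_bbcode(sample))
    print("safe: ", safe_bbcode(sample))
```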

USAGE:

TextFileBB stores user information in cookies, so you could steal the
administrator's cookies and take over the board.

Credits: me =D

Shouts: digi7al64 - PrOtOn - Lockdown - WhiteAcid

Video @ http://dynxss.whiteacid.org/videos/TextFileBB_1.0.16-final.rar :: 8mb
