Bug: W-Agora 4.20 XSS ( Ascii Version )

Search:
WLB2

W-Agora 4.20 XSS

Published
Credit
Risk
2006.05.09
r0xes ratm gmail com
Low
CWE
CVE
Local
Remote
CWE-79
CVE-2006-2228
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

PLEASE NOTE: I am not sure if HTML is an option. I looked through the Administration panel and did not see an option for
it, and the fact that there is no BBcode leads me to believe that this is the method of BBCode/etc.

W-Agora is a fairly 'nice' bulletin board written in PHP. It allows multiple 'boards' (i.e. one with my forums and then
one with yours) and has a nice administration panel.

EXPLANATION:

Also, W-Agora allows users to post HTML - not everything you'd think, as things like script, frame, body, html, etc are
stripped. It also strips out 'on' anything, so you'd think that you cannot execute code -- right?

No. The regex to clean out 'on'anything is like this:

[code]' on([a-zA-Z]*)?=(.*)?'[/code]

If you don't see the problem, let me explain:

The filter expects that the = will come RIGHT after the On*! Therefore, if we put a space between it and the =, we do
not match up against it and it will let it pass!

Example:

[code]<b onMouseOver =eval('alert(/xss/)')>hi</b>[/code]

This renders both in IE & Firefox. =D

USAGE:

Since W-Agora can be configured to either set all userinfo in cookies or completely rely on sessions, this is mixed. If
you find a site that uses cookies, you could use this to steal them.

Shouts: digi7al64 - PrOtOn - Lockdown - WhiteAcid

Video @ http://dynxss.whiteacid.org/videos/w-agora420xss.rar :: 899kb

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version