TBE - the banner engine server-side script execution vulnerability

From: Ed J. Aivazian (stealth_at_arminco.com)
Date: 01/22/04

    Date: Thu, 22 Jan 2004 13:25:27 +0400
    To: bugtraq@securityfocus.com
    
    

    WHAT
    ==============================
    TBE - the banner engine is a banner exchange system widely used in
    Russia and countries of the former USSR.
    TBE has all the basic features required for a beginner banner exchange
    network and together with its low cost TBE got pretty popular.

    Company: Native Solutions
    Author: Ivan Stanislavsky
    URL: http://www.native.ru

    STATUS
    ==============================
    Author notified, no reply yet

    WHERE
    ==============================
    html banner view/preview

    HOW
    ==============================
    TBE's HTML banner creation feature performs no checking and writes
    the user's input directly into a file named
    /bn/tbe-$user_id-$banner_id.html
    In some configurations (especially at web-hosting companies) where
    .html files are interpreted by the web server as
    application/x-httpd-XXX, code written into the HTML banner by an
    attacker will be executed every time the banner is previewed or viewed.

    VERSIONS AFFECTED
    ==============================
    Tested on TBE5; possibly all other versions that implement HTML
    banners

    EXAMPLE
    ==============================
    I was a bit lazy this morning, so put something like this:
    http://vision.am/~stealth/tbe1.jpg

    And got this:
    http://vision.am/~stealth/tbe2.jpg
    The code is displayed in an iframe, so there is no difficulty scrolling
    the window

    RISK
    ==============================
    web server privileges (danger varies depending on configuration)

    -- 
    Cheers,
    ed
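
An added example, not part of the original advisory or of TBE's code: a configuration audit for the precondition described under HOW, flagging Apache mod_mime directives that map .html/.htm to an interpreted type or handler. The sample configuration is constructed, and the check also covers the cgi-script and server-parsed handlers, which goes beyond the application/x-httpd-XXX case in the text.

```python
import re

# mod_mime directives that bind a file extension to a media type or handler.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)
BANNER_EXTS = {"html", "htm"}  # TBE stores banners as /bn/tbe-$user_id-$banner_id.html
# Beyond the advisory's application/x-httpd-XXX: built-in handlers that also
# make Apache process the file instead of just sending it (CGI and SSI).
EXEC_HANDLERS = {"cgi-script", "server-parsed"}


def is_executing(target):
    """True if a type/handler name means the file is interpreted server-side."""
    target = target.lower()
    return target.startswith("application/x-httpd-") or target in EXEC_HANDLERS


def find_executable_html(config_text):
    """Return (line_no, directive, target, ext) for each risky .html mapping."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # Apache comment line
            continue
        m = DIRECTIVE.match(line)
        if not m or not is_executing(m.group(2)):
            continue
        for ext in m.group(3).split():
            ext = ext.lstrip(".").lower()  # ".HTML" and "html" are equivalent
            if ext in BANNER_EXTS:
                findings.append((line_no, m.group(1), m.group(2), ext))
    return findings


# Constructed sample: fragments as they might appear in httpd.conf or .htaccess.
SAMPLE_CONFIG = """\
# constructed example configuration
AddType text/html .html .htm
AddType application/x-httpd-php .php .html
AddHandler cgi-script .cgi
# AddType application/x-httpd-php .htm
AddHandler server-parsed .shtml .HTM
"""

if __name__ == "__main__":
    for line_no, directive, target, ext in find_executable_html(SAMPLE_CONFIG):
        print(f"line {line_no}: {directive} {target} makes .{ext} executable")
```

Any finding that applies to the directory holding the banner files means user-supplied banner content is interpreted by the server rather than served as static HTML.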
    
