[InterN0T] TBDev 01-01-2008 - Multiple Vulnerabilities
- From: security@xxxxxxxxxxxx
- Date: Fri, 12 Jun 2009 13:13:55 -0600
TBDev - Cross Site Scripting and HTML Injection Vulnerabilities
Version Affected: 01-01-2008 (16th January 2008) (newest)
Info: TBDEV.NET is a project to further enhance, update and develop a software (php peer-to-peer) from the original torrentbits/bytemonsoon source code.
-:: The Advisory ::-
Vulnerable Function / ID Calls:
Cross Site Scripting: (Sysops / Mods Only!)
Cross Site Script Redirection: (Sysops / Mods Only!)
Cross Site Script Redirection: (Anyone, the enduser will need to log in though)
-- Info field: </textarea><script>alert(0)</script> << is reflected locally only!
2b) Affected Sites by HTML Injection:
Internet Explorer 6 and perhaps 7 should be triggered by this.
Please see: http://ha.ckers.org/xss.html for more information.
Browser Tested: Internet Explorer 7 (FireFox 3 was tested for the other vulnerabilities)
-:: Solution ::-
Secure redirection calls with referer headers (just an example) and filter bad characters.
This system was fun to find bad code in, it sure had a nice diversity of vulnerabilities.
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.
All of the best,
- Prev by Date: [InterN0T] SkyBlueCanvas 1.1 r237 - Multiple Vulnerabilities
- Next by Date: [InterN0T] transLucid 1.75 - Multiple Vulnerabilities
- Previous by thread: [InterN0T] SkyBlueCanvas 1.1 r237 - Multiple Vulnerabilities
- Next by thread: [InterN0T] transLucid 1.75 - Multiple Vulnerabilities