
Full Disclosure mailing list archives
Re: Geeklog <= v1.6.0sr2 - Remote File Upload
From: Jaloh Smith <jal0h () hotmail com>
Date: Sun, 4 Oct 2009 15:47:15 +0000
>> Successful exploitation requires the ability to execute the uploaded JavaScript. The Geeklog Forum program can be used as an attack vector since it does not properly validate many $_GET / $_POST variables.
>
> Could you give us some more details about these XSS vulnerabilities? :) Cause all I see here is a RCE in the admin panel. You confirm that there are XSS but we don't have any details about them...
The easy one is when the forum allows anonymous posts and is configured for text posts. The anonymous user name is never filtered, so you can put anything there, including a reference to the javascript uploaded as the user profile image.

<script src="../images/userphotos/username.jpg"></script>
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
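The two defensive checks the reply implies, as an added example in Python that is not from the thread or from Geeklog itself: output-encoding the anonymous poster's name (the real fix for the forum bug) and refusing profile-photo uploads whose bytes are not an image. The function names, the image types accepted and the sample inputs are all assumptions made for the illustration.

```python
import html

# Leading bytes of the image formats a profile photo is allowed to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
EXT_TO_KIND = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}

def sniff_image(data: bytes):
    """Return the image type implied by the leading bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def validate_userphoto(filename: str, data: bytes) -> bool:
    """Accept an upload only if its bytes really are an image and the file
    extension agrees with them. A script stored as username.jpg fails here:
    a browser pulling the file in via <script src=...> ignores the .jpg
    suffix, so the name alone proves nothing about the content."""
    ext = filename.rsplit(".", 1)[-1].lower()
    kind = sniff_image(data)
    return kind is not None and EXT_TO_KIND.get(ext) == kind

def render_post_author(name: str) -> str:
    """HTML-encode the anonymous poster's name before it reaches the page.
    Once '<', '>' and '"' are encoded, a <script> tag in the name is shown
    as literal text rather than executed."""
    return '<span class="author">' + html.escape(name, quote=True) + "</span>"

if __name__ == "__main__":
    # Constructed samples: JavaScript misnamed as a photo, and a real JPEG header.
    fake_photo = b"alert(1)"
    real_photo = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
    print(validate_userphoto("username.jpg", fake_photo))  # False
    print(validate_userphoto("username.jpg", real_photo))  # True
    print(render_post_author('<script src="../images/userphotos/username.jpg"></script>'))
```

The encoding in render_post_author is the primary fix; the upload check is defence in depth, since a byte-level check can still be fooled by files that are both a valid image and valid JavaScript. Serving the userphotos directory with an image Content-Type and X-Content-Type-Options: nosniff stops browsers executing anything fetched from it as a script.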