Bugtraq mailing list archives

Code injection Vulnerability in endity.com's shoutBOX


From: "<-delusion->" <delusi0n () bellsouth net>
Date: Mon, 29 Jul 2002 19:52:30 -0400

Overview
-----------------------
A shoutbox is a tool webmasters put on their site so they can receive feedback
from users quickly. By typing in their name, site URL and message, users can
post comments, suggestions, praise, flames, etc. to the shoutbox, and it is
seen by everyone who visits the site within seconds.

Impact
-----------------------
Endity.com's shoutBOX script allows users to inject HTML and JavaScript that is
stored and executed every time the shoutbox is viewed (stored cross-site
scripting). Since shoutboxes are usually placed on the front page, where
everyone sees them, this is a serious problem for webmasters. Users can inject
code that pops up windows displaying other sites, pops up message boxes,
replaces the shoutbox with an iframe that loads a different page, displays huge
messages, or runs arbitrary JavaScript in the context of the affected site. The
injected code runs in each visitor's browser, not on the server; remote command
execution is not demonstrated here. There is currently one version out, so if
you downloaded it from their site and are running it, you are vulnerable!

Exploit
-----------------------
This problem occurs because the $site variable, which holds the website URL the
user is supposed to enter when they post, is not stripped of HTML tags. Instead
of a URL, a user can therefore submit malicious HTML. For it to work, the user
must first close the <a href="..."> tag that $site is placed into, like so:

In the Site URL text box, type in

"></a><your html code goes here><a href="

You must have "></a> at the beginning and <a href=" at the end; make sure you
keep the quotes. Between those tags you can enter any HTML or JavaScript you
wish, and when you post it, it is added to the shoutbox and therefore rendered
(and any script executed) by every person who views the shoutbox. Here is a
quick example of a simple annoying trick:

"></a><h1>delusion 0wnz!!</h1><a href="

If you put that as your URL and post it to a vulnerable shoutbox, the markup
that ends up on the page is
<a href=""></a><h1>delusion 0wnz!!</h1><a href="" target="new">name</a>,
so "delusion 0wnz!!" is displayed in huge letters.

There are many ways you can use this; play around with it, and share any
cool things you find out. If you get it to execute Linux commands, please let
me know.



Solution
-----------------------
The solution is very simple. The problem occurs in board.php around line 74;
here is what it looks like:

$name = strip_tags($name,"");

// $site is interpolated into the href attribute with no filtering at all
if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
}
....

$info = strip_tags($info,"");


As you can see, $name and $info are stripped of all HTML tags, but $site is
not; that is why the problem exists. The fix is simple: add

$site = strip_tags($site,"");

before the if/elseif/else block that builds $name_link, so it looks like this:

$name = strip_tags($name,"");
$site = strip_tags($site,"");   // the added line

if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
}

Now HTML tags will no longer appear in the $site variable, so the "></a>
payload above is neutralised. Note that strip_tags() only removes <...>
sequences: it does not touch double quotes, so a value such as
" onmouseover="alert(1) still breaks out of the href attribute, and it does not
reject a javascript: URL either. For a complete fix, escape $site with
htmlspecialchars() (with ENT_QUOTES) before putting it into the attribute and
only accept http:// and https:// URLs. Everything should be ok... for now >;)
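
The following PHP is added here as an illustration; it is not part of the
advisory or of endity.com's shoutBOX. It models the $name_link construction from
board.php at three levels of filtering: none (the shipped behaviour as described
above), the strip_tags() fix from the Solution section, and a hardened version
that validates the URL scheme and escapes for the attribute context. The
function names and the sample inputs are constructed for this example.

```php
<?php
// Added example, not code from the advisory or from endity.com's shoutBOX.
// Three ways of building the $name_link line from board.php, fed with
// constructed attacker-controlled values for $site.

// 1. Shipped behaviour as described in the advisory: $name is stripped,
//    $site is interpolated into the href attribute untouched.
function link_unfiltered(string $name, string $site): string
{
    $name = strip_tags($name);
    return "<a href=\"$site\" target=\"new\">$name</a>";
}

// 2. The advisory's fix: strip_tags() on $site as well. This removes <...>
//    sequences only; quotes and the URL scheme are left alone.
function link_strip_tags(string $name, string $site): string
{
    $name = strip_tags($name);
    $site = strip_tags($site);
    return "<a href=\"$site\" target=\"new\">$name</a>";
}

// 3. Hardened: accept only syntactically valid http/https URLs, then escape
//    for the attribute context. filter_var() alone is not enough because
//    FILTER_VALIDATE_URL does not restrict the scheme, so it is checked
//    explicitly. Bad input is rendered as plain text with no link at all.
function link_hardened(string $name, string $site): string
{
    $name   = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    $scheme = strtolower((string) parse_url($site, PHP_URL_SCHEME));
    if (filter_var($site, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        return $name;
    }
    $site = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$site\" target=\"new\" rel=\"noopener\">$name</a>";
}

// Constructed sample inputs: the advisory's payload, two inputs that contain
// no tags at all, and a benign URL.
$payloads = [
    'advisory payload'             => '"></a><h1>delusion 0wnz!!</h1><a href="',
    'attribute breakout (no tags)' => '" onmouseover="alert(1)',
    'javascript: URL (no tags)'    => 'javascript:alert(1)',
    'benign URL'                   => 'http://example.com/',
];

foreach ($payloads as $label => $site) {
    echo "== $label ==\n";
    echo "unfiltered: ", link_unfiltered('delusion', $site), "\n";
    echo "strip_tags: ", link_strip_tags('delusion', $site), "\n";
    echo "hardened:   ", link_hardened('delusion', $site), "\n\n";
}
```

Run it with the php CLI and compare the three lines printed for each payload.
strip_tags() neutralises the advisory's "></a> payload, but the
" onmouseover="alert(1) value comes through unchanged and lands inside the
href attribute as an event handler, and javascript:alert(1) becomes a link that
runs script when clicked. Only the hardened version, which escapes the quotes
and refuses non-http(s) schemes, handles all four inputs safely.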

I have contacted endity.com.


-----------------------
Vulnerability brought to you by,
delusion
http://digital-delusions.dyn.ee


