Full Disclosure mailing list archives
Re: ifnet.it WEBIF XSS Vulnerability
From: reepex <reepex () gmail com>
Date: Mon, 22 Oct 2007 15:52:54 -0500
SHUT UP PDP SEND XSS TO SECURITY BASICS

On 10/22/07, SkyOut <skyout () gmx net> wrote:
-----------------------------
|| WWW.SMASH-THE-STACK.NET ||
-----------------------------

|| ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL
____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: October 2007
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: www.smash-the-stack.net

_________________
|| 0x01: DATELINE

2007-10-15: Bug found
2007-10-15: Email with notification sent to ifnet.it
2007-10-21: Still no reaction from ifnet.it
2007-10-22: Advisory released

____________________
|| 0x02: INFORMATION

In the WEBIF product by the Italian company ifnet, an error occurs due to
the fact of an unfiltered variable (cmd) in the webif.exe program. It is
possible to execute any JavaScript code by manipulating the parameter.

_____________________
|| 0x03: EXPLOITATION

To exploit this bug no exploit is needed, all can be done through
manipulation of the given URL:

STEP 1: Go to the standard page of the WEBIF product, normally existing at
"/cgi-bin/webif.exe". You will recognize some further parameters, being
"cmd", "config" and "outconfig".

STEP 2: Don't change any parameter except the "cmd" one. Change its value
to any JavaScript code you like. For our demo we will use the default one,
being "<script>alert('XSS');</script>".

STEP 3: Click ENTER and execute the code. A successful demonstration will
pop up a window.

EXAMPLE:

http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[ * ]&outconfig=[ * ]

[ * ] = Depends on the server. Don't change this!

____________________
|| 0x04: GOOGLE DORK

inurl:"/cgi-bin/webif/" intitle:"WEBIF"

___________________
|| 0x05: RISK LEVEL

- LOW - (1/3) -

<!> Happy Hacking <!>

____________________________________________________________
____________________________________________________________

THE END

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
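An added example, not part of either post and not ifnet's code: a log check for requests to webif.exe whose "cmd" parameter decodes to HTML markup, next to the output encoding that would neutralise the reflected value. The access-log format, the sample lines, the function names, and the assumption that cmd is echoed into an HTML text context are all constructed for illustration.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format); addresses and values are made up.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Oct/2007:15:01:02 +0000] '
    '"GET /webif/cgi-bin/webif.exe?cmd=search&config=a&outconfig=b HTTP/1.1" 200 5120',
    '192.0.2.44 - - [22/Oct/2007:15:03:40 +0000] '
    '"GET /webif/cgi-bin/webif.exe?cmd=%3Cscript%3Ealert(%27XSS%27)%3B%3C/script%3E'
    '&config=a&outconfig=b HTTP/1.1" 200 4890',
    '192.0.2.10 - - [22/Oct/2007:15:04:11 +0000] "GET /index.html?cmd=%3Cb%3E HTTP/1.1" 200 812',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that have no place in a plain command name and that start HTML markup
# or break out of an attribute once the value is reflected.
MARKUP_RE = re.compile(r'[<>"\']')


def suspicious_cmd_values(lines):
    """Return (client_ip, decoded_cmd) for webif.exe requests whose cmd carries markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/cgi-bin/webif.exe"):
            continue
        # parse_qs percent-decodes each value, so encoded payloads are seen in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("cmd", []):
            if MARKUP_RE.search(value):
                hits.append((line.split()[0], value))
    return hits


def render_cmd(value):
    """Encode cmd for an HTML text or quoted-attribute context before echoing it."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, cmd in suspicious_cmd_values(SAMPLE_LOG):
        print(f"{ip}: cmd={cmd!r} -> safe echo: {render_cmd(cmd)}")
```
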