sfshoutbox-inject.txt
Posted on 05 November 2007
----------------------------- || WWW.SMASH-THE-STACK.NET || ----------------------------- || ADVISORY: SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability _____________________ || 0x00: ABOUT ME || 0x01: DATELINE || 0x02: INFORMATION || 0x03: EXPLOITATION || 0x04: GOOGLE DORK || 0x05: RISK LEVEL ____________________________________________________________ ____________________________________________________________ _________________ || 0x00: ABOUT ME Author: SkyOut Date: November 2007 Contact: skyout[-at-]smash-the-stack[-dot-]net Website: www.smash-the-stack.net _________________ || 0x01: DATELINE 2007-11-02: Bug found 2007-11-03: Advisory released ____________________ || 0x02: INFORMATION The Shoutbox software provided by Script-Fun.de is vulnerable to HTML and JavaScript injection. It is possible to execute code or manipulate the whole page. The fields for "Name" and "Shout" are not sanitized and therefore both can be manipulated with malicious content. _____________________ || 0x03: EXPLOITATION No exploit is needed to test this vulnerability. You just need a working web browser. 1: HTML Injection Go to the main page of the Shoutbox software, normally located at "main.php" and input HTML code into the Name and/or Shout field. To make the whole shouts being overlayed by your website you simple put <meta http-equiv="refresh" content="0; URL=http://example.com/"> into the field(s)! 2: JavaScript Injection Go to the main page of the Shoutbox software, normally located at "main.php" and input the needed JavaScript code into the Name and/or Shout field. For example a simple popup could be constructed by inputting <script>alert("XSS");</script> ... If you manipulate both fields the code will be executed twice. The more often you do this, the more often the code will be executed. ____________________ || 0x04: GOOGLE DORK intext:"SF-Shoutbox" ___________________ || 0x05: RISK LEVEL I would consider this a low critical vulnerability as this software is not widely used. Nevertheless in bad cases an attacker could manipulate different sites to show up his page, which then could try to attack the users browser with common exploits, similar to IFrame injection. <!> Happy Hacking <!> ____________________________________________________________ ____________________________________________________________ THE END _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/