Overview
-----------------------

A shoutbox is a fun tool webmasters put on their site that lets them receive feedback from users quickly. By typing in their name, site URL, and message, users can post comments, suggestions, praise, flames, etc. to the shoutbox, and it is seen by everyone who visits the site within seconds.

Impact
-----------------------

Endity.com's shoutBOX script allows users to inject code that is executed every time the shoutbox is viewed. Since shoutboxes are usually placed on the front page, where everyone sees them, this creates a problem for webmasters. Users can inject code that pops up windows displaying other sites, pops up message boxes, puts iframes that load other pages in place of the shoutbox, displays huge messages, and executes other JavaScript. Remote command execution may also be possible. There is currently only one version out, so if you downloaded it from their site and are running it, you are vulnerable!

Exploit
-----------------------

This problem occurs because the $site variable, which holds the website URL the user is supposed to enter when they post, does not get stripped of HTML tags. Therefore, instead of a URL, users can enter malicious HTML code. For it to work, users must first close the <a href tag that $site is placed into, like so:

In the Site URL text box, type in:

    "></a><your html code goes here><a href="

You must have "></a> at the beginning and <a href=" at the end; make sure you keep the quotes. In between those tags you can enter any HTML code or JavaScript you wish, and when you post it, it will be added to the shoutbox and therefore executed by every person who sees the shoutbox.

Here's a quick example of a simple annoying trick:

    "></a><h1>delusion 0wnz!!</h1><a href="

If you put that as your URL and post it on a vulnerable shoutbox, it will display "delusion 0wnz!!" in huge letters. There are many ways you can use this; play around with it, and share any cool things you find out.
If you get it to execute Linux commands, please let me know.

Solution
-----------------------

The solution is very simple. The problem occurs in board.php around line 74. Here's what it looks like:

    $name = strip_tags($name,"");
    if ($site == "http://") {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } elseif ($site == "") {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } else {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    }
    ....
    $info = strip_tags($info,"");

As you can see, $name and $info get stripped of all HTML tags, but $site does not. That is why there is this problem. The solution is simple, though. Simply add

    $site = strip_tags($site,"");

before the if ($site == "http://") block, so it looks like this:

    $name = strip_tags($name,"");
    $site = strip_tags($site,"");
    if ($site == "http://") {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } elseif ($site == "") {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    } else {
        $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
    }

Now HTML tags will not appear in the $site variable, and everything should be ok... for now >;)

I have contacted endity.com.

-----------------------
Vulnerability brought to you by,
delusion
http://digital-delusions.dyn.ee
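The strip_tags() patch above removes tags from $site, but $site is written straight into an href="..." attribute, and strip_tags() was never designed as an attribute-context encoder. The following is an added example, not code from the advisory or from the shoutBOX script, of how the same $name_link block can be rebuilt so that the value is encoded for the attribute with htmlspecialchars() and only accepted as a link when it is an http(s) URL. The function name build_name_link() and the sample posts are constructed for this example; the "http://" and "" cases mirror the three branches in board.php.

```php
<?php
// Added example (not the shoutBOX project's own code): a hardened
// replacement for the board.php block that builds $name_link.

function build_name_link(string $name, string $site): string
{
    // Encode for HTML output. ENT_QUOTES also escapes " and ', so the
    // value cannot close the href="..." attribute it is placed into.
    $safe_name = htmlspecialchars(trim($name), ENT_QUOTES, 'UTF-8');
    $site = trim($site);

    // The form pre-fills "http://"; treat that and an empty box as
    // "no site given" and print the plain name without a link.
    if ($site === '' || $site === 'http://') {
        return $safe_name;
    }

    // Accept only absolute http(s) URLs without whitespace, quotes or
    // angle brackets; anything else is printed as a plain name.
    if (!preg_match('~^https?://[^\s"\'<>]+$~i', $site)) {
        return $safe_name;
    }

    $safe_site = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
    return "<a href=\"$safe_site\" target=\"new\">$safe_name</a>";
}

// Constructed sample posts, including the tag-closing pattern from the
// advisory, to show that each case renders as inert text or a plain link.
$samples = [
    ['delusion', 'http://digital-delusions.dyn.ee'],
    ['someone',  'http://'],
    ['someone',  ''],
    ['someone',  '"></a><h1>delusion 0wnz!!</h1><a href="'],
];

foreach ($samples as [$name, $site]) {
    echo build_name_link($name, $site), "\n";
}
```

The first sample prints a normal link, the second and third print just the name, and the fourth prints only "someone" because the value fails the URL check; had it passed, the quotes and angle brackets would still have been encoded by htmlspecialchars() before reaching the attribute.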