WHAT
==============================
TBE - the banner engine is a banner exchange system widely used in Russia and countries of the former USSR. TBE has all the basic features required for a beginner banner exchange network, and together with its low cost this made TBE pretty popular.

Company: Native Solutions
Author: Ivan Stanislavsky
URL - http://www.native.ru

STATUS
==============================
Author notified, no reply yet

WHERE
==============================
html banner view/preview

HOW
==============================
TBE's html banner create feature does not perform any checks and passes the user's input directly into a file named /bn/tbe-$user_id-$banner_id.html

With some configurations (especially at web-hosting companies) where .html files are interpreted by the web server as application/x-httpd-XXX, the code written into the html banner by an attacker will be executed every time the banner is previewed or viewed.

VERSIONS AFFECTED
==============================
Tested on TBE5, possibly all other versions that have the html banner implementation

EXAMPLE
==============================
I was a bit lazy this morning, so put something like this:
http://vision.am/~stealth/tbe1.jpg

And got this:
http://vision.am/~stealth/tbe2.jpg

The code is displayed in an iframe, so there is no difficulty scrolling the window

RISK
==============================
web server privileges (danger varies depending on configuration)

--
Cheers,
ed
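
Added example (not part of the original advisory and not TBE code): a small audit that flags the precondition described under HOW, i.e. Apache-style AddType/AddHandler lines that hand .html or .htm files to a server-side interpreter. The sample configuration, the function names and the list of non-executing handlers are assumptions made for illustration; line continuations and SetHandler blocks are not covered.

```python
import re

# Extensions used by the banner files named in the advisory
# (/bn/tbe-$user_id-$banner_id.html), plus the common .htm variant.
BANNER_EXTS = {".html", ".htm"}

# Apache handlers that serve a file without running code embedded in it.
NON_EXECUTING_HANDLERS = {"type-map", "send-as-is", "imap-file", "default-handler"}

# AddType <media-type> <ext>...   /   AddHandler <handler> <ext>...
# Commented-out directives start with '#' and therefore never match.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def executes(directive, target):
    """True when the mapping passes matching files to an interpreter."""
    target = target.lower()
    if directive.lower() == "addtype":
        # The advisory's application/x-httpd-XXX case.
        return target.startswith("application/x-httpd-")
    return target not in NON_EXECUTING_HANDLERS


def audit(config_text):
    """Return (line_no, directive, target, ext) for each risky mapping."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(raw)
        if not match:
            continue
        directive, target, exts = match.groups()
        if not executes(directive, target):
            continue
        for ext in exts.split():
            ext = "." + ext.lower().lstrip(".")  # Apache accepts "html" and ".html"
            if ext in BANNER_EXTS:
                findings.append((line_no, directive, target, ext))
    return findings


# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# constructed sample
AddType text/html .html .htm
AddType application/x-httpd-php .php .html
AddHandler server-parsed .shtml
  addhandler application/x-httpd-php5 htm
#AddType application/x-httpd-php .html
AddHandler type-map .var
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %s %s maps %s to an interpreter" % finding)
```

Run it over the server configuration and any .htaccess file that applies to the directory where the banner files are written; a finding means user-supplied banner content in that directory would be interpreted rather than served as static markup.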