Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: b06-1935.htm

TextFileBB 1.0.16 Multiple XSS



TextFileBB 1.0.16 Multiple XSS
TextFileBB 1.0.16 Multiple XSS



TextFileBB is a flat-file based bulletin board system written in PHP.=0D
=0D
There are 3 different XSS vulnerabilities in this software at the moment, which I found about half an hour ago =D=0D
=0D
Anyway, the XSS lies in these tags:=0D
[color]=0D
[size]=0D
[url]=0D
=0D
=0D
EXPLANATION:=0D
=0D
Firstly, we'll explain [color].=0D
=0D
[code][.color=#00'">0FFF] """xss [/color][/code]=0D
=0D
Would give us:=0D
[code]0fff="" color="#000000"> """xss [/code]=0D
=0D
Therefore we can see that we actually are breaking the tag and that our last part (0FFF) is stripped (funnily enough I found this by typo.)=0D
=0D
So, we need to do:=0D
=0D
[code][.color=#00F"onMouseOver='alert(/xss/)' x="]h0n0[/color][/code]=0D
=0D
As this would give us:=0D
[code]h0n0[/code]=0D
=0D
We use the #00F to start the color (so that it IS parsed [attempted to be] by the parser), and break out of that with our quote - it'll be replaced with a space. The color will be left as #000000. I added the x="" attribute because I noticed it wouldn't render in IE for some wierd reason.=0D
=0D
NEXT: [size].=0D
=0D
This is basically the same as [color], but tad different.=0D
=0D
[code][.size=7" OnMouseOver="alert(/xss/)]Clicky Here [/size][/code]=0D
We break out of the size with the first quote, and then use our MouseOver - we do not close the MouseOver ourselves because the parser will enclose everything in "".=0D
Turns into: (something like)=0D
=0D
[code]Clicky Here[/code]=0D
=0D
LAST: [url].=0D
=0D
I don't think the parser cares whether or not you include the http://, but I added it just as an example.=0D 
=0D
[code][.url=http://" OnMouseOver="alert(/xss/)]hmm[/url][/code]=0D 
Same as with [size], we break out of the href and then do not add a " to the end because the parser will do it for us.=0D
=0D
=0D
=0D
USAGE:=0D
TextFileBB stores user information in cookies, so you could steal the administrator's cookies and take over the board.=0D
=0D
=0D
Credits: me =D=0D
=0D
Shouts: digi7al64 - PrOtOn - Lockdown - WhiteAcid=0D
=0D
Video @ http://dynxss.whiteacid.org/videos/TextFileBB_1.0.16-final.rar]http://dynxss.whiteacid.org/videos/TextFil....0.16-final.rar :: 8mb 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH