-----------------------------
|| WWW.SMASH-THE-STACK.NET ||
-----------------------------

|| ADVISORY: SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL
____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: November 2007
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: www.smash-the-stack.net

_________________
|| 0x01: DATELINE

2007-11-02: Bug found
2007-11-03: Advisory released

____________________
|| 0x02: INFORMATION

The Shoutbox software provided by Script-Fun.de is vulnerable to HTML
and JavaScript injection. It is possible to execute code or manipulate
the whole page. The fields for "Name" and "Shout" are not sanitized and
therefore both can be manipulated with malicious content.

_____________________
|| 0x03: EXPLOITATION

No exploit is needed to test this vulnerability. You just need a working
web browser.

1: HTML Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input HTML code into the Name and/or Shout field. To make the whole shouts
being overlayed by your website you simple put

<meta http-equiv="refresh" content="0; URL=http://example.com/">

into the field(s)!

2: JavaScript Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input the needed JavaScript code into the Name and/or Shout field. For
example a simple popup could be constructed by inputting

<script>alert("XSS");</script> ...

If you manipulate both fields the code will be executed twice. The more often
you do this, the more often the code will be executed.

____________________
|| 0x04: GOOGLE DORK

intext:"SF-Shoutbox"

___________________
|| 0x05: RISK LEVEL

I would consider this a low critical vulnerability as this software is not
widely used. Nevertheless in bad cases an attacker could manipulate different
sites to show up his page, which then could try to attack the users browser
with common exploits, similar to IFrame injection.

<!> Happy Hacking <!>

____________________________________________________________
____________________________________________________________

THE END

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/