Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18362
HistoryNov 07, 2007 - 12:00 a.m.

[Full-disclosure] SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability

2007-11-0700:00:00
vulners.com
142

|| WWW.SMASH-THE-STACK.NET ||

|| ADVISORY: SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability


|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL




|| 0x00: ABOUT ME

Author: SkyOut
Date: November 2007
Contact: skyout[-at-]smash-the-stack[-dot-]net
Website: www.smash-the-stack.net


|| 0x01: DATELINE

2007-11-02: Bug found
2007-11-03: Advisory released


|| 0x02: INFORMATION

The Shoutbox software provided by Script-Fun.de is vulnerable to HTML
and JavaScript injection. It is possible to execute code or manipulate
the whole page. The fields for "Name" and "Shout" are not sanitized and
therefore both can be manipulated with malicious content.


|| 0x03: EXPLOITATION

No exploit is needed to test this vulnerability. You just need a working
web browser.

1: HTML Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input HTML code into the Name and/or Shout field. To make the whole shouts
being overlayed by your website you simple put

<meta http-equiv="refresh" content="0; URL=http://example.com/&quot;&gt;

into the field(s)!

2: JavaScript Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input the needed JavaScript code into the Name and/or Shout field. For
example a simple popup could be constructed by inputting

<script>alert("XSS");</script> …

If you manipulate both fields the code will be executed twice. The more often
you do this, the more often the code will be executed.


|| 0x04: GOOGLE DORK

intext:"SF-Shoutbox"


|| 0x05: RISK LEVEL

I would consider this a low critical vulnerability as this software is not
widely used. Nevertheless in bad cases an attacker could manipulate different
sites to show up his page, which then could try to attack the users browser
with common exploits, similar to IFrame injection.

<!> Happy Hacking <!>



THE END


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/