> Effected Files:

You mean affected?  `Effected` is not a word.



> addWeblog.php


I pasted the following example XSS code into both form fields, and saw no 
evidence of XSS vulnerabilities:


<DIV STYLE="background-image: url(javascript:alert('XSS'))">


<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">


<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">


<DIV STYLE="width: expression(alert('XSS'));">



Did you have an example of a <div> tag that works?



> leaveCommentReply.php


Since the same form input cleansing code is in place for all forms and incoming 
GPC data site-wide, I did not test this form page.



> stats.php
>
> ------
>
> stats.php Exploit:
>
> SQL Injection of stats.php leads to full path disclosures.
>
> Example:
>
> http://www.example.com/stats.php?s=SELECT SUM( rating )FROM ds_image_ratings
> WHERE created ='x'
>
> Notice: Undefined variable: scriptName in
> /home/destiney/domains/ratedsite.com/public_html/stats.php on line 624
>
> Notice: Undefined variable: alt in
> /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d
> code on line 4
>
> Notice: Undefined variable: desc in
> /home/destiney/domains/ratedsite.com/public_html/stats.php(640) : eval()'d
> code on line 8


Full path disclosure only occurs when the error reporting level $GLOBALS[ 
'SITE_DEBUG' ] is set on.  In production mode, $GLOBALS[ 'SITE_DEBUG' ] = 0, so 
full paths are never shown.  I don't consider this an exploit as the script 
users are told the proper setting for production deployment is 0.  Nevertheless 
I have changed the default setting from 1 to 0 in the distribution copy of 
config.php-dist.



> addWeblog.php Exploit:
>
> The input box for addweblog.php and leaveComments.php allows certain HTML
> tags, including the <div> tag.
>
> The comment reply input boxes not allow certain HTML tags, one being the
> <div> tag. A user can add JavaScript to the div tag and commit an XSS.


Even though I am unable to find any example XSS code that works as you 
described, I will go ahead and remove the <div> tag from the allowed tag list 
in the config.php-dist file.



A lot of people use this script, thanks for no early/private disclosure 
whatsoever.
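An added example, written by the editor in Python and not taken from the script under discussion or from either poster: an allowlist sanitizer showing why dropping <div> from the allowed tag list is only half of the fix. Any tag that is kept must also have its attributes filtered, otherwise `style="...expression(...)"` or `onmouseover` ride along on a permitted tag. The four payloads quoted in the thread are run through it and come out empty. Tag and attribute lists here are the editor's assumptions, not the script's config.php-dist.

```python
from html import escape
from html.parser import HTMLParser

# Editor's illustration, not the ratedsite script's own filter. The tag allowlist
# omits "div" (as the maintainer's fix does); the attribute allowlist is what
# stops style= / on*= on the tags that remain.
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "a"}   # assumed list, no "div"
ALLOWED_ATTRS = {"a": {"href"}}                            # never style or on*
SAFE_SCHEMES = ("http://", "https://", "mailto:")          # blocks javascript: etc.


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                          # tag dropped, its text content is kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                    # style, onmouseover, ... silently removed
            if name == "href" and not (value or "").lower().startswith(SAFE_SCHEMES):
                continue                    # href must carry an allowed scheme
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))       # text nodes are always entity-encoded


def sanitize(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# The four payloads quoted in the thread (raw strings so \0075 etc. stay literal).
PAYLOADS = [
    r"""<DIV STYLE="background-image: url(javascript:alert('XSS'))">""",
    r"""<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">""",
    r"""<DIV STYLE="background-image: url(&#1;javascript:alert('XSS'))">""",
    r"""<DIV STYLE="width: expression(alert('XSS'));">""",
]
```

Every entry in `PAYLOADS` sanitizes to an empty string, while benign markup such as `<b>hi</b>` survives with its event-handler and `style` attributes stripped.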
