
Code injection Vulnerability in endity.com's shoutBOX

by Nikola Strahija on July 30th, 2002

A shoutbox is a fun tool webmasters put on their site that allows them to receive feedback from users quickly. By typing in their name, site URL and message, users can post comments, suggestions, praise, flames, etc. onto the shoutbox, and it will be seen by everyone that visits the site within seconds.


Impact
-----------------------
Endity.com's shoutBOX script allows users to inject code that gets executed every time the shoutbox is viewed. Since shoutboxes are usually placed on the front page, where everyone sees them, this creates a problem for webmasters. Users can inject code that pops up windows displaying other sites, pops up message boxes, places iframes that load other pages in place of the shoutbox, displays huge messages, and executes other JavaScript. Remote command execution may also be possible. There is currently only one version out, so if you downloaded it from their site and are running it, you are vulnerable!


Exploit
-----------------------
This problem occurs because the $site variable, which holds the website URL users are supposed to enter when they post, does not get stripped of HTML tags. Therefore, instead of a URL, users can put in malicious HTML code. In order for it to work, users must first close the <a href> tag that $site is being put into, like so:

In the Site URL text box, type in

"></a><a href="

You must have "></a> at the beginning and <a href=" at the end; make sure you keep the quotes. In between those tags you can enter any HTML code or JavaScript you wish, and when you post it, it will be added to the shoutbox and therefore executed by every person that sees the shoutbox. Here's a quick example of a simple annoying trick:

"></a>delusion 0wnz!!<a href="

If you put that as your URL and post it on a vulnerable shoutbox, it will display "delusion 0wnz!!" in huge letters.

There are many ways you can use this; play around with it, and share any cool things you find out. If you get it to execute Linux commands, please let me know.


Solution
-----------------------
The solution is very simple. The problem occurs in board.php around line 74; here's what it looks like:

// $name is cleaned of HTML tags before it is used
$name = strip_tags($name,"");

// $site is placed straight into the href attribute without any filtering
if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
}
....

// $info (the message body) is cleaned of HTML tags as well
$info = strip_tags($info,"");


As you can see, $name and $info get stripped of all HTML tags, but $site does not; that's why there is this problem. The solution is simple though. Simply add $site = strip_tags($site,""); before

if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
}

so it would look like this:

$name = strip_tags($name,"");
// the fix: strip HTML tags from $site as well, before it is used in the link
$site = strip_tags($site,"");

if ($site == "http://") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} elseif ($site == "") {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
} else {
    $name_link = "<a href=\"$site\" target=\"new\">$name</a>";
}

Now HTML tags will no longer appear in the $site variable, and everything should be OK... for now >;)
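As an added example (not the shoutBOX code), here is the same link-building step written two ways: as the advisory describes board.php, and hardened so that neither the name nor the URL can leave its HTML context. strip_tags() removes tags but does not encode quotes, so the hardened version encodes with htmlspecialchars(ENT_QUOTES) and only links absolute http/https URLs. The function names and the sample input are constructed for this illustration.

```php
<?php
// Added example, not endity.com's board.php. Same link-building step as the
// advisory describes, then a hardened version. Function names and the sample
// input are constructed for this illustration.

// Constructed sample input: the payload quoted in the advisory.
$name = 'visitor';
$site = '"></a>delusion 0wnz!!<a href="';

// As in board.php: $name is tag-stripped, $site goes into the href verbatim,
// so a double quote in $site closes the attribute and the rest is parsed as markup.
function name_link_original(string $name, string $site): string
{
    $name = strip_tags($name, "");
    return '<a href="' . $site . '" target="new">' . $name . '</a>';
}

// Hardened: strip_tags() only removes <...> sequences and leaves quotes alone,
// so it is not sufficient for a value placed inside an attribute. Instead,
// only link absolute http/https URLs, and HTML-encode both values for their
// context (ENT_QUOTES turns '"' into &quot;, so neither can leave it).
function name_link_safe(string $name, string $site): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

    $scheme = strtolower((string) parse_url($site, PHP_URL_SCHEME));
    $isUrl  = filter_var($site, FILTER_VALIDATE_URL) !== false
           && in_array($scheme, ['http', 'https'], true);
    if (!$isUrl) {
        // Empty box, bare "http://" or junk: show the name without a link.
        return $safeName;
    }

    $safeSite = htmlspecialchars($site, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safeSite . '" target="new">' . $safeName . '</a>';
}

// Compare what each version emits for the advisory's payload and for a
// legitimate URL that contains a character (&) which must be encoded in HTML.
echo name_link_original($name, $site), "\n";
echo name_link_safe($name, $site), "\n";
echo name_link_safe($name, 'http://example.com/?a=1&b=2'), "\n";
```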


-----------------------
Vulnerability brought to you by, delusion
http://digital-delusions.dyn.ee

