
List:       bugtraq
Subject:    [waraxe-2004-SA#024 - XSS and full path disclosure in Network
From:       Janek Vind <come2waraxe () yahoo ! com>
Date:       2004-04-23 23:47:31
Message-ID: 20040424012002.1730.qmail () www ! securityfocus ! com

{================================================================================}
{                              [waraxe-2004-SA#024]                              }
{================================================================================}
{                                                                                }
{         [ XSS and full path disclosure in Network Query Tool 1.6 ]             }
{                                                                                }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 23. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=24


Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This script takes a given hostname or IP address and attempts to
look up all sorts of information about that address. Basically
it does what network-tools.com does, without all the ads and ASP :)
COPYRIGHT shaun@shat.net 

Homepage: http://www.shat.net/php/nqt/


Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A. Full path disclosure:

A1 - unchecked user submitted variable "portNum"

If we make an HTTP request like this:

http://localhost/nqt.php?target=foobar.com&queryType=all&portNum=foobar

... then we will see a standard PHP error message, revealing the full path to the script:

Warning: fsockopen() expects parameter 2 to be long, string given in D:\apache_wwwroot\nqt.php on line 305 Port foobar does not appear to be open.

The reason is that the script does not check the validity of portNum, which must be an integer in the range 1..65535.

B. Cross-site scripting aka XSS

B1 - XSS through unsanitized user submitted variable "portNum"

http://localhost/nqt.php?target=foobar.com&queryType=all&portNum=foobar[xss code here]
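As an added illustration (not code from Network Query Tool itself), the pattern behind findings A1 and B1 is shown next to a hardened form in PHP; the function names and surrounding details are assumed:

```php
<?php
// Added example, not Network Query Tool's own code: the pattern behind
// findings A1 and B1 next to a hardened replacement (names are assumed).

// Vulnerable: portNum goes from the query string straight into fsockopen()
// (a non-numeric value raises a PHP warning that prints the absolute script
// path when display_errors is on) and is echoed back unescaped (reflected XSS).
function checkPortVulnerable(string $target, $portNum): string
{
    $fp = fsockopen($target, $portNum, $errno, $errstr, 3);
    if ($fp === false) {
        return "Port $portNum does not appear to be open.";
    }
    fclose($fp);
    return "Port $portNum is open.";
}

// Hardened: accept portNum only as an integer in 1..65535, escape anything
// reflected into HTML, and send connection errors to the log, not the client.
function validatePort($raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

function checkPortHardened(string $target, $rawPort): string
{
    $port = validatePort($rawPort);
    if ($port === null) {
        // The rejected value is reflected only after HTML escaping.
        $safe = htmlspecialchars((string) $rawPort, ENT_QUOTES, 'UTF-8');
        return "Invalid port \"$safe\": expected an integer from 1 to 65535.";
    }
    $fp = @fsockopen($target, $port, $errno, $errstr, 3); // target validation is out of scope here
    if ($fp === false) {
        error_log("nqt: connect to $target:$port failed ($errno): $errstr");
        return "Port $port does not appear to be open.";
    }
    fclose($fp);
    return "Port $port is open.";
}

// Deployment-side mitigation for A1 independent of the code: display_errors=Off
// and log_errors=On in php.ini, so warnings never reach the browser.
if (PHP_SAPI === 'cli') {
    var_dump(validatePort('foobar'), validatePort('80'), validatePort('70000'));
    echo checkPortHardened('localhost', '80<b>x</b>'), "\n";
}
```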



Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Greets to torufoorum members and to all bugtraq readers in Estonia! Greetings!
Special greets to http://www.gamecheaters.us staff!


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    come2waraxe@yahoo.com
    Janek Vind "waraxe"

    Homepage: http://www.waraxe.us/

---------------------------------- [ EOF ] ------------------------------------

