List: bugtraq
Subject: [waraxe-2004-SA#024 - XSS and full path disclosure in Network
From: Janek Vind <come2waraxe@yahoo.com>
Date: 2004-04-23 23:47:31
Message-ID: 20040424012002.1730.qmail@www.securityfocus.com
{================================================================================}
{ [waraxe-2004-SA#024] }
{================================================================================}
{ }
{ [ XSS and full path disclosure in Network Query Tool 1.6 ] }
{ }
{================================================================================}
Author: Janek Vind "waraxe"
Date: 23. April 2004
Location: Estonia, Tartu
Web: http://www.waraxe.us/index.php?modname=sa&id=24
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This script takes a given hostname or IP address and attempts to
look up all sorts of information about that address. Basically
it does what network-tools.com does, without all the ads and ASP :)
COPYRIGHT shaun@shat.net
Homepage: http://www.shat.net/php/nqt/
Vulnerabilities:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A. Full path disclosure:
A1 - unchecked user-submitted variable "portNum"
If we make an HTTP request like this:
http://localhost/nqt.php?target=foobar.com&queryType=all&portNum=foobar
... then we will see a standard PHP error message, revealing the full path to the script:
Warning: fsockopen() expects parameter 2 to be long, string given in D:\apache_wwwroot\nqt.php on line 305
Port foobar does not appear to be open.
The reason is that the script does not validate portNum, which must be an integer in the range 1..65535, before passing it to fsockopen().
B. Cross-site scripting aka XSS
B1 - XSS through the unsanitized user-submitted variable "portNum"
http://localhost/nqt.php?target=foobar.com&queryType=all&portNum=foobar[xss code here]
The supplied value is echoed back unescaped in the "Port ... does not appear to be open." message, so any HTML or script in it is rendered by the browser.
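Both A1 and B1 come from the same missing control on the same variable, so one added example covers both. This is not code from nqt.php (its source is not on this page): it reconstructs the pattern the advisory describes, portNum flowing unchecked into fsockopen() and then into the HTML response, beside a hardened version that validates the port as an integer in 1..65535 before use and HTML-encodes anything it reflects. The function names, the $probe callback that stands in for fsockopen() so the script runs offline, and the sample inputs are all constructed for this example (PHP 8.0+ syntax).

```php
<?php
declare(strict_types=1);

// Added example, not code from nqt.php (its source is not on the page). It models the
// flaw the advisory describes: portNum flows unchecked into fsockopen() and is then
// echoed unescaped in "Port <portNum> does not appear to be open." The function names,
// the $probe callback (standing in for fsockopen() so this runs offline) and the sample
// inputs are constructed for this demo.

// Vulnerable shape: no type or range check on the port, no output encoding.
// On PHP 4/5 a non-numeric $portNum makes fsockopen() warn
// "expects parameter 2 to be long, string given in <absolute path> on line N",
// which display_errors=On sends to the browser (path disclosure); the raw value
// is then interpolated into the HTML response (reflected XSS).
function portResultVulnerable(string $target, string $portNum, callable $probe): string
{
    $open = $probe($target, $portNum);   // real script: fsockopen($target, $portNum, ...)
    return $open
        ? "Port $portNum is open."
        : "Port $portNum does not appear to be open.";
}

// Hardened shape, part 1: validate before use.
// FILTER_VALIDATE_INT rejects "foobar", "80abc", "1e3" and whitespace-padded junk;
// the range options enforce 1..65535, so fsockopen() only ever receives a valid int.
function validatePort(string $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

// Hardened shape, part 2: encode before output.
// Anything reflected from the request goes through htmlspecialchars() with
// ENT_QUOTES, so a rejected value like foobar<script>...</script> renders as text.
function portResultHardened(string $target, string $portNum, callable $probe): string
{
    $port = validatePort($portNum);
    if ($port === null) {
        $shown = htmlspecialchars($portNum, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        return "Invalid port \"$shown\": expected an integer between 1 and 65535.";
    }
    $open = $probe($target, $port);
    return $open
        ? "Port $port is open."
        : "Port $port does not appear to be open.";
}

// Stub probe so the example runs without network access: only port 80 is "open".
// In the real script this is fsockopen($target, $port, $errno, $errstr, $timeout).
$probe = fn(string $target, int|string $port): bool => (int) $port === 80;

// Constructed inputs: the advisory's payload shape plus a valid and an out-of-range port.
$payload = 'foobar<script>alert(1)</script>';

foreach ([$payload, '80', '70000'] as $portNum) {
    echo "vulnerable: ", portResultVulnerable('foobar.com', $portNum, $probe), PHP_EOL;
    echo "hardened:   ", portResultHardened('foobar.com', $portNum, $probe), PHP_EOL;
}
```

Run it with `php example.php` and compare the two lines printed for the payload: the vulnerable variant places the script tag verbatim in the page, the hardened one refuses the value and shows it only as encoded text. Two caveats for anyone fixing this class of bug: the path disclosure is also closed globally by setting display_errors=Off and log_errors=On in php.ini, which should be the case on any production host regardless of this script; and on PHP 8 the same fsockopen() call throws a TypeError instead of emitting a warning, so without the validation step the request ends in an uncaught-exception page that leaks the path just as readily unless error display is off.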
Greetings:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Greets to torufoorum members and to all bugtraq readers in Estonia! Greetings!
Special greets to http://www.gamecheaters.us staff!
Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
come2waraxe@yahoo.com
Janek Vind "waraxe"
Homepage: http://www.waraxe.us/
---------------------------------- [ EOF ] ------------------------------------