List:       full-disclosure
Subject:    Re: [Full-disclosure] ifnet.it WEBIF XSS Vulnerability
From:       reepex <reepex () gmail ! com>
Date:       2007-10-22 20:52:54
Message-ID: e9d9d4020710221352i214bc7d7g3e23fe91bd9bd183 () mail ! gmail ! com


SHUT UP PDP

SEND XSS TO SECURITY BASICS

On 10/22/07, SkyOut <skyout@gmx.net> wrote:
>
> -----------------------------
> || WWW.SMASH-THE-STACK.NET ||
> -----------------------------
>
> || ADVISORY: IFNET.IT WEBIF XSS VULNERABILITY
>
> _____________________
> || 0x00: ABOUT ME
> || 0x01: DATELINE
> || 0x02: INFORMATION
> || 0x03: EXPLOITATION
> || 0x04: GOOGLE DORK
> || 0x05: RISK LEVEL
> ____________________________________________________________
> ____________________________________________________________
>
> _________________
> || 0x00: ABOUT ME
>
> Author: SkyOut
> Date: October 2007
> Contact: skyout[-at-]smash-the-stack[-dot-]net
> Website: www.smash-the-stack.net
>
> _________________
> || 0x01: DATELINE
>
> 2007-10-15: Bug found
> 2007-10-15: Email with notification sent to ifnet.it
> 2007-10-21: Still no reaction from ifnet.it
> 2007-10-22: Advisory released
>
> ____________________
> || 0x02: INFORMATION
>
> In the WEBIF product by the Italian company ifnet, an error
> occurs due to the fact of an unfiltered variable (cmd) in the
> webif.exe program. It is possible to execute any JavaScript code
> by manipulating the parameter.
>
> _____________________
> || 0x03: EXPLOITATION
>
> To exploit this bug no exploit is needed, all can be done through
> manipulation of the given URL:
>
> STEP 1:
> Go to the standard page of the WEBIF product, normally existing
> at "/cgi-bin/webif.exe". You will recognize some further parameters,
> being "cmd", "config" and "outconfig".
>
> STEP 2:
> Don't change any parameter except the "cmd" one. Change its value
> to any JavaScript code you like. For our demo we will use the default
> one, being "<script>alert('XSS');</script>".
>
> STEP 3:
> Click ENTER and execute the code. A successful demonstration will
> pop up a window.
>
> EXAMPLE:
> http://example.com/webif/cgi-bin/webif.exe?cmd=<script>alert('XSS');</script>&config=[ * ]&outconfig=[ * ]
>
> [ * ] = Depends on the server. Don't change this!
>
> ____________________
> || 0x04: GOOGLE DORK
>
> inurl:"/cgi-bin/webif/" intitle:"WEBIF"
>
> ___________________
> || 0x05: RISK LEVEL
>
> - LOW - (1/3) -
>
> <!> Happy Hacking <!>
>
> ____________________________________________________________
> ____________________________________________________________
>
> THE END
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
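
Added example, not part of the original thread or advisory: a log check a defender could run to find requests where the "cmd" parameter of /cgi-bin/webif.exe carries HTML markup, which is the condition the quoted advisory describes. The access-log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters that let a reflected value leave plain-text context in HTML.
HTML_META = re.compile(r"[<>\"']")
# Request field of a combined-format access log line (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding, e.g. %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_cmd(log_line):
    """Return the decoded cmd value if a webif.exe request carries markup, else None."""
    match = REQUEST.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if not url.path.lower().endswith("/cgi-bin/webif.exe"):
        return None
    # parse_qs decodes once; fully_decode catches values encoded more than once.
    for raw in parse_qs(url.query, keep_blank_values=True).get("cmd", []):
        value = fully_decode(raw)
        if HTML_META.search(value):
            return value
    return None


# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Oct/2007:20:40:01 +0000] "GET /webif/cgi-bin/webif.exe?cmd=query&config=a&outconfig=b HTTP/1.1" 200 5120',
    '192.0.2.11 - - [22/Oct/2007:20:41:07 +0000] "GET /webif/cgi-bin/webif.exe?cmd=%3Cscript%3Ealert(%27XSS%27)%3B%3C%2Fscript%3E&config=a&outconfig=b HTTP/1.1" 200 5177',
    '192.0.2.12 - - [22/Oct/2007:20:42:13 +0000] "GET /webif/cgi-bin/webif.exe?cmd=%253Cscript%253Ealert(%2527XSS%2527)%253B%253C%252Fscript%253E&config=a&outconfig=b HTTP/1.1" 200 5177',
    '192.0.2.13 - - [22/Oct/2007:20:43:20 +0000] "GET /index.html?cmd=%3Cb%3E HTTP/1.1" 200 812',
]


def scan(lines):
    """Return (line_index, decoded_cmd) for every flagged request."""
    hits = []
    for index, line in enumerate(lines):
        value = suspicious_cmd(line)
        if value is not None:
            hits.append((index, value))
    return hits


if __name__ == "__main__":
    for index, value in scan(SAMPLE_LOG):
        print(f"line {index}: cmd={value!r}")
```

The same metacharacter set marks what the application would need to HTML-encode before echoing "cmd" back into the page.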