Recub Version 1.0

RECUB Features:
1. RC4-encrypted reverse connect shell for XP, 2k, 2003.
2. Bypasses firewalls by starting a new instance of Internet Explorer and injecting code.

And many more.
 


Date: 23/12/03
Product : miniBB 1.7 (latest) and earlier
Vendor : www.minibb.net
Discovered By : Chintan Trivedi - chesschintan [at] hotmail.com


 

============================================================
Advisory by Eye On Security Research Group - India www.eos-india.net
============================================================

1...............................................................Product
2................................................................Vendor
3.........................................................Vulnerability
4.........................................................About Product
5..............................................Details of vulnerability
6...............................................................Exploit
7..............................................................Solution
8...............................................................Credits


1. Product
==========

miniBB 1.7 (latest) and earlier


2. Vendor
=========

www.minibb.net


3. Vulnerability
================

Cross Site Scripting vulnerability in bb_func_usernfo.php


4. About miniBB
===============

(direct quote from www.minibb.net)

miniBB ("minimalistic bulletin board") is a flat linear (non-tree) version of
a highly customizable bulletin board. It inherits the most popular features from
the bulletin boards the planet has at this moment, with one exception: it is
very small in size (2-5 times smaller than usual boards), very fast and
FREE. Mostly miniBB is designed for small and medium Internet sites, but it
can also be used in large projects.


5. Details of vulnerability
===========================

bb_func_usernfo.php contains code that takes data from the "minibb_users" table
and displays information about the requested user. The code for displaying
the website name of any user in bb_func_usernfo.php is as follows:

if ($row[6]!='') $row[6]='<a href="'.$row[6].'" target="_blank">'.$row[6].'</a>'; else $row[6]='';

So an attacker can create a login in the forums and, in the preferences, give
his website name as http://blah.com"></a><script>somejavascriptcode</script>

Hence, when others view his profile, the inserted JavaScript code will be
executed. The actual bug lies in the "bb_edit_prf.php" file, where the
website name entered by a user in his preferences is not validated
properly.

6. Exploit
==========

Create a user in the forums with your website name as
http://blah.com"></a><script>alert(document.cookie)</script>
Now suppose your userid is 5; then just clicking
http://[target]/index.php?action=userinfo&user=5 will execute the script.

7. Solution
===========

Validate the user data when the user edits his preferences in the
"bb_edit_prf.php" file, and filter out strings like "<script>", quotes,
"cookie", etc.
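As an added illustration (not miniBB's own code), here is the concatenation pattern from section 5 next to a hardened version of the same output step: it accepts only http(s) URLs and HTML-escapes the value once on output, which stops a stored value from becoming markup regardless of any keyword blacklist. The function names, the scheme check and the rel attribute are assumptions made for this example.

```php
<?php
// Added illustration, not code from miniBB. $website stands for the value
// read from $row[6] (the user's "website" field in the minibb_users table).

// The pattern from the advisory: the stored value is concatenated straight
// into an attribute and into the link text, so a quote breaks out of href
// and whatever follows is rendered as HTML.
function render_website_vulnerable(string $website): string
{
    if ($website === '') {
        return '';
    }
    return '<a href="' . $website . '" target="_blank">' . $website . '</a>';
}

// Hardened version (assumed fix): accept only http(s) URLs, then HTML-escape
// the value once on output. The scheme check is the validation step the
// advisory asks for in bb_edit_prf.php; the escaping is what actually keeps
// a stored value from becoming markup, and it does not depend on spotting
// particular words such as "<script>" or "cookie".
function render_website_safe(string $website): string
{
    if ($website === '') {
        return '';
    }
    // Reject javascript:, data: and other non-web schemes.
    if (!preg_match('#^https?://#i', $website)) {
        return '';
    }
    // ENT_QUOTES encodes both " and ', so the value cannot end the attribute;
    // < and > become &lt; and &gt;, so no tag can be opened in the link text.
    $safe = htmlspecialchars($website, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $safe . '" target="_blank" rel="noopener">' . $safe . '</a>';
}

// Constructed input: the value from section 6 of the advisory.
$stored = 'http://blah.com"></a><script>alert(document.cookie)</script>';

echo render_website_vulnerable($stored), "\n"; // emits a live <script> tag
echo render_website_safe($stored), "\n";       // &quot; and &lt;script&gt; stay inert text
echo render_website_safe('javascript:alert(1)'), "\n"; // rejected: prints an empty line
```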


8. Credits
==========

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye on Security Research Group - India " - www.eos-india.net

XSS Bug in XOOPS 1.0.5.1
Mambo Open Source 4.0.14 Webserver SQL injection.
Ltrace buffer overrun bug.

06.05.2004: Pound <=1.5 remote format string exploit (public version)
01.05.2004: X-Chat 1.8.0 - 2.0.8 Remote Exploit
06.04.2004: Monit <= 4.2 Basic Authentication - Username overflow remote root exploit
28.03.2004: Ethereal 0.10.0-0.10.2 IGAP Dissector Message Overflow Remote Root Exploit
02.03.2004: PSO-Proxy 0.9 PoC Remote Exploit