[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] ASPListPics

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: [Full-disclosure] ASPListPics
From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Date: Fri, 9 Jun 2006 12:56:01 -0700

- EXPL-A-2006-003 exploitlabs.com Retro Advisory 001 -

                             - ASPListpics -




RETRO-RELEASE DATE:
===================
Nov 11, 2004

Duplicate Release: June 06, 2006
by: r0t
http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html
http://secunia.com/advisories/20517/


OVERVIEW
========
ASPListpics is a highly configurable ASP application that automatically
generates fast thumbnail web indexes of images in a folder structure.



AFFECTED PRODUCTS
=================
ASPListpics 4.x
http://www.iisworks.com



DETAILS
=======
1. XSS ( persistant )



PROOF OF CONCEPT LINKS AND RETRO-POC
=====================================
1. XSS ( Cross Site Scripting )

There is persistant XSS inclusion in the "comments"
feature of ASPListpics in the following:

field "name"
field "comment"

By embedding various types of XSS into the comment
section, we are able to render javascript in the
users browser.

below is a simple PoC ( Proof of Concept )

enter into the "comments" section malicious script.
comment: ohno<iframe src="http://whatismyip.com";></iframe>ouch

and is rendered as:

HTTP://[VUNERABLEHOST]/listpics/listpics.asp?a=rate&ID=[PICID]&Info=<SCRIPTING HERE >9000|0




CREDITS
=======
r0t - http://pridels.blogspot.com/2006/06/asp-listpics-43-xss-vuln.html



RETRO-CREDITS
=============
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs. At the original time
of discovery and retro-release date, the author was
not aware of any other advisories or patches available.

Retro-Advisories are released when either the same research
is released by a 3rd party, old private research that is no longer
active, or the product has been patched due to Vendor updates
before a formal Exploitlabs advisory was released to the public.


Donnie Werner
wood@xxxxxxxxxxxxxxx
morning_wood@xxxxxxxxxx

--
web: http://exploitlabs.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] SSL VPNs and security
Next by Date: [Full-disclosure] rPSA-2006-0099-1 openldap openldap-clients openldap-servers
Previous by thread: Re: Antw: [Full-disclosure] [SECURITY] [DSA 1034-1] New horde2 packages fixseveral vulnerabilities
Next by thread: [Full-disclosure] rPSA-2006-0099-1 openldap openldap-clients openldap-servers
Index(es):
- Date
- Thread