- EXPL-A-2005-013 exploitlabs.com Advisory 042 - - mimicboard2 -

AFFECTED PRODUCTS

mimicboard2 #086 < and lower
http://www.chitta.com/nobu/download/#mimic2

OVERVIEW

Mimic2 is an HTML open-forum type of blog, tailored in particular to the Japanese market (and is very popular).

DETAILS

1. XSS

Mimic2 does not properly filter malicious script content. XSS may be inserted in the name, title and comment sections, and is persistent in nature. The malicious script is then rendered upon visitation and is executed in the context of the user's browser.

2. Information disclosure

http://[host]/mimic2.dat is viewable via the webroot and has no protection by default. mimic2 stores data in this file consisting of:

a. administrator passwords
b. user information including referrer IP address, message content and password if one was used in the post.

POC

1. Input malicious iframe script into the comment, title and name sections.

   http://[host]/mimic2.cgi
   eg: <iframe src="[attacker url]"></iframe>

2. The password(s) are easily crackable as evidenced by:

   mimic2.dat

   echo mimic board2:Fdtr67zbisXVA:13 >mimic2.txt
   john -w:password.lst mimic2.txt
   Loaded 1 password (Standard DES [24/32 4K])
   password         (mimic board2)

SOLUTION

vendor contact: [EMAIL PROTECTED] Aug 24, 2005
no response as of Sept 8, 2005

Credits

This vulnerability was discovered and researched by Donnie Werner of exploitlabs

mail: wood at exploitlabs.com
mail: morning_wood at zone-h.org
web: http://exploitlabs.com
web: http://zone-h.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
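The stored XSS above exists because user-supplied name, title and comment fields are written back into the page as raw HTML. The following is an added illustration of the defensive fix, output encoding, and is not code from the advisory or from the Mimic2 project; the post structure, field names and the sample payload (modelled on the advisory's iframe PoC, with a placeholder host) are constructed for this example.

```python
import html

# Constructed sample post (not real forum data): the name field carries an
# iframe like the advisory's PoC, the comment carries an inline script.
SAMPLE_POST = {
    "name": '<iframe src="http://attacker.example/"></iframe>',
    "title": "hello board",
    "comment": "<script>alert(1)</script> nice board",
}


def escape_field(value: str) -> str:
    """Encode <, >, &, " and ' so stored text is displayed as text, never parsed as markup."""
    return html.escape(value, quote=True)


def render_post(post: dict) -> str:
    """Build the HTML fragment for one post, encoding every user-controlled field on output.

    Encoding at render time (rather than only filtering on input) also protects
    entries that were stored before any filter existed.
    """
    return (
        f'<div class="post"><b>{escape_field(post["name"])}</b>: '
        f'<i>{escape_field(post["title"])}</i>'
        f'<p>{escape_field(post["comment"])}</p></div>'
    )


def contains_active_markup(fragment: str) -> bool:
    """Crude sanity check used here only to show the encoded output carries no live tags."""
    lowered = fragment.lower()
    return any(marker in lowered for marker in ("<iframe", "<script", "javascript:"))


if __name__ == "__main__":
    rendered = render_post(SAMPLE_POST)
    print(rendered)
    print("active markup present:", contains_active_markup(rendered))
```

The raw fields still trip the crude check, while the rendered fragment shows the payload as literal text (`&lt;iframe ...&gt;`). Encoding belongs at the point where the data is written into HTML; the companion fix for the second finding is to keep mimic2.dat outside the webroot (or deny it in the web server configuration) and to stop storing post passwords in a file the server will happily serve.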