Snitz Forums 2000
 Bug+Fix: Cross-Site Scripting in v3.4.05

tHeCrEw
Starting Member

1 Posts

Posted - 29 October 2005 :  06:23:18
Hello,

I would like to report a cross-site scripting vulnerability in version 3.4.05. A vulnerability example is shown below.

http://Snitzforum2Kserver/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1
&Forum_Title=General+chat&type="><script>alert(12345)</script>


Thanks

tHeCrEw (h4xorCrew@gmail.com)



Edited by - Davio on 26 September 2006 05:41:34

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 29 October 2005 :  14:27:04
In post.asp find the following code. Should be around line 499.
"              <input name=""Type"" type=""hidden"" value=""" & Request.QueryString("type") & """>" & vbNewLine & _
Change it to this:
"              <input name=""Type"" type=""hidden"" value=""" & strRqType & """>" & vbNewLine & _
This and surrounding code looks like this:
Response.Write	">" & vbNewLine & _
		"              <input name=""ARCHIVE"" type=""hidden"" value=""" & ArchiveView & """>" & vbNewLine & _
		"              <input name=""Method_Type"" type=""hidden"" value=""" & strRqMethod & """>" & vbNewLine & _
		"              <input name=""Type"" type=""hidden"" value=""" & strRqType & """>" & vbNewLine & _
		"              <input name=""REPLY_ID"" type=""hidden"" value=""" & strRqReplyID & """>" & vbNewLine & _
		"              <input name=""TOPIC_ID"" type=""hidden"" value=""" & strRqTopicID & """>" & vbNewLine & _
		"              <input name=""FORUM_ID"" type=""hidden"" value=""" & strRqForumId & """> " & vbNewLine & _
		"              <input name=""CAT_ID"" type=""hidden"" value=""" & strRqCatID & """>" & vbNewLine

In post.asp find the following code. Should be around line 74.
if Request.QueryString("REPLY_ID") <> "" then
	if IsNumeric(Request.QueryString("REPLY_ID")) = True then
		strRqReplyID = cLng(Request.QueryString("REPLY_ID"))
	else
		Response.Redirect("default.asp")
	end if
end if
And add the following code after it:
if Request.QueryString("type") <> "" then
	if strRqMethod = "URL" or strRqMethod = "EditURL" then
		strRqType = 1
	else
		strRqType = 0
	end if
end if
This and surrounding code should look like this:
if Request.QueryString("REPLY_ID") <> "" then
	if IsNumeric(Request.QueryString("REPLY_ID")) = True then
		strRqReplyID = cLng(Request.QueryString("REPLY_ID"))
	else
		Response.Redirect("default.asp")
	end if
end if
if Request.QueryString("type") <> "" then
	if strRqMethod = "URL" or strRqMethod = "EditURL" then
		strRqType = 1
	else
		strRqType = 0
	end if
end if
strCkPassWord = Request.Cookies(strUniqueID & "User")("Pword")

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 29 October 2005 :  14:29:39
That is the easiest way to fix the problem. The "Type" variable shouldn't be needed in the url when creating a new forum or url. It can be easily determined by the "Method" variable. This will be fixed in the next Snitz Forums version.

Support Snitz Forums
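
The effect of the reported query string and of the fix, as an added example that is not Snitz code and not part of any post in this thread: a Python model of the hidden "Type" field, rendered three ways and then parsed to see which tags a browser-style parser finds. The function names are assumptions of this example, and render_encoded shows a general alternative (HTML-encoding on output) rather than the fix posted above.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed request, built from the URL in the report above.
REPORT_URL = ('http://Snitzforum2Kserver/post.asp?method=Topic&FORUM_ID=1&CAT_ID=1'
              '&Forum_Title=General+chat&type="><script>alert(12345)</script>')

FIELD = '<input name="Type" type="hidden" value="{}">'

def query(url):
    # Lower-case the keys: ASP's Request.QueryString lookup is case-insensitive.
    return {k.lower(): v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render_vulnerable(q):
    # Models the 3.4.05 line: the raw query value is concatenated into the attribute.
    return FIELD.format(q.get("type", ""))

def render_fixed(q):
    # Models the posted fix: the value is derived from "method", never copied.
    if q.get("type", "") == "":
        return FIELD.format("")  # strRqType is left unset in this case
    return FIELD.format(1 if q.get("method") in ("URL", "EditURL") else 0)

def render_encoded(q):
    # General alternative (assumption, not the thread's fix): encode on output.
    return FIELD.format(escape(q.get("type", ""), quote=True))

class TagAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags, self.type_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "Type":
            self.type_value = attrs.get("value")

def audit(html):
    """Return (start tags seen, value of the Type field) as a parser sees them."""
    parser = TagAudit()
    parser.feed(html)
    parser.close()
    return parser.tags, parser.type_value
```

Only the unpatched rendering yields a second start tag; the patched form always emits 0 or 1, and the encoded form keeps the whole string inside the attribute value.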

MarcelG
Retired Support Moderator

Netherlands
2625 Posts

Posted - 29 October 2005 :  16:21:32
I'd like to say thanks to the guys from 'tHeCrEw'!
Whitehats; gotta love them

portfolio - linkshrinker - oxle - twitter

taropatch
Average Member

USA
741 Posts

Posted - 30 October 2005 :  00:05:26
Is this the first (only) bug fix for 3.4.05?

Bassman
Junior Member

Netherlands
256 Posts

Posted - 30 October 2005 :  05:31:47
Thanks for the update.

dpschaefer
Starting Member

13 Posts

Posted - 01 November 2005 :  06:47:16
Is there any way to make this post.asp file downloadable? I'm just thinking it would be easier for people than having them going in and editing code (not everyone is projock like Davio)...

-Dave

Podge
Support Moderator

Ireland
3775 Posts

Posted - 01 November 2005 :  08:08:34
There is no guarantee that people's post.asp is not already modified i.e. they may have mods installed, in which case they will have no choice but to apply the changes manually. There's not a lot involved in doing that anyway.

Podge.

The Hunger Site - Click to donate free food | My Blog | Snitz 3.4.05 AutoInstall (Beta!)

My Mods: CAPTCHA Mod | GateKeeper Mod
Tutorial: Enable subscriptions on your board

Warning: The post above or below may contain nuts.

dpschaefer
Starting Member

13 Posts

Posted - 01 November 2005 :  09:03:00
Actually, after adding my own mods, the robustness of adding the code is actually better. Also it doesn't take much to cut and paste, I just have to be careful. Think I answered my own question.

webshark
Starting Member

1 Posts

Posted - 14 November 2005 :  06:22:01
Hi Guys

When is the next revision of the software due? I noticed that the current version is 3.4.05 which is the one the post.asp bug affects.

I'm not a user of the software yet but hopefully will be soon and want to ensure what I download is secure without possibly missing a patch.

Thanks
Paul

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 14 November 2005 :  17:27:21
quote:
When is the next revision of the software due?
There is no set date at the moment.
quote:
I noticed that the current version is 3.4.05 which is the one the post.asp bug affects. I'm not a user of the software yet but hopefully will be soon and want to ensure what I download is secure without possibly missing a patch.

There is only 1 security bug in the 3.4.05 version which is this one you are viewing. If you are ever in doubt, just keep an eye on the security forum: http://forum.snitz.com/forum/forum.asp?FORUM_ID=118

Support Snitz Forums

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 07 March 2006 :  19:47:04
Fixed in version 3.4.06

Support Snitz Forums