Sborg's XSS vulnerability

Demon_Z

New Member
Is it just me, or is this line dangerous in sborg's index.php?

Code: <?php if(!empty($_GET['del_msg'])) echo base64_decode($_GET['del_msg']); ?>

Proof of concept:

Code: http://domain.com/sborg/index.php?del_msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ+

I'm no coder, but does it saying get del_msg mean that an error/delete box will appear with a message?

Also, your proof of concept just shows a 404 error.

Dean2k, of course you get a 404 error, you are meant to replace domain.com with YOUR sBorg (sub)domain.

As for masterb56's post, I'm not much of a PHP expert, but as far as I know echo() will only echo the text/code within the message to the HTML source, meaning if you were to send PHP code, it wouldn't be executed. On the other hand, it may be possible to manipulate the HTML by sending wrong/malicious HTML/JAVA code, but it won't be saved; it will only be visible once, when the message is sent.

Right? Not really going to explain how to do XSS, just want to point out the problem. I'm the only person who uses the sBorg on my server, but was wondering if this might create problems with resellers etc...

Yes, this could be a problem if someone is a genius..

Let me put it like this.. Each message has an id.. The id is randomized.. So once the id is made it is encoded into base64.. Base64 can be decoded, but who's gonna sit there and try to figure out the id number..

It would take years to delete a message.. In PHP code, eval = BAD, echo = OK.

Echo means you are outputting data to the user. So yes, you can pass JavaScript code to the user through it. But would anyone care to explain why I would click on MY sBorg link if it looks like

Code: http://somik.a.sborg.us/sborg/index.php?del_msg=PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ+

I mean just the link looks suspicious enough not to click, especially when I know my sBorg URL is

Code: http://somik.a.sborg.us/sborg/

Btw, yes, you can edit your index page's HTML and PHP code so you can make whatever changes you like to it (which is much more dangerous than a simple echo statement that requires the user to click on a suspicious link!)
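A hardened form of the index.php line quoted at the top of the thread, added here as an example and not taken from sBorg's source. It assumes del_msg is only ever meant to carry a short status message, so it decodes strictly, drops anything that is not plain text, and HTML-escapes before echoing; the thread's proof-of-concept value therefore renders nothing.

```php
<?php
// Added example, not sBorg's own code. The thread's line boils down to
//   echo base64_decode($_GET['del_msg']);
// which writes visitor-controlled bytes straight into the HTML. The hardened
// version below assumes del_msg only ever carries a short status message.

function render_del_msg(?string $raw): string
{
    if ($raw === null || $raw === '') {
        return '';
    }
    // Strict decode: malformed base64 is rejected instead of silently "fixed".
    $decoded = base64_decode($raw, true);
    if ($decoded === false) {
        return '';
    }
    // Allow-list: short, plain text only. Anything containing angle brackets,
    // quotes or control characters (such as the thread's payload) is dropped.
    if (strlen($decoded) > 200
        || !preg_match('/^[\p{L}\p{N} .,!?-]+$/u', $decoded)) {
        return '';
    }
    // Escape on output so the remaining text is inert inside HTML.
    return htmlspecialchars($decoded, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a legitimate status message, and the del_msg value from
// the thread's proof-of-concept URL (it decodes to a script tag).
$legit   = base64_encode('Message deleted.');
$payload = 'PHNjcmlwdD5hbGVydCgneHNzJyk7PC9zY3JpcHQ+';

// Drop-in replacement for the original echo: the payload fails the allow-list
// and yields an empty string, so nothing reaches the page.
echo render_del_msg($legit), "\n";
echo render_del_msg($payload), "\n";
echo render_del_msg($_GET['del_msg'] ?? null), "\n";
```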
