____________________________________________________________________________
____________________________________________________________________________

01010111 01001001 01010010 01000101 01000100  01010011 ->
01000101 01000011 01010101 01010010 01001001  01010100 ->
01011001                                                      

____________________________________________________________________________
ADVISORY: SF-Shoutbox 1.2.1 <= 1.4 HTML/JS Injection Vulnerability
____________________________________________________________________________

_____________________
|| 0x00: ABOUT ME
|| 0x01: DATELINE
|| 0x02: INFORMATION
|| 0x03: EXPLOITATION
|| 0x04: GOOGLE DORK
|| 0x05: RISK LEVEL

____________________________________________________________
____________________________________________________________

_________________
|| 0x00: ABOUT ME

Author: SkyOut
Date: November 2007
Website: http://wired-security.net/

_________________
|| 0x01: DATELINE

2007-11-02: Bug found
2007-11-03: Advisory released

____________________
|| 0x02: INFORMATION

The Shoutbox software provided by Script-Fun.de is vulnerable to HTML
and JavaScript injection. It is possible to execute code or manipulate
the whole page. The fields for "Name" and "Shout" are not sanitized and
therefore both can be manipulated with malicious content.

_____________________
|| 0x03: EXPLOITATION

No exploit is needed to test this vulnerability. You just need a working
web browser.

1: HTML Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input HTML code into the Name and/or Shout field. To make the whole shouts
being overlayed by your website you simple put

<meta http-equiv="refresh" content="0; URL=http://example.com/">

into the field(s)!

2: JavaScript Injection

Go to the main page of the Shoutbox software, normally located at "main.php"
and input the needed JavaScript code into the Name and/or Shout field. For
example a simple popup could be constructed by inputting

<script>alert("XSS");</script> ...

If you manipulate both fields the code will be executed twice. The more often
you do this, the more often the code will be executed.

____________________
|| 0x04: GOOGLE DORK

intext:"SF-Shoutbox"

___________________
|| 0x05: RISK LEVEL

I would consider this a low critical vulnerability as this software is not
widely used. Nevertheless in bad cases an attacker could manipulate different
sites to show up his page, which then could try to attack the users browser
with common exploits, similar to IFrame injection.

<!> Happy Hacking <!>

____________________________________________________________________________
____________________________________________________________________________

EOF