'[Full-Disclosure] XSS In mldonkey - But....'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-Disclosure] XSS In mldonkey - But....
From:       Chris Sharp <illectro2001 () yahoo ! com>
Date:       2003-10-31 19:27:45
[Download RAW message or body]

Mldonkey is an open source p2p client which supports a
load of networks, it doesn't have a built in UI, you
can telnet into it, or there's a web interface which
can be accessed from http://127.0.0.1:4080/ (or
whatever port you configure it to run on)

They've done a great job at making sure there's no XSS
issues, especially with data coming from the network.
You can inject scripts into the html error page rather
trivially using
http://127.0.0.1:4080/<script>...</script>


But who cares? There are far more dangrous things you
can do if you can make the mldonkey go to URL's for
example....
http://localhost:4080/submit?setoption=q&option=allowed_ips&value=255.255.255.255
This will unlock the IP based access control, suddenly
everyone in the world can access the search interface.


The whole control system is via http, you can search,
download, whatever all via http. If you can get the
user to go to arbitrary URL's then you can do
dangerous things directly without having to resort to
XSS, although the XSS does have some uses in terms of
automating multiple requests. 

Being really Evil is left as an exercise for the
reader.

Now, if there were some method to inject html via
responses to a p2p search, then the whole thing would
be a little more interesting. Some media files may
contain embedded URL's, that may be an interesting way
of delivering payloads across a P2P network. 

So, at the very least the web iterface should include
some referrer checking to ensure that commands aren't
being generated from untrusted pages. This is a
general problem with any application controlled via
web interfaces.

Chris



__________________________________
Do you Yahoo!?
Exclusive Video Premiere - Britney Spears
http://launch.yahoo.com/promos/britneyspears/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic