HC's Capture the Flag website
25C3-CTF
Advisory #95
From team h4ck!nb3rg
New advisory by : churchy
Affected service(s): ultrashare
Severity [lmh] : low
How is the atmosphere there in Berlin? Are many people watching the local teams or the operators?
===== Problem =====
The script "test.rb" is not validating and escaping values that are read from the DB and is therefore vulnerable to XML injection attacks. If there is an XML structure stored in the DB, as any user can do for example by choosing a user name containing XML structures, the user can manipulate the resulting XML structure from "test.rb".
This can trick any script that uses the output XML structure for further processing. Choose for example a username like: parsers</username><files><file id='haha'>flax.txt</file></files></user></users></tests></testrun><!--
===== Impact =====
As described above, the XML structure can be manipulated. For example there can be users or files inserted that do not really exist in the DB.
===== Fix =====
When saving values in the DB (for example a username) values like "<" or ">" need to be escaped. Do for example:
user = user.gsub("<","&lt;")   # gsub returns a new string, so keep the result
user = user.gsub(">","&gt;")
Rating
[1] Just a small test script, but you're right. This is a bug.
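
Added example (not part of the advisory and not code from ultrashare or test.rb): the username from the Problem section rendered once without and once with escaping, and what a consumer of the XML would then report as the user's files. The element layout is an assumption inferred from the closing tags in that username; render_user, reported_files and xml_escape are hypothetical names. It escapes when the XML is written rather than when the value is saved, and it also covers "&" and quotes.

```ruby
# Added example: the element layout is an assumption inferred from the
# closing tags in the advisory's sample username, not test.rb itself.
XML_ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
  '"' => "&quot;", "'" => "&apos;"
}.freeze

# Escape a value for XML text or attribute context. "&" is part of the
# set so that already-escaped input cannot be turned back into markup.
def xml_escape(value)
  value.to_s.gsub(/[&<>"']/, XML_ESCAPES)
end

# Render one user record. files is a list of [id, name] pairs from the DB.
def render_user(username, files, escape: true)
  enc = escape ? method(:xml_escape) : ->(v) { v.to_s }
  file_xml = files.map { |id, name|
    "<file id='#{enc.call(id)}'>#{enc.call(name)}</file>"
  }.join
  "<testrun><tests><users><user>" \
    "<username>#{enc.call(username)}</username>" \
    "<files>#{file_xml}</files>" \
    "</user></users></tests></testrun>"
end

# What a naive consumer of the output would report as this user's files.
def reported_files(xml)
  xml.scan(%r{<file id='[^']*'>([^<]*)</file>}).flatten
end

# Username from the advisory; the account owns no files in the DB.
NAME = "parsers</username><files><file id='haha'>flax.txt</file></files>" \
       "</user></users></tests></testrun><!--"

UNSAFE = render_user(NAME, [], escape: false)
SAFE   = render_user(NAME, [], escape: true)

puts reported_files(UNSAFE).inspect  # a file that is not in the DB
puts reported_files(SAFE).inspect    # nothing injected
```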