Oscommerce Multiple XSS in admin section

Monday, November 20, 2006
##########################################
Oscommerce Multiple XSS in admin section.
Vendor url:Http://www.oscommerce.com
Advisore:http://lostmon.blogspot.com/2006/11/
oscommerce-multiple-xss-in-admin.html
Vendor notify:YES Exploit available: YES
OSVDB ID:33212,33213,33214,33216,33217,33218,
Securitytracker:1017269
Secunia:SA22275

##########################################

osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.



####################
versions
####################

Oscommerce -2.2ms2-060817


###################
SOLUTION
###################

No solution was available at this time.


################
timeline
################

Discovered:29-10-2006
vendor notify:20-11-2006
vendor response
disclosure:21-11-2006

#################
Examples
#################

If the server have auth implemented
for exploit all of this flaws you
need to login , before.

-------------------------------
gID param in configuration.php
-------------------------------

http://[Victim]/catalog/admin/configuration.php?
gID=1">[XSS-CODE]&cID=3

--------------------------
Set param in modules.php
--------------------------

http://localhost/catalog/admin/modules.php?selected_box=modules
&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5

http://localhost/catalog/admin/modules.php?set=payment
">[XSS-CODE]&module=pm2checkout

http://localhost/catalog/admin/modules.php?set=ordertotal
&module=ot_loworderfee">[XSS-CODE]&action=edit

--------------------------------------------------
option_order_by ,value_page ,option_page ,products
_options_name in products_attributes.php
--------------------------------------------------

http://[Victim]/catalog/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=">
[XSS-CODE]&products_options_id&option_page=1

http://[Victim]/definitiva/admin/products_attributes.php?
option_order_by=products_options_id&value_page=2">[XSS-CODE]

http://[Victim]/definitiva/admin/products_attributes.php?
option_page=1&option_order_by=products_options_name">[XSS-CODE]

http://[Victim]/definitiva/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=products
_options_id&option_page=1">[XSS-CODE]

http://[Victim]/catalog/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=products
_options_id&option_page=1">[XSS-CODE]

----------------------------------------------------
lID param in languages.php
---------------------------------------------


http://localhost/definitiva/admin/languages.php?page=1&
lID=3">[XSS-CODE]&action=new

-------------------------------
selected_box,cID in customers.php
-------------------------------

http://localhost/definitiva/admin/customers.php?page=1
&cID=1[XSS-CODE]&action=edit

http://[Victim]/catalog/admin/customers.php?selected_box=
customers">[XSS-CODE]

-------------------------------
spage,zID,sID in geo_zones.php
-------------------------------

http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&
action=list&spage=1">[XSS-CODE]&sID=1&saction=edit

http://localhost/definitiva/admin/geo_zones.php?zpage=1&
zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit

http://localhost/definitiva/admin/geo_zones.php?zpage=1
&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new

######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

PHPRunner database credentials disclosure

Monday, November 13, 2006
##########################################
PHPRunner database credentials disclosure
Vendor url:http://www.xlinesoft.com/phprunner/
Advisore:http://lostmon.blogspot.com/2006/11/
phprunner-database-credentials.html
Vendor notify:yes exploit available:yes
OSVDB ID:30363
Securitytracker:1017218
Secunia:SA22863
BID:21054
##########################################



Description:

PHPRunner builds visually appealing web interface
for any local or remote MySQL, MS Access, SQL Server
and Oracle databases. Your web site visitors will be
able to easily search, add, edit, delete and export
data in your database. Advanced security options allow
to build password-protected members only Web sites
easily. PHPRunner is simple to learn so you can build
your first project in just fifteen minutes.

Vulnerability:

PHPRunner contains a flaw that allow local users
to view all credentials stored in PHPRunner for work.
This flaw exist because the aplication store the
database server, database names,users and passwords
in plain text in a file located in windows folder.
A local user could access directly to
\windows\PHPRunner.ini and obtain all information.

versions

this prove is tested on version 3.1

solution:

No solution was available at this time.

Timeline:

Discovered:21-10-2006
vendor notify:13-11-2006
vendor response:13-11-2006
disclosure:13-11-2006

example:

Open c:\windows\PHPRunner.ini



######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...