GOOP Gallery 'image' param Cross-site scripting

Monday, October 16, 2006
################################################
GOOP Gallery 'image' param Cross-site scripting
Vendor url:http://www.webgeneius.com
Advisore:http://lostmon.blogspot.com/2006/10/
goop-gallery-image-param-cross-site.html
Vendor notify: YES Exploit available: YES
securitytracker:1017081
Secunia: SA22258
BID:20554
################################################



GOOP Gallery contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' param upon submission to index.php script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

################
Versions
################

GOOP Gallery 2.0 vulnerable
GOOP Gallery 2.0.3 not Vulnerable

################
Solution
################

Upgrade to GOOP gallery 2.0.3as soon as possible.

http://webgeneius.com/index.php?mod=blog&id=49

Download GG2.0.3:
http://webgeneius.com/downloads/gg2.0.3.zip

################
Timeline
################

Discovered:09-10-2006
Vendor notify:14-10-2006
Vendor response:15-10-2006
Vendor Fix: 16-10-2006
Disclosure: 16-10-2006

##############
Example
##############

http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]

http://Victim/goopgallery/index.php?gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]

######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

osCommerce multiple Scripts 'page' param XSS

Tuesday, October 03, 2006
###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303
Advisore: http://lostmon.blogspot.com/2006/10/
oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
OSVDB ID:29795,29796,29797,29798,29799,29800,
29801,29802,29803,29804,29805,29806,
29807,29808
Securitytracker:1016979
BID:20343
Secunia:SA22275
FrSIRT: FrSIRT/ADV-2006-3917
###############################################


osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'page' param upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.

The same situation is done in 'admin/geo_zones.php' but with
param 'zpage'.



####################
vERSIONS
####################

osCommerce 2.2 Milestone 2 Update 060817

####################
SOLUTION
####################

no solution was available at this time.


#######################
VULNERABLE CODE
#######################

Arround the line 30 in banner_manager.php we


tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
$HTTP_GET_VARS['bID']));



the page param is called directly , not sanitize.
arround line 115 we have a similar situation ,
we GET page param without sanitice in any GET request.

In all of scripts vulnerables, we have the same situation,
but with diferent code

####################
scripts vulnerables
####################

admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php

####################
Timeline
####################

Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006

####################
EXAMPLES
####################

http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
http://localhost/catalog/admin/countries.php?page=1[XSS-code]
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]
http://localhost/catalog/admin/languages.php?page=1[XSS-code]
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]
http://localhost/catalog/admin/specials.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
http://localhost/catalog/admin/zones.php?page=1[XSS-code]

this is a simple evil url but we can do some moore elaborate url
in conjuncion with other archives not vulnerables... like this:



http://localhost/catalog/admin/categories.php?action=new_product_preview
&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]



######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Panda ActiveScan XSS vulnerability

Wednesday, August 09, 2006
################################################
Panda ActiveScan XSS vulnerability
Vendor urL:http://www.pandasoftware.es or .com
Advisore:http://lostmon.blogspot.com/2006/08/
panda-activescan-xss-vulnerability.html
vendor notify:yes exploit available:yes
OSVDB ID:29147
Securitytracker:1016696
BID:19471
################################################

Panda ActiveScan contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'email' variable upon submission to the ascan_6.asp
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading
to a loss of integrity.

##########
versions:
##########

Panda ActiveScan 5.53.00

##########
Solution:
##########

Panda has release a new version of ActiveScan
at 14-08-2006

#########
timeline:
#########

discovered : 01-08-2006
vendor notify :05-08-2006
vendor response :14-08-2006
vendor fix:14-08-2006
disclosure:9-08-2005

################
test
################



http://www.pandasoftware.com/activescan/activescan/
ascan_6.asp?IdLang=2&Idvendor=17490&Idpais=63&email=
Lostmon@gmail.com%22%3E%3Cscript%3Ealert%28%27XSS%20
Vulnerability%27%29%3C/script%3E%26&pais=62&
provincia=9&tipousuario=0&enviar=1&ode=0#


######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Multiple Vulnerabilities in PHPMailList 1.8.0

Wednesday, July 05, 2006
########################################################
Multiple Vulnerabilities in PHPMailList 1.8.0
Vendor url: http://php.warpedweb.net/
Advisore:http://lostmon.blogspot.com/2006/07/
multiple-vulnerabilities-in.html
VEndor notify:yes Explotation include:yes
osvdb id:27016,27017,27018
Securitytracker:1016439
BID:18840
FrSIRT: FrSIRT/ADV-2006-2690
########################################################

################
Description
################

PHPMailList is a powerful, yet simple to use, email announcement script.
It allows people to subscribe/unsubscribe through a web-based form,
checking for valid addresses.The web-based administration module allows
the owner to send messages to the list, subscribe/unsubscribe people,
view the list of subscriber, and configure the script.Installation is
simple, and configuration of confirmation messages, welcome messages
and goodbye messages, as well as signatures are all maintained through
the password protected administration section.

PHPMailList have multiple vulnerabilities like XSS. information disclosure
Plain text administrator username/password disclosure.

##############
versions
##############

PHPMaiLlist 1.8.0 and prior versions


#####################
Cross site scripting
#####################

PHPMailList have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate poperly the
input parsed in the email field upon submission to '/maillist.php'
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.


######################
Information disclosure
######################

direct request to file 'list.dat' reveal all email address of all suscribers.

Direct request to file 'ml_config.dat' reveal all configuration information.

#####################################
Plain text administrator disclosure:
#####################################

Direct request to file 'ml_config.dat' reveal in the first line
the admin username and in the second the admin password in plain text

######################
Timeline
######################

Discovered: 06-jun-2006
Vendor notify:No have a forum and no have a mail address...
vendor response:-------
Disclosure:06-jul-2006

######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends