##########################################
Oscommerce Multiple XSS in admin section.
Vendor url:Http://www.oscommerce.com
Advisore:http://lostmon.blogspot.com/2006/11/
oscommerce-multiple-xss-in-admin.html
Vendor notify:YES Exploit available: YES
OSVDB ID:33212,33213,33214,33216,33217,33218,
Securitytracker:1017269
Secunia:SA22275
##########################################
osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate multiple params upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
####################
versions
####################
Oscommerce -2.2ms2-060817
###################
SOLUTION
###################
No solution was available at this time.
################
timeline
################
Discovered:29-10-2006
vendor notify:20-11-2006
vendor response
disclosure:21-11-2006
#################
Examples
#################
If the server have auth implemented
for exploit all of this flaws you
need to login , before.
-------------------------------
gID param in configuration.php
-------------------------------
http://[Victim]/catalog/admin/configuration.php?
gID=1">[XSS-CODE]&cID=3
--------------------------
Set param in modules.php
--------------------------
http://localhost/catalog/admin/modules.php?selected_box=modules
&set=payment">[XSS-CODE]&osCAdminID=034e6def71e10f0ca58029e93fd361e5
http://localhost/catalog/admin/modules.php?set=payment
">[XSS-CODE]&module=pm2checkout
http://localhost/catalog/admin/modules.php?set=ordertotal
&module=ot_loworderfee">[XSS-CODE]&action=edit
--------------------------------------------------
option_order_by ,value_page ,option_page ,products
_options_name in products_attributes.php
--------------------------------------------------
http://[Victim]/catalog/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=">
[XSS-CODE]&products_options_id&option_page=1
http://[Victim]/definitiva/admin/products_attributes.php?
option_order_by=products_options_id&value_page=2">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?
option_page=1&option_order_by=products_options_name">[XSS-CODE]
http://[Victim]/definitiva/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=products
_options_id&option_page=1">[XSS-CODE]
http://[Victim]/catalog/admin/products_attributes.php?
action=update_option&option_id=1&option_order_by=products
_options_id&option_page=1">[XSS-CODE]
----------------------------------------------------
lID param in languages.php
---------------------------------------------
http://localhost/definitiva/admin/languages.php?page=1&
lID=3">[XSS-CODE]&action=new
-------------------------------
selected_box,cID in customers.php
-------------------------------
http://localhost/definitiva/admin/customers.php?page=1
&cID=1[XSS-CODE]&action=edit
http://[Victim]/catalog/admin/customers.php?selected_box=
customers">[XSS-CODE]
-------------------------------
spage,zID,sID in geo_zones.php
-------------------------------
http://localhost/definitiva/admin/geo_zones.php?zpage=1&zID=1&
action=list&spage=1">[XSS-CODE]&sID=1&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1&
zID=2">[XSS-CODE]&action=list&spage=1&sID=2&saction=edit
http://localhost/definitiva/admin/geo_zones.php?zpage=1
&zID=1&action=list&spage=1&sID=1">[XSS-CODE]&saction=new
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
PHPRunner database credentials disclosure
Monday, November 13, 2006
##########################################
PHPRunner database credentials disclosure
Vendor url:http://www.xlinesoft.com/phprunner/
Advisore:http://lostmon.blogspot.com/2006/11/
phprunner-database-credentials.html
Vendor notify:yes exploit available:yes
OSVDB ID:30363
Securitytracker:1017218
Secunia:SA22863
BID:21054
##########################################
Description:
PHPRunner builds visually appealing web interface
for any local or remote MySQL, MS Access, SQL Server
and Oracle databases. Your web site visitors will be
able to easily search, add, edit, delete and export
data in your database. Advanced security options allow
to build password-protected members only Web sites
easily. PHPRunner is simple to learn so you can build
your first project in just fifteen minutes.
Vulnerability:
PHPRunner contains a flaw that allow local users
to view all credentials stored in PHPRunner for work.
This flaw exist because the aplication store the
database server, database names,users and passwords
in plain text in a file located in windows folder.
A local user could access directly to
\windows\PHPRunner.ini and obtain all information.
versions
this prove is tested on version 3.1
solution:
No solution was available at this time.
Timeline:
Discovered:21-10-2006
vendor notify:13-11-2006
vendor response:13-11-2006
disclosure:13-11-2006
example:
Open c:\windows\PHPRunner.ini
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
PHPRunner database credentials disclosure
Vendor url:http://www.xlinesoft.com/phprunner/
Advisore:http://lostmon.blogspot.com/2006/11/
phprunner-database-credentials.html
Vendor notify:yes exploit available:yes
OSVDB ID:30363
Securitytracker:1017218
Secunia:SA22863
BID:21054
##########################################
Description:
PHPRunner builds visually appealing web interface
for any local or remote MySQL, MS Access, SQL Server
and Oracle databases. Your web site visitors will be
able to easily search, add, edit, delete and export
data in your database. Advanced security options allow
to build password-protected members only Web sites
easily. PHPRunner is simple to learn so you can build
your first project in just fifteen minutes.
Vulnerability:
PHPRunner contains a flaw that allow local users
to view all credentials stored in PHPRunner for work.
This flaw exist because the aplication store the
database server, database names,users and passwords
in plain text in a file located in windows folder.
A local user could access directly to
\windows\PHPRunner.ini and obtain all information.
versions
this prove is tested on version 3.1
solution:
No solution was available at this time.
Timeline:
Discovered:21-10-2006
vendor notify:13-11-2006
vendor response:13-11-2006
disclosure:13-11-2006
example:
Open c:\windows\PHPRunner.ini
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
GOOP Gallery 'image' param Cross-site scripting
Monday, October 16, 2006
################################################
GOOP Gallery 'image' param Cross-site scripting
Vendor url:http://www.webgeneius.com
Advisore:http://lostmon.blogspot.com/2006/10/
goop-gallery-image-param-cross-site.html
Vendor notify: YES Exploit available: YES
securitytracker:1017081
Secunia: SA22258
BID:20554
################################################
GOOP Gallery contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' param upon submission to index.php script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
################
Versions
################
GOOP Gallery 2.0 vulnerable
GOOP Gallery 2.0.3 not Vulnerable
################
Solution
################
Upgrade to GOOP gallery 2.0.3as soon as possible.
http://webgeneius.com/index.php?mod=blog&id=49
Download GG2.0.3:
http://webgeneius.com/downloads/gg2.0.3.zip
################
Timeline
################
Discovered:09-10-2006
Vendor notify:14-10-2006
Vendor response:15-10-2006
Vendor Fix: 16-10-2006
Disclosure: 16-10-2006
##############
Example
##############
http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]
http://Victim/goopgallery/index.php?gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
GOOP Gallery 'image' param Cross-site scripting
Vendor url:http://www.webgeneius.com
Advisore:http://lostmon.blogspot.com/2006/10/
goop-gallery-image-param-cross-site.html
Vendor notify: YES Exploit available: YES
securitytracker:1017081
Secunia: SA22258
BID:20554
################################################
GOOP Gallery contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' param upon submission to index.php script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.
################
Versions
################
GOOP Gallery 2.0 vulnerable
GOOP Gallery 2.0.3 not Vulnerable
################
Solution
################
Upgrade to GOOP gallery 2.0.3as soon as possible.
http://webgeneius.com/index.php?mod=blog&id=49
Download GG2.0.3:
http://webgeneius.com/downloads/gg2.0.3.zip
################
Timeline
################
Discovered:09-10-2006
Vendor notify:14-10-2006
Vendor response:15-10-2006
Vendor Fix: 16-10-2006
Disclosure: 16-10-2006
##############
Example
##############
http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]
http://Victim/goopgallery/index.php?gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
osCommerce multiple Scripts 'page' param XSS
Tuesday, October 03, 2006
###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303
Advisore: http://lostmon.blogspot.com/2006/10/
oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
OSVDB ID:29795,29796,29797,29798,29799,29800,
29801,29802,29803,29804,29805,29806,
29807,29808
Securitytracker:1016979
BID:20343
Secunia:SA22275
FrSIRT: FrSIRT/ADV-2006-3917
###############################################
osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'page' param upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
The same situation is done in 'admin/geo_zones.php' but with
param 'zpage'.
####################
vERSIONS
####################
osCommerce 2.2 Milestone 2 Update 060817
####################
SOLUTION
####################
no solution was available at this time.
#######################
VULNERABLE CODE
#######################
Arround the line 30 in banner_manager.php we
tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
$HTTP_GET_VARS['bID']));
the page param is called directly , not sanitize.
arround line 115 we have a similar situation ,
we GET page param without sanitice in any GET request.
In all of scripts vulnerables, we have the same situation,
but with diferent code
####################
scripts vulnerables
####################
admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php
####################
Timeline
####################
Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006
####################
EXAMPLES
####################
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303
Advisore: http://lostmon.blogspot.com/2006/10/
oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
OSVDB ID:29795,29796,29797,29798,29799,29800,
29801,29802,29803,29804,29805,29806,
29807,29808
Securitytracker:1016979
BID:20343
Secunia:SA22275
FrSIRT: FrSIRT/ADV-2006-3917
###############################################
osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'page' param upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.
The same situation is done in 'admin/geo_zones.php' but with
param 'zpage'.
####################
vERSIONS
####################
osCommerce 2.2 Milestone 2 Update 060817
####################
SOLUTION
####################
no solution was available at this time.
#######################
VULNERABLE CODE
#######################
Arround the line 30 in banner_manager.php we
tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
$HTTP_GET_VARS['bID']));
the page param is called directly , not sanitize.
arround line 115 we have a similar situation ,
we GET page param without sanitice in any GET request.
In all of scripts vulnerables, we have the same situation,
but with diferent code
####################
scripts vulnerables
####################
admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php
####################
Timeline
####################
Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006
####################
EXAMPLES
####################
http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
http://localhost/catalog/admin/countries.php?page=1[XSS-code]
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]
http://localhost/catalog/admin/languages.php?page=1[XSS-code]
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]
http://localhost/catalog/admin/specials.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
http://localhost/catalog/admin/zones.php?page=1[XSS-code]
this is a simple evil url but we can do some moore elaborate url
in conjuncion with other archives not vulnerables... like this:
http://localhost/catalog/admin/categories.php?action=new_product_preview
&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]
######################## €nd #####################
Thnx to Estrella to be my ligth.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)