FIX XSS in RMSOFT donwload plus

Monday, August 11, 2008
fixing XSS issues in RMSOFT donwload plus


RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html

###################
FIX $key variable
###################

open modules/rmdp/include/rmdp_functions.php

arround line 314 found function rmdp_make_searchnav()

found this code:
#####################
[code]

function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');

$xoopsTpl->assign('key', $key);
[/code]

the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:

[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');

$xoopsTpl->assign('key', $key);
[/code]

now variable is clean in functions, but we need to sanitize again in search.php...

open modules/rmdp/search.php

arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:

[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :

[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]

#############################
fix $id variable in down.php
#############################

open modules/down.php and arround line 38 found this code line:

[code]$id = $_GET['id'];[/code]

it´s a numerical variable value always and them...
yo can change by this other to sanitizing :

[code]$id = intval($_GET['id']);[/code]

##############€nd ######


Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Yogurt Social Network fans.php uid variable XSS

Sunday, August 10, 2008
##########################################
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

RMSOFT Downloads Plus two scripts two variables XSS

Saturday, August 09, 2008
##########################################
RMSOFT Downloads Plus two scripts two variables XSS
Vendor url:http://www.xoops-mexico.net/
Advisore:http://lostmon.blogspot.com/2008/08/
rmsoft-downloads-plus-two-scripts-two.html
Vendor notify:no exploits availables:yes
##########################################


RMSOFT Downloads Plus is a download php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

RMSOFT Downloads Plus contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'key' variable upon
submission to search.php script and 'id' variable upon
submision to down.php script in module. This could allow
a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

RMSOFT Downloads Plus 1.5
RMSOFT Downloads Plus 1.7

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/modules/rmdp/search.php?key=">[XSS-code]&cat=0

http://localhost/modules/rmdp/down.php?id=1">[XSS-code]

http://localhost/modules/rmdp/down.php?com_mode=nest&com_order=1&id=1">
[XSS-code]&cid=3#users


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente..

Yogurt Social Network multiple scripts uid variable XSS

##########################################
Yogurt Social Network multiple scripts uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-multiple-scripts.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/friends.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/seutubo.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/album.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/scrapbook.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/index.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/
tribes.php?uid=1"><script>alert(1)</script>

Also the a autenticated user can compose a new scrap with XSS code
in description texarea, and it is executed wen a user looks the
attacker malformed scrap.(stored XSS).


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends