##########################################
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
popnupblog-indexphp-multiple-variables.html
Vendor notify:no exploits availables:yes
##########################################
PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
PopnupBlog 3.20 code name: Denali
Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
But you can edit the source code and ix it like:
for fix 'param' open index.php and arround line 37 we have
[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
add a line to force 'param' to return a integer:
[code]
$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]
for fix 'cat_id' and 'view' open index.php and arround line 129 :
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]
add intval to force variables to return an integer like:
[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]
###########
Examples
###########
http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1
http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
PHPizabi v0.848b traversal file access
Friday, August 15, 2008
##########################################
PHPizabi v0.848b traversal file access
Vendor url:http://www.phpizabi.net/
Advisore:http://lostmon.blogspot.com/2008/08/
phpizabi-v0848b-traversal-file-access.html
Vendor notify:no exploit available:yes
##########################################
############################
Description By vendor page:
############################
PHPizabi is one of the most powerful social networking
platforms on the planet. With literally thousands of
websites powered by PHPizabi including everything from
simple friends sites to the most complex networking
super sites out there. Easy to install, use, and raising
the bar on what it is to provide a reliable, fast, social
networking package to raise your business to the next level.
##########################
Vulnerability description
##########################
PHPizabi contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'query' variable upon submission
to 'index.php' scripts wen 'L' param is set to 'blogs.search'.
This could allow a remote users to create a specially crafted
URL that would execute '../' directory traversal characters to
view folder files on the target system with the privileges
of the target web service.
#################
Versions
################·
PHPizabi v0.848b C1 HFP3
###################
Solution
###################
At this moment ,no have solution for Traversal vuln.
For solve XSS issue in search blogs update to sp3
of this system:
Download sp3:
http://online.phpizabi.net/distribution/0848bC1_HFP3.zip
###################
Timeline
##################
Dicovered:10-08-2008
vendor notify: 14-08-2008
Vendor response:
Public Disclosure:15-08-2008
###################
Proof of Concept.
###################
#############
XSS
#############
if the sito don´t have instaled 848 Core HotFix Pack 3
(0848bC1_HFP3.zip) this system have one XSS hole in query
variable upon submision to index.php script wen L param is
set to blogs.search:
http://localhost/phpizabi/index.php?L=blogs.search&query=
[XSS-CODE]boolean=or&sin%5B%5D=title&sin
%5B%5D=body&order=natural&direction=asc
#####################
Traversal file access
#####################
For exploit this issue The attacker
need a Admin account.
http://localhost/phpizabi/index.php?L=
admin.templates.edittemplate&id=../../../boot.ini
we can too 'view' the html source code generated by
a remote server like :
http://localhost/phpizabi/index.php?
L=admin.templates.edittemplate
&id=http://[Remote-HOST]/folder/file.php
but i don't know if with this we can do something...
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
PHPizabi v0.848b traversal file access
Vendor url:http://www.phpizabi.net/
Advisore:http://lostmon.blogspot.com/2008/08/
phpizabi-v0848b-traversal-file-access.html
Vendor notify:no exploit available:yes
##########################################
############################
Description By vendor page:
############################
PHPizabi is one of the most powerful social networking
platforms on the planet. With literally thousands of
websites powered by PHPizabi including everything from
simple friends sites to the most complex networking
super sites out there. Easy to install, use, and raising
the bar on what it is to provide a reliable, fast, social
networking package to raise your business to the next level.
##########################
Vulnerability description
##########################
PHPizabi contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'query' variable upon submission
to 'index.php' scripts wen 'L' param is set to 'blogs.search'.
This could allow a remote users to create a specially crafted
URL that would execute '../' directory traversal characters to
view folder files on the target system with the privileges
of the target web service.
#################
Versions
################·
PHPizabi v0.848b C1 HFP3
###################
Solution
###################
At this moment ,no have solution for Traversal vuln.
For solve XSS issue in search blogs update to sp3
of this system:
Download sp3:
http://online.phpizabi.net/distribution/0848bC1_HFP3.zip
###################
Timeline
##################
Dicovered:10-08-2008
vendor notify: 14-08-2008
Vendor response:
Public Disclosure:15-08-2008
###################
Proof of Concept.
###################
#############
XSS
#############
if the sito don´t have instaled 848 Core HotFix Pack 3
(0848bC1_HFP3.zip) this system have one XSS hole in query
variable upon submision to index.php script wen L param is
set to blogs.search:
http://localhost/phpizabi/index.php?L=blogs.search&query=
[XSS-CODE]boolean=or&sin%5B%5D=title&sin
%5B%5D=body&order=natural&direction=asc
#####################
Traversal file access
#####################
For exploit this issue The attacker
need a Admin account.
http://localhost/phpizabi/index.php?L=
admin.templates.edittemplate&id=../../../boot.ini
we can too 'view' the html source code generated by
a remote server like :
http://localhost/phpizabi/index.php?
L=admin.templates.edittemplate
&id=http://[Remote-HOST]/folder/file.php
but i don't know if with this we can do something...
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
FIX XSS in RMSOFT donwload plus
Monday, August 11, 2008
fixing XSS issues in RMSOFT donwload plus
RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
arround line 314 found function rmdp_make_searchnav()
found this code:
#####################
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');
$xoopsTpl->assign('key', $key);
[/code]
the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');
$xoopsTpl->assign('key', $key);
[/code]
now variable is clean in functions, but we need to sanitize again in search.php...
open modules/rmdp/search.php
arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:
[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :
[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]
#############################
fix $id variable in down.php
#############################
open modules/down.php and arround line 38 found this code line:
[code]$id = $_GET['id'];[/code]
it´s a numerical variable value always and them...
yo can change by this other to sanitizing :
[code]$id = intval($_GET['id']);[/code]
##############€nd ######
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html
###################
FIX $key variable
###################
open modules/rmdp/include/rmdp_functions.php
arround line 314 found function rmdp_make_searchnav()
found this code:
#####################
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');
$xoopsTpl->assign('key', $key);
[/code]
the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:
[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;
$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');
$xoopsTpl->assign('key', $key);
[/code]
now variable is clean in functions, but we need to sanitize again in search.php...
open modules/rmdp/search.php
arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:
[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]
$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :
[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]
#############################
fix $id variable in down.php
#############################
open modules/down.php and arround line 38 found this code line:
[code]$id = $_GET['id'];[/code]
it´s a numerical variable value always and them...
yo can change by this other to sanitizing :
[code]$id = intval($_GET['id']);[/code]
##############€nd ######
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Yogurt Social Network fans.php uid variable XSS
Sunday, August 10, 2008
##########################################
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################
Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
Yogurt Social Network 3.2 rc1
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
###########
Examples
###########
http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################
Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.
Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.
##########
versions
##########
Yogurt Social Network 3.2 rc1
it affects This type CMS Systems if we
have instaled this module:
Xoops
e-xoops
ImpressCMS
Bcoos
and other that uses xoops code and this module.
############
Solution
############
No solution at this time !!!
###########
Examples
###########
http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]
############## €nd ###################
Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)