PHPRunner database credentials disclosure

Monday, November 13, 2006
##########################################
PHPRunner database credentials disclosure
Vendor url:http://www.xlinesoft.com/phprunner/
Advisore:http://lostmon.blogspot.com/2006/11/
phprunner-database-credentials.html
Vendor notify:yes exploit available:yes
OSVDB ID:30363
Securitytracker:1017218
Secunia:SA22863
BID:21054
##########################################



Description:

PHPRunner builds visually appealing web interface
for any local or remote MySQL, MS Access, SQL Server
and Oracle databases. Your web site visitors will be
able to easily search, add, edit, delete and export
data in your database. Advanced security options allow
to build password-protected members only Web sites
easily. PHPRunner is simple to learn so you can build
your first project in just fifteen minutes.

Vulnerability:

PHPRunner contains a flaw that allow local users
to view all credentials stored in PHPRunner for work.
This flaw exist because the aplication store the
database server, database names,users and passwords
in plain text in a file located in windows folder.
A local user could access directly to
\windows\PHPRunner.ini and obtain all information.

versions

this prove is tested on version 3.1

solution:

No solution was available at this time.

Timeline:

Discovered:21-10-2006
vendor notify:13-11-2006
vendor response:13-11-2006
disclosure:13-11-2006

example:

Open c:\windows\PHPRunner.ini



######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

GOOP Gallery 'image' param Cross-site scripting

Monday, October 16, 2006
################################################
GOOP Gallery 'image' param Cross-site scripting
Vendor url:http://www.webgeneius.com
Advisore:http://lostmon.blogspot.com/2006/10/
goop-gallery-image-param-cross-site.html
Vendor notify: YES Exploit available: YES
securitytracker:1017081
Secunia: SA22258
BID:20554
################################################



GOOP Gallery contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'image' param upon submission to index.php script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server, leading
to a loss of integrity.

################
Versions
################

GOOP Gallery 2.0 vulnerable
GOOP Gallery 2.0.3 not Vulnerable

################
Solution
################

Upgrade to GOOP gallery 2.0.3as soon as possible.

http://webgeneius.com/index.php?mod=blog&id=49

Download GG2.0.3:
http://webgeneius.com/downloads/gg2.0.3.zip

################
Timeline
################

Discovered:09-10-2006
Vendor notify:14-10-2006
Vendor response:15-10-2006
Vendor Fix: 16-10-2006
Disclosure: 16-10-2006

##############
Example
##############

http://Victim/goopgallery/index.php?next=%BB&gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]

http://Victim/goopgallery/index.php?gallery=demo+gallery+1
&image=Bunny.JPG">[XSS-CODE]

######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

osCommerce multiple Scripts 'page' param XSS

Tuesday, October 03, 2006
###############################################
osCommerce multiple Scripts 'page' param XSS
Vendor url: http://www.oscommerce.com
Vendor Bugtracker:http://www.oscommerce.com/community/bugs,4303
Advisore: http://lostmon.blogspot.com/2006/10/
oscommerce-multiple-scripts-page-param.html
Vendor notify:yes
OSVDB ID:29795,29796,29797,29798,29799,29800,
29801,29802,29803,29804,29805,29806,
29807,29808
Securitytracker:1016979
BID:20343
Secunia:SA22275
FrSIRT: FrSIRT/ADV-2006-3917
###############################################


osCommerce contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'page' param upon submission to multiple scripts
in /admin folder.This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.

The same situation is done in 'admin/geo_zones.php' but with
param 'zpage'.



####################
vERSIONS
####################

osCommerce 2.2 Milestone 2 Update 060817

####################
SOLUTION
####################

no solution was available at this time.


#######################
VULNERABLE CODE
#######################

Arround the line 30 in banner_manager.php we


tep_redirect(tep_href_link(FILENAME_BANNER_MANAGER,
'page=' . $HTTP_GET_VARS['page'] . '&bID=' .
$HTTP_GET_VARS['bID']));



the page param is called directly , not sanitize.
arround line 115 we have a similar situation ,
we GET page param without sanitice in any GET request.

In all of scripts vulnerables, we have the same situation,
but with diferent code

####################
scripts vulnerables
####################

admin/banner_manager.php
admin/banner_statistics.php
admin/countries.php
admin/currencies.php
admin/languages.php
admin/manufacturers.php
admin/newsletters.php
admin/orders_status.php
admin/products_attributes.php
admin/products_expected.php
admin/reviews.php
admin/specials.php
admin/stats_products_purchased.php
admin/stats_products_viewed.php
admin/tax_classes.php
admin/tax_rates.php
admin/zones.php

####################
Timeline
####################

Discovered: 27-09-2006
Vendor notify:03-10-2006
Vendor response:------
Vendor fix:--------
Disclosure: 03-10-2006 (vendor Bugtracker)
Public disclosure:04-10-2006

####################
EXAMPLES
####################

http://localhost/catalog/admin/banner_manager.php?page=1[XSS-code]
http://localhost/catalog/admin/banner_statistics.php?page=1[XSS-code]
http://localhost/catalog/admin/countries.php?page=1[XSS-code]
http://localhost/catalog/admin/currencies.php?page=1[XSS-code]
http://localhost/catalog/admin/languages.php?page=1[XSS-code]
http://localhost/catalog/admin/manufacturers.php?page=1[XSS-code]
http://localhost/catalog/admin/newsletters.php?page=1[XSS-code]
http://localhost/catalog/admin/orders_status.php?page=1[XSS-code]
http://localhost/catalog/admin/products_attributes.php?page=1[XSS-code]
http://localhost/catalog/admin/products_expected.php?page=1[XSS-code]
http://localhost/catalog/admin/reviews.php?page=1[XSS-code]
http://localhost/catalog/admin/specials.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_purchased.php?page=1[XSS-code]
http://localhost/catalog/admin/stats_products_viewed.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_classes.php?page=1[XSS-code]
http://localhost/catalog/admin/tax_rates.php?page=1[XSS-code]
http://localhost/catalog/admin/zones.php?page=1[XSS-code]

this is a simple evil url but we can do some moore elaborate url
in conjuncion with other archives not vulnerables... like this:



http://localhost/catalog/admin/categories.php?action=new_product_preview
&read=only&pID=12&origin=stats_products_viewed.php?page=2[XSS-code]



######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....

Panda ActiveScan XSS vulnerability

Wednesday, August 09, 2006
################################################
Panda ActiveScan XSS vulnerability
Vendor urL:http://www.pandasoftware.es or .com
Advisore:http://lostmon.blogspot.com/2006/08/
panda-activescan-xss-vulnerability.html
vendor notify:yes exploit available:yes
OSVDB ID:29147
Securitytracker:1016696
BID:19471
################################################

Panda ActiveScan contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'email' variable upon submission to the ascan_6.asp
script.This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,leading
to a loss of integrity.

##########
versions:
##########

Panda ActiveScan 5.53.00

##########
Solution:
##########

Panda has release a new version of ActiveScan
at 14-08-2006

#########
timeline:
#########

discovered : 01-08-2006
vendor notify :05-08-2006
vendor response :14-08-2006
vendor fix:14-08-2006
disclosure:9-08-2005

################
test
################



http://www.pandasoftware.com/activescan/activescan/
ascan_6.asp?IdLang=2&Idvendor=17490&Idpais=63&email=
Lostmon@gmail.com%22%3E%3Cscript%3Ealert%28%27XSS%20
Vulnerability%27%29%3C/script%3E%26&pais=62&
provincia=9&tipousuario=0&enviar=1&ode=0#


######################## €nd #####################

Thnx to Estrella to be my ligth.

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends