[Full-disclosure] MHL-2006-001 Public Advisory: "Eazy Cart" Multiple Security Issues

2006-10-10 Thread Mayhemic Labs Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

MHL-2006-001 - Public Advisory

+---+
|Eazy Cart Multiple Security Issues |
+---+


PUBLISHED ON
  October 9th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-01.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006001


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  Eazy Cart
  http://www.eazycart.com/
  "Eazy Cart the easy to install shopping cart system"


AFFECTED VERSIONS
  All Versions


ISSUES
  Eazy Cart is vulnerable to authentication bypass,
  data injection, and XSS attacks.

1) Authentication bypass
Eazy Cart does not check login credentials past the
initial login screen of the administration menu.

Example:
An attacker can access all administrative functions
without authentication by going to /admin/home/index.php.

2) Data Injection
Eazy Cart trusts user entered data implicitly, allowing
an attacker to adjust prices and other values when
ordering.

Example: A user can craft a malicious URL to submit
incorrect data to easycart.php telling it to add items
to its cart for incorrect prices, including negative
values.

3) XSS
Eazy Cart trusts user entered data implicitly, not
sanitizing it for malicious code.

Example: A user can craft a malicious URL to submit
incorrect data to easycart.php, feeding it malicious
javascript.

WORKAROUNDS
None at this time

SOLUTIONS
None at this time

REFERENCES
None

TIMELINE
October 3rd, 2006
Vendor/Developer Notified
October 8th, 2006
Vendor/Developer notification returned.
October 9th, 2006
Public Release  

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFKvXhzjnMaVYUP4QRAh6bAKC6C4ZG/KkYsijeVnC2AuiwvG1O1wCeNePN
aVJsxgezSujUz7MNkJQavJ8=
=Is2h
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
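
Added example, not part of the advisory and not Eazy Cart code: one way a cart handler can close the data injection issue in item 2 is to take only an item id and a quantity from the request and look the price up server-side. The parameter names (item, qty, price), the catalogue and the quantity limit are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed catalogue; in a real shop this is a database table. Prices in cents.
const CATALOGUE = [
    'SKU-100' => ['name' => 'Widget', 'price_cents' => 1999],
    'SKU-200' => ['name' => 'Gadget', 'price_cents' => 4950],
];

/**
 * Build a cart line from request parameters (hypothetical names).
 * Only the item id and quantity come from the client; a client-supplied
 * price is never read.
 */
function cart_line_from_request(array $params): array
{
    $sku = $params['item'] ?? '';
    if (!is_string($sku) || !array_key_exists($sku, CATALOGUE)) {
        throw new InvalidArgumentException('unknown item');
    }
    // Whole numbers from 1 to 100 only: rejects negatives, zero, floats and text.
    $qty = filter_var($params['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        throw new InvalidArgumentException('quantity must be an integer from 1 to 100');
    }
    $unit = CATALOGUE[$sku]['price_cents'];   // authoritative price, integer cents
    return ['sku' => $sku, 'qty' => $qty, 'unit_cents' => $unit, 'line_cents' => $unit * $qty];
}

// Constructed requests: the second carries a tampered price, the third a negative quantity.
$requests = [
    ['item' => 'SKU-100', 'qty' => '2'],
    ['item' => 'SKU-200', 'qty' => '1', 'price' => '-50.00'],
    ['item' => 'SKU-100', 'qty' => '-3'],
];
foreach ($requests as $r) {
    try {
        $line = cart_line_from_request($r);
        printf("%s x%d = %.2f\n", $line['sku'], $line['qty'], $line['line_cents'] / 100);
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n", $e->getMessage());
    }
}
```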


[Full-disclosure] MHL-2006-002 Public Advisory: "Call-Center-Software" Multiple Security Issues

2006-10-11 Thread Mayhemic Labs Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

MHL-2006-002 - Public Advisory

+---+
|Call-Center-Software Multiple Security Issues  |
+---+


PUBLISHED ON
  October 11th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-002.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006002


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  call-center software
  http://www.call-center-software.org/

  "call-center-software is a free open-source application
  released under the GPL"


AFFECTED VERSIONS
  Versions 0.93 and below


ISSUES
  Call-Center-Software is vulnerable to multiple SQL
  injection attacks and XSS under certain conditions,
  along with privilege escalation.

1) XSS
Call-Center-Software does not escape data when handling
it, allowing malicious javascript to be inserted by
any user. This applies only when Magic Quotes is disabled
within PHP.

Example:
A user entering alert("Moo!"); into
the problem description field when submitting the
problem will cause the javascript to be executed
upon viewing or editing the problem.

2) SQL Injection
Call-Center-Software does not escape data when handling
it, allowing malicious users to inject SQL commands into
the database. This applies only when Magic Quotes is
disabled within PHP.

Example: By logging into the system with the user
"'or 1=1 or 1='" the attacker is let into the system with
full administrative privileges.

3) Privilege Escalation and Password Disclosure
Call-Center-Software does not check access privileges
when bringing up the "edit user" screen. This, combined
with the lack of password hashing, discloses the
password, username, and other information stored within
the database for any user on the system.

Example: When logged in as a non-administrative user,
a user can go to edit_user.php?user_id=1 and view the
default admin account's password. Changing the
user_id variable discloses the corresponding account's
data.


WORKAROUNDS
Enabling Magic Quotes will negate the XSS and SQL
injection attacks on affected systems.


SOLUTIONS
None at this time


REFERENCES
call-center software - http://www.call-center-software.org/


TIMELINE
September 25th, 2006
Vendor/Developer Notified
Vendor/Developer Response Received
Vendor/Developer Questioned on Patch Availability
No response
October 3rd, 2006
Vendor Followup
Vendor/Developer Response Received
Vendor/Developer Questioned on Patch Availability
No response

ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFLazmzjnMaVYUP4QRAjMLAJwPkXBBfIjxcROLm+w4NgxPi+1XZQCgpW/F
jz7P+B+SzCkde2WZOtAXFxE=
=Gth+
-END PGP SIGNATURE-
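
Added example, not part of the advisory and not Call-Center-Software code: a login that binds its input and verifies a password hash, and an edit-user lookup that checks the caller's privileges and never selects the password column, which together address items 2 and 3 without depending on Magic Quotes. The schema, the account names and passwords and the function names are constructed; it assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Constructed schema and users in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT, is_admin INTEGER)');
$ins = $db->prepare('INSERT INTO users (name, pw_hash, is_admin) VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 1]);
$ins->execute(['agent', password_hash('constructed-agent-pw', PASSWORD_DEFAULT), 0]);

/** Return the user row on success, null otherwise. Input is bound, never concatenated. */
function login(PDO $db, string $name, string $password): ?array
{
    $st = $db->prepare('SELECT id, name, pw_hash, is_admin FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    unset($row['pw_hash']);            // the hash never leaves this function
    return $row;
}

/** Record for the edit-user screen: own record, or any record for an administrator. */
function load_user_for_edit(PDO $db, array $actor, int $userId): array
{
    if (!$actor['is_admin'] && (int)$actor['id'] !== $userId) {
        throw new RuntimeException('forbidden');
    }
    $st = $db->prepare('SELECT id, name, is_admin FROM users WHERE id = ?'); // no password column
    $st->execute([$userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException('no such user');
    }
    return $row;
}

// The advisory's login string is treated as a literal user name and matches no row.
var_dump(login($db, "'or 1=1 or 1='", '') === null);
$agent = login($db, 'agent', 'constructed-agent-pw');
var_dump(load_user_for_edit($db, $agent, (int)$agent['id'])['name']);
try {
    load_user_for_edit($db, $agent, 1);   // user_id=1 is the admin row
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```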



[Full-disclosure] MHL-2006-003 Public Advisory: "ezOnlineGallery" Multiple Security Issues

2006-10-27 Thread Mayhemic Labs Security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

MHL-2006-003 - Public Advisory

+---+
| ezOnlineGallery Multiple Security Issues  |
+---+


PUBLISHED ON
  October 26th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-003.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006003


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  ezOnlineGallery
  http://www.ezonlinegallery.com/



AFFECTED VERSIONS
  Versions 1.3 and below


ISSUES
ezOnlineGallery allows disclosure of certain data about
the system it is installed on.

1) Valid Path Disclosures
By editing the album variable when the "show_album"
action is called on ezgallery.php, an attacker can verify
the existence of any directory on a system. The system
will attempt to display an album if the path is valid,
and will return an error if the path is invalid.

EXAMPLE:
ezgallery.php?action=show_album&album=../../../../../etc/

2) File Disclosure
By editing both the album and image variables on image.php
an attacker can view any JPG, BMP, or PNG that the apache
process has read access to.

image.php?album=../../home/jrluser/girlfriendpics&image=nude.jpg

WORKAROUNDS
None at this time

SOLUTIONS
Upgrade to 1.3.2 Beta


REFERENCES
ezOnlineGallery - http://www.ezonlinegallery.com/


TIMELINE
October 26th, 2006
Vendor/Developer Notified
Vendor/Developer Fixes Issues
Public Release


ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFQWG1zjnMaVYUP4QRAmn5AKCggkwoeoEwskcExkJtNnwWC4UBkQCgjetQ
1bjFMzRtPuveUAU6a0+ZaWg=
=yUPA
-END PGP SIGNATURE-



[Full-disclosure] MHL-2006-003 Public Advisory: "mboard" file creation issue

2006-11-27 Thread Mayhemic Labs Security
MHL-2006-004 - Public Advisory

+---+
|mboard Security Issue  |
+---+


PUBLISHED ON
  November 26th, 2006


PUBLISHED AT
  http://www.mayhemiclabs.com/advisories/MHL-2006-004.txt
  http://www.mayhemiclabs.com/wiki/wikka.php?wakka=MHL2006004


PUBLISHED BY
  Mayhemic Labs
  http://www.mayhemiclabs.com

  security AT mayhemiclabs DOT com
  GPG key: 0x56143F84


APPLICATION
  MBoard - PHP message board
  http://www.phpjunkyard.com/php-message-board.php

  "MBoard is a PHP message board script (a simple forum)."


AFFECTED VERSIONS
  Versions 1.22 and below


ISSUES
  MBoard does not check the Post ID for malicious data when replying,
  allowing an attacker to create blank files on the system wherever
  the web server has write access.

  Example: An attacker can reply to a message, and edit the "orig_id"
  variable to something malicious ("../../../../../../tmp/ZOMGHAX").
  mboard will then create the specified file (appending the
  configured extension).

WORKAROUNDS
Enabling Magic Quotes will negate the issue.


SOLUTIONS
Upgrade to version 1.3


REFERENCES
MBoard - http://www.phpjunkyard.com/php-message-board.php


TIMELINE
October 11th, 2006
Vendor/Developer Notified
Vendor/Developer Response Received

October 25th, 2006
Vendor/Developer Followup
Vendor/Developer Response Received

November 16th, 2006
Vendor/Developer Followup

November 18th, 2006
New Version Released

November 26th, 2006
Advisory Released


ADDITIONAL CREDIT
  N/A

LICENSE
  Creative Commons Attribution-ShareAlike License
  http://creativecommons.org/licenses/by-sa/2.5
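
Added example, not part of the advisories and not code from ezOnlineGallery or MBoard: the album/image traversal in MHL-2006-003 and the orig_id traversal above both come from building a filesystem path out of request data, and this sketch shows the two usual checks, containment under a root directory and accepting an id only as an integer. The function names, directory layout and sample files are constructed, and integer post ids are an assumption.

```php
<?php
declare(strict_types=1);

/**
 * Resolve an image inside the gallery root, or return null.
 * Album and image must each be a single path component, and the resolved
 * file must still sit under the root after symlinks are followed.
 */
function resolve_gallery_image(string $root, string $album, string $image): ?string
{
    $component = '/^[A-Za-z0-9_-][A-Za-z0-9._-]*$/';   // no slashes, no leading dot
    if (!preg_match($component, $album) || !preg_match($component, $image)) {
        return null;
    }
    if (!preg_match('/\.(jpe?g|png|bmp)$/i', $image)) {
        return null;
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . '/' . $album . '/' . $image);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // Compare against the root plus a separator so a sibling such as "gallery2" does not pass.
    $prefix = $rootReal . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

/** A post id used to build a file name is accepted only as a positive integer. */
function post_file_for_reply(string $dataDir, string $origId, string $ext): ?string
{
    $id = filter_var($origId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : rtrim($dataDir, '/') . '/' . $id . $ext;
}

// Constructed gallery tree in a temporary directory.
$root = sys_get_temp_dir() . '/gallery_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/holiday', 0700, true);
file_put_contents($root . '/holiday/beach.jpg', 'constructed sample bytes');

var_dump(resolve_gallery_image($root, 'holiday', 'beach.jpg') !== null);
var_dump(resolve_gallery_image($root, '../../../../../etc', 'passwd'));
var_dump(resolve_gallery_image($root, '..', basename($root) . '/holiday/beach.jpg'));
// '/srv/board-data' is a constructed directory name.
var_dump(post_file_for_reply('/srv/board-data', '17', '.txt'));
var_dump(post_file_for_reply('/srv/board-data', '../../../../../../tmp/ZOMGHAX', '.txt'));

unlink($root . '/holiday/beach.jpg');
rmdir($root . '/holiday');
rmdir($root);
```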
