[Full-Disclosure] phpCMS <= 1.2.1 Xss Vulnerability, Information disclos

Subject: [Full-Disclosure] phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure
Date: Fri, 26 Nov 2004 10:53:06 +0100
Title: phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure
Affects: 
  - <= 1.2.1
Effect: Cross Site Attack (session hijacking, ...)
Id: cbsa-0006
Release Date: 2004/11/26
Author: Cyrille Barthelemy <cb-publicbox@ifrance.com>


-- 1. Introduction
------------------------
phpCMS is a content management system that is easily configurable, very
flexible, and has no particular dependencies. See [1] for a complete
description of the project. The latest version, 1.2.1, was released on
November 22, 2004.

-- 2. Problem
------------------
An implementation error in the validation of user input leads to an XSS
vulnerability that allows a user to mount cross-site attacks. It also
discloses information about the server configuration when phpCMS is
configured in non-stealth mode with debug mode activated.
Example of exploitation:
http://[somehost]/parser/parser.php?file=<script>alert(document.cookie)</script>


The error page displays the input supplied by the user, without filtering,
together with the full path to the phpCMS root directory.
Example of exploitation:
http://[somehost]/parser/parser.php?file=donotexist
=>
phpCMS 1.2.1
Error: 07: could not find file for parsing.
/var/www/localhost/htdocsdonotexists/index.htm
^^^^^^^^^^^^^^^^^^^^^^^^^


-- 3. Solution
------------------
Upgrade to the next version 1.2.1.pl1, available at : 
http://www.phpcms.de/download/index.en.html

_DO NOT_ run your configuration in debug mode with untrusted access.
_DO_ run in file stealth mode.


-- 4. References
---------------------
[1] phpCMS web site
    http://www.phpcms.de/


-- 5. History
----------------
- 2004/11/24 : vulnerability discovered
- 2004/11/24 : vendor notified
- 2004/11/25 : vendor response
- 2004/11/25 : fix released

-- 6. Contact information
----------------------------------
Cyrille Barthelemy <cb-publicbox@ifrance.com>
Web Site : http://www.cyrille-barthelemy.com
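
The two defects described in section 2, as an added example that is not code from phpCMS or from the advisory's author: a hypothetical PHP error-page renderer that reflects the `file` value and prints the resolved path, beside a hardened form. The function names, the `$debug` flag, the document root and the way the path is built are assumptions made for illustration.

```php
<?php
// Added illustration; not phpCMS source. All names here are hypothetical.

// Pattern the advisory describes: the request value and the resolved
// filesystem path are written into the error page unchanged.
function render_error_unsafe(string $docRoot, string $file): string
{
    $path = $docRoot . $file . '/index.htm';   // assumed path construction
    return "<h1>Error: 07: could not find file for parsing.</h1>\n<p>$path</p>";
}

// Hardened form: encode for the HTML context and keep server paths out of
// the response; the detail goes to the server log instead.
function render_error_safe(string $docRoot, string $file, bool $debug = false): string
{
    $path = $docRoot . $file . '/index.htm';
    error_log('parse error, missing file: ' . $path);   // operator-only detail

    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    $shown = htmlspecialchars($file, $flags, 'UTF-8');
    $html  = "<h1>Error: 07: could not find file for parsing.</h1>\n"
           . "<p>Requested: $shown</p>";
    if ($debug) {
        // Debug output is still encoded; enable only for trusted access.
        $html .= "\n<p>" . htmlspecialchars($path, $flags, 'UTF-8') . '</p>';
    }
    return $html;
}

// Constructed sample input, shaped like the request shown in section 2.
$docRoot = '/var/www/example/htdocs';          // assumed document root
$file    = '<script>alert(document.cookie)</script>';

echo render_error_unsafe($docRoot, $file), "\n\n";  // markup and path reach the page
echo render_error_safe($docRoot, $file), "\n";      // markup arrives as &lt;script&gt;...
```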
