
PC-EXPERIENCE/TOPPE CMS Security Advisory

Subject: PC-EXPERIENCE/TOPPE CMS Security Advisory
Date: 30 Jul 2005 15:09:50 -0000



# PC-EXPERIENCE/TOPPE CMS Security Advisory
# By : Morinex
# E-Mail : rat@marocmaffia.com
# Date : 30-07-2K5 ( so lazy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gays of 0x1fe. I hate them
so much, isn't it Falesco? 0x1fe.com :)

Vulnerabilities


* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )


We have found a USER-ID disclosure and an XSS vuln. on the PM. I don't have time
to tell the full story about PCXP/TOPPE CMS, so let's tell a brief history about
this CMS.
The CMS was coded by Alex of PCXP and after that he made it public for everyone.
Later there was a guy named Toppe who modded the source and recoded the admin.
Dunno if it's true but I heard a lot about this gay on wmc's, but anyway let's
take a look at the vulns.


Download the PC-XP source V2 ( "Modded" ) on : http://members.lycos.nl/toppecms/pcexpv2.rar
Download the PC-XP source V1.15 on : http://members.lycos.nl/toppecms/pcxv1.15.zip




# USER-ID BYPASSING  ( remote )


Let's start directly. We are gonna get access on every user-id I want on a
PC-XP/TOPPE cms.
Let's visit one target, wmhulp dot nl. Hmmz, now we are gonna check the cookie
of wmhulp in C:\Documents and Settings\Morinex\Cookies, and I found this cookie on it :

wmhulp.nl  FALSE  /  FALSE  1144851286  hash  81859
wmhulp.nl  FALSE  /  FALSE  1144851286  id  48
wmhulp.nl  FALSE  /  FALSE  1144851286  wachtwoord  098f6bcd4621d373cade4e832627b4f6

As we see I am user ID 48 (registered before) and my password is
098f6bcd4621d373cade4e832627b4f6 (md5).
If u cat login.php and scroll down u will see this:
"if($assoc['userid'] == $_COOKIE['id'] AND $actie == bekijk){ "
If u have a little php exp u will see that $actie only is checking if the userid
and cookie are the same. So it's easy to exploit:
just edit 48 with ure own ID number. U can see ure ID number on the members
list ( ledenlijst.php ).
After that we save the cookie and visit the page; I am logged in with the userid
I want. We have now full access on PCXP/TOPPE CMS.
Take a look on the admin page ;> or kind of that.
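Added example (editor's code, not code from PC-XP/TOPPE or from the advisory author): the ownership check quoted above from login.php rebuilt as a function, beside a version that takes the user's identity from a server-side session filled in at login. $assoc, $actie, the 'userid' column and the 'bekijk' action are taken from the advisory; the function names, the constructed user table, the sample row and the user IDs are assumptions for the demo.

```php
<?php
// Added example, not PC-XP/TOPPE code: the cookie-trusting ownership check
// from login.php next to a session-based one.
// $assoc, $actie, 'userid' and 'bekijk' come from the advisory; the function
// names, user table and sample data below are assumed.

// Constructed row, standing in for what the CMS fetches for the requested page.
$assoc = ['userid' => 48, 'msg' => 'private message of user 48'];

// Vulnerable pattern (as quoted): "who am I" is read from $_COOKIE['id'],
// a value the browser sends and the user can edit freely before sending.
function canViewVulnerable(array $assoc, array $cookie, string $actie): bool
{
    return isset($cookie['id']) && $assoc['userid'] == $cookie['id'] && $actie == 'bekijk';
}

// Hardened pattern: identity comes from the server-side session, which login()
// fills only after the password has been verified. Strict comparison on
// integers avoids PHP loose-equality surprises between strings and numbers.
function canViewHardened(array $assoc, array $session, string $actie): bool
{
    if (!isset($session['userid'])) {
        return false; // not logged in at all
    }
    return $actie === 'bekijk' && (int) $assoc['userid'] === (int) $session['userid'];
}

// Login for the hardened path: the password is checked against a salted hash
// kept on the server; nothing password-derived is handed back to the browser
// (the CMS stored an unsalted MD5 of the password in the 'wachtwoord' cookie).
function login(array $users, string $name, string $password, array &$session): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return false;
    }
    $session['userid'] = $users[$name]['userid'];
    return true;
}

// Constructed user table; the hash is computed at run time so the script is
// self-contained. User 50 is an ordinary registered member.
$users = ['member50' => ['userid' => 50, 'hash' => password_hash('test', PASSWORD_DEFAULT)]];

// User 50 rewrites the id cookie to 48, exactly as the advisory describes.
$forgedCookie = ['hash' => '81859', 'id' => '48'];
var_dump(canViewVulnerable($assoc, $forgedCookie, 'bekijk'));

// The same user against the hardened check: the session says 50, the row says 48.
$session = [];
login($users, 'member50', 'test', $session);
var_dump(canViewHardened($assoc, $session, 'bekijk'));
```

Run it with the PHP CLI. The first var_dump shows the forged cookie passing the quoted check, the second shows the session-based check refusing the same request, because the only thing the client can influence there is the session cookie, and the session ID maps to a userid the server set itself after password_verify succeeded.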


# Cross Site Scripting Vuln. ( local )

This one is located on the pm page ( pm.php ).
Javascript is enabled so we can easily steal cookies. I'm not here to explain how,
but as u see we can run javascript on it so it's vuln for XSS attacks. Just enter
this in the $msg: <script>alert(document.cookie)</script> and he will see an alert.
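Added example (editor's code, not code from PC-XP/TOPPE or from the advisory author): the PM body rendered raw, the way the advisory says pm.php behaves, beside the same rendering with HTML encoding on output. $msg and the alert payload are from the advisory; the function names and the surrounding markup are assumptions for the demo.

```php
<?php
// Added example, not PC-XP/TOPPE code: rendering a PM body raw versus
// HTML-encoding it on output. $msg and the payload are from the advisory;
// the function names and the markup are assumed.

// Vulnerable pattern: the stored message is concatenated straight into HTML,
// so a <script> tag in it runs in the recipient's browser when the PM is read.
function renderPmVulnerable(string $msg): string
{
    return '<div class="pm">' . $msg . '</div>';
}

// Hardened pattern: encode at the point of output so the browser displays the
// tag as text. ENT_QUOTES also covers attribute contexts; the charset argument
// must match the page's declared encoding or the encoding can be bypassed.
function renderPmHardened(string $msg): string
{
    return '<div class="pm">' . htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</div>';
}

// The payload quoted in the advisory, as it would arrive from the PM form.
$msg = '<script>alert(document.cookie)</script>';

echo renderPmVulnerable($msg), PHP_EOL;
echo renderPmHardened($msg), PHP_EOL;

// Defence in depth: even with encoding in place, keep the session cookie out
// of document.cookie so a missed spot cannot hand it to script. HttpOnly
// does that; SameSite limits cross-site sending. Call before session_start().
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
```

The first echo prints the script tag unchanged, which is what the recipient's browser would execute; the second prints it with the angle brackets turned into entities, so the message shows the text literally and nothing runs. The cookie-theft the advisory alludes to depends on the cookie being readable from JavaScript, which is why the HttpOnly flag is set on the session cookie as a second layer.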




# Solution


There is no solution at the moment and there will not be one.
PC-XP was stopped a long, long time ago and TOPPE is not happy when we are
spreading the CMS to the public.
The only solution for this one is to stop using this CMS and take a look at
PHPNUKE, MAMBO etc. ffs, he himself is now using Mambo CMS on his main page ( toppedotnl ).
