Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[UNIX] Multiple Vulnerabilities in CoolPHP

from [SecuriTeam] Network Security [Permanent Link]
Subject: [UNIX] Multiple Vulnerabilities in CoolPHP
Date: 18 Oct 2004 16:16:41 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Multiple Vulnerabilities in CoolPHP
------------------------------------------------------------------------


SUMMARY

 <http://cphp.sourceforge.net/> CoolPHP is a PHP based portal system. It 
requires a Web server with PHP support and MySQL. It's compatible with 
*NIX and NT.
CoolPHP suffers from multiple vulnerabilities that allow an attacker to 
include arbitrary PHP files and perform cross site scripting attacks.

DETAILS

Vulnerable Systems:
 * CoolPHP Version 1.0-stable

Cross-Site Scripting vulnerability:
It is possible to construct a link containing arbitrary script code to a 
website running CoolPHP. When a user browses the link, the script code 
will be executed on the user's
browser. This vulnerability occurs due to insufficient inspection of some 
user-supplied input. As a result of this deficiency an attacker may 
exploit the vulnerability by creating a specially crafted URL that 
includes malicious HTML code as URI parameters for index.php
Examples:
http://example.com/index.php?op=buscar&query=<script 
language=javascript>window.alert(document.cookie);</script>
http://example.com/index.php?op=buscar&query=%3Cscript%20language= 
javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://example.com/index.php?op=userinfo&nick=<script 
language=javascript>window.alert(document.cookie);</script>

Path Disclosure Vulnerability:
Passing invalid value for the 'op' URI parameter to index.php will cause 
an error message to be displayed which contains physical path information.
This information could be useful in further attacks against the system.
Example: http://example.com/cphp/index.php?op=invparam

Local file include Vulnerability with Directory Traversal:
CoolPHP does not filter dot dot slash (../) sequences from web requests. 
This problem may allow an attacker to access arbitrary files outside the 
server root
directory and will permit a local attack to include malicious PHP scripts 
from another local paths.

Examples:
http://example.com/index.php?op=../../../../anotheruser/anyfile
Or as URL encoded format:
http://example.com/index.php?op= 
%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/anyfile


ADDITIONAL INFORMATION

The information has been provided by  <mailto:root@cyberspy.org> 
R00tCr4ck.
The original article can be found at:  
<http://www.cyberspy.org/gam/cphp.multiple> 
http://www.cyberspy.org/gam/cphp.multiple



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [UNIX] Multiple Vulnerabilities in CoolPHP, SecuriTeam <=
Previous by Date:  [NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk, SecuriTeam
Next by Date:  [Full-Disclosure] Major Client Crash in 3D FTP, Bakchodiya
Previous by Thread:  [NT] Multiple Cross Site Scripting Vulnerabilities in FuseTalk, SecuriTeam
Next by Thread:  [Full-Disclosure] Major Client Crash in 3D FTP, Bakchodiya
Indexes:  [Date] [Thread] [Top] [All Lists]