Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

JAF CMS 4.0 RC1 multiple vulnerabilities

from [nanoymaster] Network Security [Permanent Link]
Subject: JAF CMS 4.0 RC1 multiple vulnerabilities
Date: 26 Sep 2006 20:16:53 -0000 
##################################################################################
##                                          ##          _    _  _    _          
##
##   Hacker:  NanoyMaster                   ##       /||  \ | || \  / ||\       
##
##   Exploit: JAF CMS                       ##      / || |\\| ||  \/  || \      
##
##   Version: 4.0 RC1                       ##      \ || | \  || |\/| || /      
##
##                                          ##       \||_|  \_||_|  |_||/       
##
##################################################################################
##   vulnerabilities:   XSS in shoutbox                                         
##
##                      PHP execution                                           
##
##                      XSS in forum                                            
##
##                                                                              
##
##################################################################################
##                             \m/___Props___\m/                                
##
##                                 z3r0phr34k                                   
##
##                               System_Meltdown                                
##
##                              THK-GEO & THK-h3x                               
##
##                             All of Exploitarians                             
##
##################################################################################


//------------------------------------------------------------------------------//
//                                  XSS in shoutbox                             
//
//------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error:  module/shout/jafshout.php
 Line:  168 - 202

187 - 191 {
$message = preg_replace('/"/','',$_POST['message']);
$message = preg_replace("/>/","&gt;",$_POST['message']);
$message = preg_replace("/</","&lt;",$_POST['message']);
$message = str_replace("onmouse","",$_POST['message']);
$message = str_replace("/\/","edited",$_POST['message']);
}

change the relevent lines to look like the following, bar the first 
$_POST['message'].

187 - 191 {
$message = preg_replace('/"/','',$message);
$message = preg_replace("/>/","&gt;",$message);
$message = preg_replace("/</","&lt;",$message);
$message = str_replace("onmouse","",$message);
$message = str_replace("/\/","edited",$message);
}
etc etc.

*note* 
        This should be implemented on all of the variables stored to the 
flat-file
        module/files/shout 
*end note*


//------------------------------------------------------------------------------//
//                                  PHP execution                               
//
//------------------------------------------------------------------------------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>  
  Linux) <?php system(ls -la); ?>
  
you could see how usefull this could be ;) possably overwright 
admin/data_inc.php
(where the admin's password hash is) :p
  
Error: module/shout/jafshout.php
 Line: 168 - 202
Patch: (see above code)


//------------------------------------------------------------------------------//
//                                  XSS in forum                                
//
//------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error:  module/forum/topicwin.php
 Line:  112- 123

112 - 117 {
        $n_topic["name"]=$name;
        $n_topic["email"]=$email;
        $n_topic["title"]=$title;
        $n_topic["date"]=$date;
        $n_topic["ldate"]=$date;
        $n_topic["lname"]=$name;
}

change the relevent lines to look like the following.

112 - 117 {
        $n_topic["name"]=htmlentities($name, ENT_QUOTES);
        $n_topic["email"]=htmlentities($email, ENT_QUOTES);
        $n_topic["title"]=htmlentities($title, ENT_QUOTES);
        $n_topic["date"]=htmlentities($date, ENT_QUOTES);
        $n_topic["ldate"]=htmlentities($date, ENT_QUOTES);
        $n_topic["lname"]=htmlentities($name, ENT_QUOTES);        
}
etc etc.

//------------------------------------------------------------------------------//
//                               End                                            
//
//------------------------------------------------------------------------------//
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • JAF CMS 4.0 RC1 multiple vulnerabilities, nanoymaster <=
Previous by Date:  Re: VML Exploit vs. AV/IPS/IDS signatures, Pukhraj Singh
Next by Date:  Re: XSS in AckerTodo v4.0, hensleyrob
Previous by Thread:  Free Rainbow Tables.com, Jerome Athias
Next by Thread:  [Full-disclosure] rPSA-2006-0174-1 gnome-ssh-askpass openssh openssh-client openssh-server, rPath Update Announcements
Indexes:  [Date] [Thread] [Top] [All Lists]