
| Subject: | [VulnWatch] Multiple Vulnerabilities in CoolPHP |
|---|---|
| Date: | Sat, 16 Oct 2004 19:18:47 +0000 |

CHT Security Research Center-2004
http://www.CyberSpy.Org
Turkey

Software: CoolPHP
Web Site: http://cphp.sourceforge.net/
Affected Version(s): 1.0-stable

Description: CoolPHP is a PHP-based portal system. It requires a web server with PHP >= PHP4 support and MySQL. It is compatible with *NIX and NT.

Multiple Vulnerabilities in CoolPHP:

Cross-Site Scripting vulnerability:

CoolPHP is vulnerable to cross-site scripting attacks. It is possible to construct a link containing arbitrary script code to a website running CoolPHP. When a user follows the link, the script code is executed in the user's browser. This vulnerability occurs due to insufficient inspection of some user-supplied input. As a result of this deficiency, an attacker may exploit the vulnerability by creating a specially crafted URL that includes malicious HTML code as URI parameters for index.php.

Examples:

    http://[victim]/index.php?op=buscar&query=<script language=javascript>window.alert(document.cookie);</script>
    http://[victim]/index.php?op=buscar&query=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
    http://[victim]/index.php?op=userinfo&nick=<script language=javascript>window.alert(document.cookie);</script>

Path Disclosure Vulnerability:

CoolPHP is prone to a path disclosure vulnerability. Passing an invalid value for the 'op' URI parameter to the index.php file causes an error message to be displayed that contains physical path information. This information could be useful in further attacks against the system.

Demonstration:

    http://[victim]/cphp/index.php?op=invparam

Local File Include Vulnerability with Directory Traversal:

CoolPHP does not filter dot dot slash (../) sequences from web requests. This problem may allow an attacker to access known files outside the server root directory and will permit a local attack to include malicious PHP scripts from other local paths.

Examples:

    http://[victim]/index.php?op=../../../../anotheruser/evilfile

or in URL-encoded format:

    http://[victim]/index.php?op=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/evilfile

----

Reported by R00tCr4ck on October 16, 2004
root(at)CyberSpy.Org

Original article can be found at: http://www.CyberSpy.Org
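
Added example, not part of the original advisory or of CoolPHP: a log-review sketch in Python that flags request targets matching the three issues above in the `op`, `query` and `nick` parameters. It percent-decodes values before matching, including repeated encoding, which goes beyond the advisory's examples. `KNOWN_OPS`, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: only the two op values that appear in the advisory's URLs.
# Replace with the full list of operations the deployed site really serves.
KNOWN_OPS = {"buscar", "userinfo"}
TEXT_PARAMS = ("query", "nick")                     # reflected parameters named in the advisory
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.I)       # opening of an HTML tag
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a ".." path segment


def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so repeated encoding cannot hide a pattern."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(request_target):
    """Return the sorted findings for one logged request path and query."""
    findings = set()
    params = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    for op in map(fully_decode, params.get("op", [])):
        if TRAVERSAL.search(op):
            findings.add("traversal-in-op")
        elif op not in KNOWN_OPS:
            findings.add("unknown-op")
    for name in TEXT_PARAMS:
        for value in map(fully_decode, params.get(name, [])):
            if MARKUP.search(value):
                findings.add("markup-in-" + name)
    return sorted(findings)


# Constructed sample request targets, modelled on the advisory's example URLs.
SAMPLES = [
    "/index.php?op=buscar&query=coolphp",
    "/index.php?op=buscar&query=%3Cscript%3Ealert(1)%3C/script%3E",
    "/index.php?op=userinfo&nick=<b>x</b>",
    "/cphp/index.php?op=invparam",
    "/index.php?op=%2E%2E%2F%2E%2E%2Fanotheruser/evilfile",
    "/index.php?op=%252E%252E%252Fanotheruser/evilfile",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(classify(target) or ["clean"], target)
```

An `unknown-op` hit only indicates a request that would reach the error path described under Path Disclosure; whether the response actually leaks a filesystem path has to be confirmed against the server's error-display settings.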