Aardvark Topsites XSS

2009-07-07 / 2009-07-08
Credit: JP
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79

Hi,

Here are the vulnerabilities' descriptions and POCs:

#################################

I write to report three vulnerabilities that I found in the last version of Aardvark Topsites PHP (5.2.1) and older versions. The cause of all of them is the incorrect verification of input parameters. Here are the vulnerabilities:

==================

HTML Injection (up to 5.2.0)
--------------------------
For example, it is possible to inject a link to any URL with any anchor text.

POC:
/index.php?a=search&q=psstt+security?><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security

Information Disclosure 1 (up to 5.2.1)
--------------------------
Disclosure of the full path of the application sources when you put a negative number in the "start" parameter.

POC:
/index.php?a=search&q=psstt&start=-4

Information Disclosure 2 (up to 5.2.0)
--------------------------
Disclosure of the full path of the application sources, and some source code too, when you put a non-existent user in the "u" parameter.

POC:
/index.php?a=rate&u=nonexistentuser

==================

I created a page with the details and possible updates at:
http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/

Feel free to ask me any question about this to properly report these vulnerabilities.

Google Dork: "Powered by Aardvark Topsites PHP 5.2.0" (or 5.2.1 for the last version)

#################################

Thanks,
José Pablo González / J07AP3
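The following PHP is an added illustration for readers of the report, not code from Aardvark Topsites or from the reporter: a hypothetical search handler that shows the two input-handling defects described above next to their corrected forms. The attribute context, function names and constructed input are assumptions; the point is the fix pattern (encode reflected output for its HTML context, validate "start" as a non-negative integer before it reaches the database, and log rather than display errors so a failed query cannot reveal the script path).

```php
<?php
// Added example, not Aardvark Topsites' own code. The handler, the template
// fragment and the input below are constructed for illustration only.

declare(strict_types=1);

// Production setting that removes the path-disclosure side channel: a failing
// query must be logged, never rendered into the response with the file path.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Vulnerable pattern (CWE-79): the search term is echoed straight back into
// HTML, so a value containing '">' leaves the attribute and injects a tag.
function render_search_vulnerable(array $get): string
{
    $q = (string)($get['q'] ?? '');
    return '<input type="text" name="q" value="' . $q . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES covers both
// quote styles; ENT_SUBSTITUTE avoids an empty string on malformed UTF-8.
function render_search_hardened(array $get): string
{
    $q = htmlspecialchars((string)($get['q'] ?? ''), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="q" value="' . $q . '">';
}

// Vulnerable pattern: "start" is interpolated into a LIMIT clause unchecked.
// A negative offset is an SQL error, and with display_errors on the error
// text carries the absolute path of the script (the report's disclosure 1).
function page_offset_vulnerable(array $get): string
{
    return 'LIMIT ' . (string)($get['start'] ?? 0) . ', 20';
}

// Hardened: accept only an integer >= 0; anything else falls back to page 0,
// so the database never sees an invalid offset in the first place.
function page_offset_hardened(array $get): int
{
    $start = filter_var(
        $get['start'] ?? 0,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]
    );
    return $start === false ? 0 : $start;
}

// Constructed request modelled on the shape of the report's POC URLs.
$request = [
    'q'     => 'psstt security"><a href="http://example.invalid">x</a>',
    'start' => '-4',
];

echo render_search_vulnerable($request), "\n"; // anchor tag lands in the page
echo render_search_hardened($request), "\n";   // same value shown as inert text
echo page_offset_vulnerable($request), "\n";   // LIMIT -4, 20  (SQL error)
echo page_offset_hardened($request), "\n";     // 0
```

The same encode-on-output rule applies to any other reflected parameter, and the same validate-before-use rule applies to the "u" parameter in the rate action: look the user up, and return a generic "not found" page rather than letting a missing record surface as an error that prints paths or source.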

References:

http://xforce.iss.net/xforce/xfdb/51391
http://www.securityfocus.com/bid/35506
http://www.securityfocus.com/archive/1/archive/1/504574/100/0/threaded
http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/



Copyright 2018, cxsecurity.com
