Bug: Aardvark Topsites XSS


Aardvark Topsites XSS

Published: 2009.07.08
Credit: JP
Risk: Low
CWE: CWE-79
CVE: CVE-2009-2302, CVE-2009-2303, CVE-2009-2304
Local: No
Remote: Yes
Dork: "Powered by Aardvark Topsites PHP 5.2.0"

Hi,

Here are the vulnerability descriptions and POCs:
#################################

I write to report three vulnerabilities that I found in the last version
of Aardvark Topsites PHP (5.2.1) and older versions.

The cause of all of them is the incorrect verification of input parameters.

Here are the vulnerabilities:
==================

HTML Injection (up to 5.2.0)
--------------------------

For example, it is possible to inject a link to any URL with any anchor text.

POC:
/index.php?a=search&q=psstt+security?><a+href%3Dhttp%3A%2F%2Fwebsec.id3as.com>Web-Application-Security

Information Disclosure 1 (up to 5.2.1)
--------------------------

Disclosure of the full path of the application sources when a negative
number is supplied in the 'start' parameter.

POC: /index.php?a=search&q=psstt&start=-4

Information Disclosure 2 (up to 5.2.0)
--------------------------

Disclosure of the full path of the application sources, and of some source
code as well, when a non-existent user is supplied in the 'u' parameter.

POC: /index.php?a=rate&u=nonexistentuser
==================
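The advisory names one root cause for all three issues: request parameters are used without verification (and, in the first case, echoed without output encoding). The PHP below is an added example written for this page, not Aardvark Topsites code, and it goes slightly beyond the three POCs by showing the general shape of the fix for each parameter class: HTML-encode the search term before it is rendered, accept only a non-negative integer for the paging offset, and treat an unknown identifier as a normal "not found" result while keeping PHP warnings out of the response body. Function names, the identifier format and the `$sites` lookup table are assumptions; the advisory does not show the application's source.

```php
<?php
// Added example (not Aardvark Topsites code): hardened handling of the three
// request parameters named in the advisory. Function names, the identifier
// format and the $sites table are hypothetical stand-ins.

declare(strict_types=1);

// Warnings and notices must never reach the client: an unhandled warning is
// what turns a bad 'start' or an unknown 'u' into an install-path disclosure.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Encode a value for insertion into HTML text or a quoted attribute.
 * Addresses the HTML injection in 'q': '<', '>', '"', "'" and '&' are
 * escaped, so an injected <a href=...> is rendered as literal text.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Parse the 'start' paging offset. Only a non-negative integer within a
 * sane upper bound is accepted; anything else (including "-4") falls back
 * to 0 instead of reaching a LIMIT clause or array_slice() and emitting a
 * warning that carries the script path.
 */
function pagingOffset(array $query, int $max = 100000): int
{
    $raw = $query['start'] ?? '0';
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    return $n === false ? 0 : $n;
}

/**
 * Parse the 'u' (listed site / user) parameter. Constrain the identifier
 * shape before any lookup so arbitrary strings never reach file or database
 * code. The format (1-32 word characters) is an assumption for this example.
 */
function siteIdentifier(array $query): ?string
{
    $raw = $query['u'] ?? '';
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) === 1 ? $raw : null;
}

/**
 * Look up a site by identifier. $sites is a constructed array standing in
 * for the database. A miss is an ordinary result (null) that the caller turns
 * into a generic 404; no warning, path or source fragment is produced.
 */
function findSite(array $sites, ?string $id): ?array
{
    if ($id === null || !array_key_exists($id, $sites)) {
        return null;
    }
    return $sites[$id];
}

// --- demo with constructed input modelled on the advisory's POCs ---
$sites = ['example_site' => ['title' => 'Example Site', 'hits' => 42]];

// HTML injection attempt in the search term, plus a negative paging offset.
$search = [
    'a'     => 'search',
    'q'     => 'psstt security?><a href="http://example.invalid">x</a>',
    'start' => '-4',
];
printf("q (escaped): %s\n", h($search['q']));
printf("start      : %d\n", pagingOffset($search));   // 0, the -4 is rejected

// Rating request for a user that does not exist.
$rate = ['a' => 'rate', 'u' => 'nonexistentuser'];
$site = findSite($sites, siteIdentifier($rate));
echo $site === null ? "rate: 404 Not Found\n" : "rate: {$site['title']}\n";
```

The escaping in `h()` is applied at the point of output rather than on input, so the stored search term stays intact while the rendered page cannot grow a new tag; `pagingOffset()` and `siteIdentifier()` fail closed to a harmless default or to "not found", and with `display_errors` off even an unexpected failure elsewhere is written to the server log instead of the response.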

I created a page with the details and possible updates at:
http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/

Feel free to ask me any question about this to properly report these vulnerabilities.

Google Dork: "Powered by Aardvark Topsites PHP 5.2.0"
(or 5.2.1 for the last version)

#################################

Thanks,
José Pablo González / J07AP3

References:

http://xforce.iss.net/xforce/xfdb/51391
http://www.securityfocus.com/bid/35506
http://www.securityfocus.com/archive/1/archive/1/504574/100/0/threaded
http://websec.id3as.com/aardvark-topsites-php-521-security-vulnerabilities-disclosure/

Copyright 2014, cxsecurity.com