Fresh Email Script 1.0 Multiple Remote Vulnerabilities

2009-08-26 / 2009-08-27
Credit: Don
Risk: High
Local: No
Remote: Yes
CWE: CWE-94, CWE-79

+-----------------+-----------------+-----------------+
+-----------------+Fresh Email Script+----------------+
+-----------------versions: 1.0 to 1.11 - all
+-----------------exploits: file inclusion & cookie manipulation
+-----------------founder: Don
+-----------------date: November 10. 2008
+-----------------+-----------------+-----------------+
+homepage: http://www.freshscripts.net/index.php?do=catalog&c=featured_scripts_!&i=fresh_email_script
+vendor notified ? / no
+-----------------+-----------------+-----------------+
+[1]
+file inclusion+
+found in /url.php?tmp_sid=
+so like site[dot]com/url.php?tmp_sid=[]
+attack description:
+The GET variable tmp_sid has been set to http://site[dot]com/some_inexistent_file_with_long_name.
+It is possible for a remote attacker to include a file from local or remote resources and/or
+execute arbitrary script code with the privileges of the web server.
+-----------------+-----------------+-----------------+
+[2]
+cookie manipulation+
+found in register.php
+By injecting a custom HTTP header or by injecting a META tag,
+it is possible to alter the cookies stored in the browser.
+Attackers will normally manipulate cookie values to fraudulently authenticate themselves on a web site.
+By exploiting this vulnerability, an attacker may conduct a session fixation attack.
+In a session fixation attack, the attacker fixes the user's session ID before the user even logs into the target server,
+thereby eliminating the need to obtain the user's session ID afterwards.
+-----------------+-----------------+-----------------+
+vuln:
+Email=<meta+http-equiv='Set-cookie'+content='cookiename=cookievalue'>&Password=1230321email@address.com&register=Register
+-----------------+-----------------+-----------------+
+How to fix this vulnerability+
+
+You need to filter the output in order to prevent the injection of custom HTTP headers or META tags.
+Additionally, with each login the application should provide a new session ID to the user.
+-----------------+-----------------+-----------------+
+greetz to all of my friends
+special greetz to milw0rm as well as str0ke!+
+
+
+~#Don 2008
+Serbian security analyzer
+-----------------+-----------------+-----------------+
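The fix the advisory recommends, written out as an added example in PHP (not Fresh Email Script's own code; the function names, the template allow-list and the sample input are assumptions): the tmp_sid value is resolved against a fixed allow-list instead of being passed to include, the reflected Email field is validated and HTML-escaped so a META tag cannot reach the page, and the session ID is regenerated on every login.

```php
<?php
// Added example, not code from the original advisory or from the vendor.
// Function names, the template allow-list and the sample input are assumed.

// [1] url.php?tmp_sid=...: never hand a request value to include().
// Map it onto a fixed allow-list of local templates; anything else is refused.
function resolve_template(string $tmp_sid): ?string
{
    $allowed = ['default' => 'default.php', 'compact' => 'compact.php']; // assumed list
    if (!isset($allowed[$tmp_sid])) {
        return null; // unknown value: refuse, never fall back to the raw string
    }
    return __DIR__ . '/templates/' . $allowed[$tmp_sid];
}

// [2] register.php: the Email field is reflected into the page. Reject anything
// that is not syntactically an address, and escape whatever is echoed so a
// <meta http-equiv="Set-Cookie"> tag stays inert text.
function sanitize_email(string $email): ?string
{
    $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $clean === false ? null : $clean;
}

function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Session fixation: issue a fresh session ID at login so an ID planted before
// authentication never becomes an authenticated session.
function start_authenticated_session(int $user_id): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // true = discard the old session data
    $_SESSION['user_id'] = $user_id;
}

// Constructed input mirroring the advisory's register.php request body.
$sample_email = "<meta http-equiv='Set-cookie' content='cookiename=cookievalue'>";
$clean = sanitize_email($sample_email);
echo $clean === null
    ? "rejected: not an address\n"                     // this branch is taken
    : 'registered: ' . render_field($clean) . "\n";

var_dump(resolve_template('../../etc/passwd')); // NULL: not on the allow-list
var_dump(resolve_template('compact'));          // local path under templates/
```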

References:

http://xforce.iss.net/xforce/xfdb/46529
http://www.vupen.com/english/advisories/2008/3096
http://www.securityfocus.com/bid/32241
http://www.milw0rm.com/exploits/7080
http://secunia.com/advisories/32642
http://osvdb.org/49849



Copyright 2024, cxsecurity.com
