=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================
About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find
for creating eye-catching, functional and professional websites, blogs and
online stores.
You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is
perhaps most amazing is the sheer power and totality of the features it offers.
http://www.websitex5.com/en/evolution-9.html
*Nice Software and easy to use.*
==========================================
About Vulnerabilities:
[*] XSS: [*]
site.tld/imsearch.php?search="\><script>alert(1);</script>
Fix:
Open imsearch.php and find:
=============VULNERABLE CODE==============
<?php
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>
==========END OF VULNERABLE CODE==========
REPLACE WITH:
==============FIXED CODE====================
<?php
$search = new imSearch();
$search->search(@htmlspecialchars($_GET['search']), htmlspecialchars(@$_GET['page']));
?>
===========END OF FIXED CODE================
[*] Second vulnerability is Authentication Bypass. [*]
Vulnerable code: site.tld/admin/checkaccess.php
========= BEGIN VULNERABLE CODE ===========
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
if (basename($_SERVER['HTTP_REFERER']) == "login.php")
header("Location: login.php?error");
else
header("Location: login.php");
}
else
$logged = TRUE;
// End of file checkaccess.php
==========END OF VULNERABLE CODE==========
Notice flaw: Script continues execution.
For reproduce:
===============================================
Using Fiddler intercept the traffic from your browser and you will get output from scripts execution.
Print screen:
http://oi47.tinypic.com/f21sf7.jpg
==================== RAW=======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="it" />
<meta http-equiv="Content-Type-Script" content="text/javascript" />
<meta http-equiv="ImageToolbar" content="False" />
<meta name="MSSmartTagsPreventParsing" content="True" />
<script type="text/javascript" src="../res/jquery.js"></script>
<script type="text/javascript" src="../res/x5engine.js"></script>
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
<title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
<div id="imBody">
<div class="imSectionTitle"></div>
<div class="imContent">
<div class="imTest pass">Версия PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">Поддержка сессии<span>PASS</span></div>
<div class="imTest pass">Путь к публичной папке на сервере<span>PASS</span></div>
</div>
</div>
</div>
</body>
===============EOF RAW==================
If your checkaccess.php isn't patched every file on /admin/*.php is vulnerable.
Fixed Code:
site.tld/admin/checkaccess.php
==============BEGIN =FIXED CODE=================
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0)
{
if (basename($_SERVER['HTTP_REFERER']) == "login.php")
{
header("Location: login.php?error");
exit;
}
else
{
header("Location: login.php");
exit;
}
}
else
{
$logged = TRUE;
}
// End of file checkaccess.php
===============END OF FIXED CODE================
**Vendor notified about this advisory.**
================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep