XSS vulnerabilities in Pafiledb

From: ersatzat_private
Date: Sun Oct 20 2002 - 16:41:24 PDT

    [INTRO]
    
    Some of you may be familiar with Pafiledb provided by
    PHP Arena. Well, they just released a new version that
    fixed a problem with their counting of files. Along
    with that they said they fixed a possible security bug
    involving using Javascript as a search string. I
    checked it on my old version and it is in fact there, so
    I updated to the new version so the bugs can be fixed,
    and I checked it and it no longer works. I figured
    where there is one there are bound to be others, so I
    went searching.
    
    [Discovery]
    
    I discovered that there are three other XSS
    vulnerabilities within the software which can be
    performed by editing the URL of three different sections.
    
    AFFECTED:
    
    * Rate File
    * Email to Friend
    * Download
    
    UNAFFECTED:
    
    * Stats
    
    [Exploit]
    
    http://ersatz.n3t.net/downloads/pafiledb.php?action=rate&id=4?"<script>alert('Testing')</script>"
    http://ersatz.n3t.net/downloads/pafiledb.php?action=email&id=4?"<script>alert('Testing')</script>"
    http://ersatz.n3t.net/downloads/pafiledb.php?action=download&id=4?"<script>alert('Testing')</script>"
    
    I discovered this by clicking at first the link to
    email to a friend and then removed everything out of
    the URL after &id=4 and added
    ?<script>alert('Testing')</script>" and just as I
    expected it worked. I moved on to email to a friend the
    same way and it worked and then I proceeded to make the
    change
    action=download&id=4?"<script>alert('Testing')</script>"
    and again it worked. I then decided to check stats and
    to my surprise there it did not work.
    
    [END]
    
    I have not contacted PHP Arena as of yet but I am about
    to. Hopefully, since they fixed it in the search field,
    all they should have to do is release the code or apply
    it themselves and then come out with an update, which
    shouldn't take long. I hope.
    
    Another XSS vulnerability provided by ersatz
    ersatzat_private
    http://ersatz.n3t.net  :: A nice place to chill out and
    learn something new
    


