More Critical Vulnerabilities In PHP Topsites

From: JeiAr (jeiarat_private)
Date: Tue Jan 21 2003 - 09:00:53 PST


    Version: All
    Script: edit.php
    vendor: itop10.net
    Type: Code Injection/Execution Vulnerability
    ---------------------------------------------------------------------------
    Another critical vulnerability has been found by the CyberArmy Security 
    Research Team that affects PHP Topsites. Basically, it is a different 
    script vulnerable to the same attack as the previously released add.php 
    vuln. A user cannot submit a site with invalid metacharacters if a PHP 
    Topsites owner or admin has applied the patch, or written an ereg himself 
    or used the htmlspecialchars() function etc. However, once accepted, a 
    malicious user can edit their site description and then submit the site 
    for revalidation. Upon viewing the site submitted for revalidation, any 
    code injected into the description field (or other fields) will be run by 
    the admin unknowingly.
    
    
    Version: All
    Script: edit.php
    vendor: itop10.net
    Type: SQL Injection/User Account Disclosure Vulnerability
    ---------------------------------------------------------------------------
    PHP Topsites has a very poor authentication system, thus by adding the 
    variable auth=1 and terminating the SQL query with the -- characters an 
    attacker can gain access to any user account he/she has an account number 
    for. You can TRY to quickly patch this by specifying a referrer and method 
    type, but it's advised to just get another topsites script since there
    is no real fix for this that would be very secure. Below is an example of 
    how an attacker can disclose user account info via a malformed URL. This 
    works even if the previous fix to edit.php was applied.
    
    
    http://somewebsite.com/topsitesdir/edit.php?a=pre&submit=&auth=1&sid=thesiteidnumgoeshere--
    
    
    The writer of the scripts located at http://www.itop10.net really doesn't 
    seem to care about keeping his users safe, as he has not issued a warning 
    to potential customers as well as existing customers. Nor has he quit 
    selling the buggy scripts for $60 US a pop. I am no lawyer, but isn't
    this somewhat illegal? Negligence maybe? Ah well, you guys decide, I'm sure 
    someone out there is a lawyer. Cheers :)
    
    
    JeiAr
    
    
    All credit goes to The CyberArmy Security Research ACAT Team
    
    http://www.security-research.org
    http://www.gulftech.org
    
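The first issue above (a filter applied to add.php but not to edit.php, with the stored description later rendered to the admin unescaped) as an added example; this is illustrative code written for this archive page, not the advisory's or itop10.net's code. The allow-list pattern, the store class and the field names are assumptions, since the advisory does not show the script source.

```python
"""Added example (not from the advisory or itop10.net): an input filter on
the add path is bypassed through an unfiltered edit path, and escaping at
render time closes both paths.  All names here are assumed."""
import html
import re

# Assumed 'ereg'-style allow-list that a patched add.php might apply.
_ALLOWED = re.compile(r"^[\w .,!'-]*$")


class TopsiteStore:
    """Minimal stand-in for the sites table: sid -> description."""

    def __init__(self) -> None:
        self.sites: dict[int, str] = {}

    def add(self, sid: int, description: str) -> None:
        """Patched add.php: rejects metacharacters on first submission."""
        if not _ALLOWED.match(description):
            raise ValueError("invalid characters in description")
        self.sites[sid] = description

    def edit(self, sid: int, description: str) -> None:
        """Unpatched edit.php: same field, no filter, overwrites the row."""
        self.sites[sid] = description

    def render_unsafe(self, sid: int) -> str:
        """What the admin's revalidation page does: echoes the field raw."""
        return f"<td>{self.sites[sid]}</td>"

    def render_safe(self, sid: int) -> str:
        """Output encoding at the sink (htmlspecialchars() equivalent):
        correct regardless of which script wrote the value."""
        return f"<td>{html.escape(self.sites[sid], quote=True)}</td>"


def demo() -> tuple[str, str]:
    """Walk the bypass: clean add, hostile edit, then both renderings."""
    store = TopsiteStore()
    store.add(1, "A harmless site")                      # passes the filter
    store.edit(1, "<script>alert(document.cookie)</script>")  # constructed payload
    return store.render_unsafe(1), store.render_safe(1)
```

The lesson the advisory implies is the second half of the block: an allow-list at one entry point is only as good as the coverage of every other write path to the same column, whereas escaping at the point of rendering does not care which script stored the value.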

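The second issue (auth=1 accepted from the query string, plus `--` truncating the SQL) modelled as an added example; this is illustrative code written for this archive page, not the advisory's or itop10.net's code. The query shape, the column names, the register_globals-style merge of request parameters into variables, and the sample rows are all assumptions; the advisory only shows the triggering URL.

```python
"""Added example (not from the advisory or itop10.net): a request-controlled
auth flag plus string-built SQL, beside a parameterised version that takes
its decision from the query itself.  Query shape and names are assumed."""
import sqlite3
from urllib.parse import parse_qs, urlsplit


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two listed sites with owner passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sites (sid INTEGER, title TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO sites VALUES (?, ?, ?, ?)",
        [(1, "Alice's Site", "alice@example.invalid", "s3cret"),
         (2, "Bob's Site", "bob@example.invalid", "hunter2")])
    return conn


def _params(url: str) -> dict[str, str]:
    """First value of each query-string key, blanks kept (submit=)."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in q.items()}


def vulnerable_edit(conn: sqlite3.Connection, url: str):
    """Assumed weak pattern: every request key becomes a variable (PHP
    register_globals), so auth=1 in the URL satisfies the gate, and the
    lookup is concatenated so sid=1-- comments out the password clause."""
    p = _params(url)
    auth = p.get("auth", "0")           # attacker-controlled
    sid = p.get("sid", "")
    password = p.get("pass", "")
    if auth != "1":
        return None
    sql = (f"SELECT sid, title, email FROM sites WHERE sid={sid} "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone()


def hardened_edit(conn: sqlite3.Connection, url: str):
    """auth is never read from the request; the parameterised query is the
    only thing that decides, and a non-numeric sid is rejected outright."""
    p = _params(url)
    try:
        sid = int(p.get("sid", ""))     # "1--" raises ValueError
    except ValueError:
        return None
    password = p.get("pass", "")
    return conn.execute(
        "SELECT sid, title, email FROM sites WHERE sid=? AND password=?",
        (sid, password)).fetchone()
```

Run against the advisory's URL shape (`edit.php?a=pre&submit=&auth=1&sid=1--`), `vulnerable_edit` hands back Alice's row with no password at all, while `hardened_edit` returns nothing for the same request and only answers when the correct password is supplied with a numeric sid. A Referer or method check, as the author notes, would not change either query.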


    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 14:13:28 PST