JAF CMS 4.0 RC1 multiple vulnerabilities

Advisory Content :

########################################################################
##########

## ## _ _ _ _
##

## Hacker: NanoyMaster ## /|| | || / ||
##

## Exploit: JAF CMS ## / || |\| || / ||
##

## Version: 4.0 RC1 ## || | || |/| || /
##

## ## ||_| _||_| |_||/
##

########################################################################
##########

## vulnerabilities: XSS in shoutbox
##

## PHP execution
##

## XSS in forum
##

##
##

########################################################################
##########

## m/___Props___m/
##

## z3r0phr34k
##

## System_Meltdown
##

## THK-GEO & THK-h3x
##

## All of Exploitarians
##

########################################################################
##########

//----------------------------------------------------------------------
--------//

// XSS in shoutbox
//

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/shout/jafshout.php

Line: 168 - 202

187 - 191 {

$message = preg_replace('/"/','',$_POST['message']);

$message = preg_replace("/>/",">",$_POST['message']);

$message = preg_replace("/</","<",$_POST['message']);

$message = str_replace("onmouse","",$_POST['message']);

$message = str_replace("//","edited",$_POST['message']);

}

change the relevent lines to look like the following, bar the first
$_POST['message'].

187 - 191 {

$message = preg_replace('/"/','',$message);

$message = preg_replace("/>/",">",$message);

$message = preg_replace("/</","<",$message);

$message = str_replace("onmouse","",$message);

$message = str_replace("//","edited",$message);

}

etc etc.

*note*

This should be implemented on all of the variables stored to the flat-file

module/files/shout

*end note*

//----------------------------------------------------------------------
--------//

// PHP execution
//

//----------------------------------------------------------------------
--------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>

Linux) <?php system(ls -la); ?>

you could see how usefull this could be ;) possably overwright
admin/data_inc.php

(where the admin's password hash is) :p

Error: module/shout/jafshout.php

Line: 168 - 202

Patch: (see above code)

//----------------------------------------------------------------------
--------//

// XSS in forum
//

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/forum/topicwin.php

Line: 112- 123

112 - 117 {

$n_topic["name"]=$name;

$n_topic["email"]=$email;

$n_topic["title"]=$title;

$n_topic["date"]=$date;

$n_topic["ldate"]=$date;

$n_topic["lname"]=$name;

}

change the relevent lines to look like the following.

112 - 117 {

$n_topic["name"]=htmlentities($name, ENT_QUOTES);

$n_topic["email"]=htmlentities($email, ENT_QUOTES);

$n_topic["title"]=htmlentities($title, ENT_QUOTES);

$n_topic["date"]=htmlentities($date, ENT_QUOTES);

$n_topic["ldate"]=htmlentities($date, ENT_QUOTES);

$n_topic["lname"]=htmlentities($name, ENT_QUOTES);

}

etc etc.

//----------------------------------------------------------------------
--------//

// End
//

//----------------------------------------------------------------------
--------//

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

JAF CMS 4.0 RC1 multiple vulnerabilities