SecurityReason.com - Our Reason is

Security

Register | Forget Password | Login
SecurityReason
WLB
Services
RSS
Corporate
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com

Home arrow SecurityAlert Database

Arrow  Topic :

JAF CMS 4.0 RC1 multiple vulnerabilities


Arrow  SecurityAlert : 1674
Arrow  CVE : CVE-2006-5131
Arrow  CVE : CVE-2006-5129
Arrow  SecurityRisk : High  Security Risk High  (About)
Arrow  Remote Exploit : Yes
Arrow  Local Exploit : No
Arrow  Exploit Available : Yes
Arrow  Credit : NanoyMaster
Arrow  Published : 03.10.2006

Arrow  Affected Software : JAF CMS 4.0 RC1



Arrow  Advisory Content :  

########################################################################
##########

## ## _ _ _ _
##

## Hacker: NanoyMaster ## /|| | || / ||
##

## Exploit: JAF CMS ## / || |\| || / ||
##

## Version: 4.0 RC1 ## || | || |/| || /
##

## ## ||_| _||_| |_||/
##

########################################################################
##########

## vulnerabilities: XSS in shoutbox
##

## PHP execution
##

## XSS in forum
##

##
##

########################################################################
##########

## m/___Props___m/
##

## z3r0phr34k
##

## System_Meltdown
##

## THK-GEO & THK-h3x
##

## All of Exploitarians
##

########################################################################
##########

//----------------------------------------------------------------------
--------//

// XSS in shoutbox
//

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/shout/jafshout.php

Line: 168 - 202

187 - 191 {

$message = preg_replace('/"/','',$_POST['message']);

$message = preg_replace("/>/",">",$_POST['message']);

$message = preg_replace("/</","<",$_POST['message']);

$message = str_replace("onmouse","",$_POST['message']);

$message = str_replace("//","edited",$_POST['message']);

}

change the relevent lines to look like the following, bar the first
$_POST['message'].

187 - 191 {

$message = preg_replace('/"/','',$message);

$message = preg_replace("/>/",">",$message);

$message = preg_replace("/</","<",$message);

$message = str_replace("onmouse","",$message);

$message = str_replace("//","edited",$message);

}

etc etc.

*note*

This should be implemented on all of the variables stored to the flat-file

module/files/shout

*end note*

//----------------------------------------------------------------------
--------//

// PHP execution
//

//----------------------------------------------------------------------
--------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>

Linux) <?php system(ls -la); ?>

you could see how usefull this could be ;) possably overwright
admin/data_inc.php

(where the admin's password hash is) :p

Error: module/shout/jafshout.php

Line: 168 - 202

Patch: (see above code)

//----------------------------------------------------------------------
--------//

// XSS in forum
//

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/forum/topicwin.php

Line: 112- 123

112 - 117 {

$n_topic["name"]=$name;

$n_topic["email"]=$email;

$n_topic["title"]=$title;

$n_topic["date"]=$date;

$n_topic["ldate"]=$date;

$n_topic["lname"]=$name;

}

change the relevent lines to look like the following.

112 - 117 {

$n_topic["name"]=htmlentities($name, ENT_QUOTES);

$n_topic["email"]=htmlentities($email, ENT_QUOTES);

$n_topic["title"]=htmlentities($title, ENT_QUOTES);

$n_topic["date"]=htmlentities($date, ENT_QUOTES);

$n_topic["ldate"]=htmlentities($date, ENT_QUOTES);

$n_topic["lname"]=htmlentities($name, ENT_QUOTES);

}

etc etc.

//----------------------------------------------------------------------
--------//

// End
//

//----------------------------------------------------------------------
--------//





Arrow  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

libc:fts_*() Multiple Denial of Service

Security Risk Medium- 2009-10-02

The fts functions are provided for traversing UNIX file hierarchies...

Apache RSS Apache Alert

» Apache 1.3.41 mod_proxy
   Integer overflow (code
   execution)

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion in work
   directory

» Apache Tomcat 6.0.20 and
   5.5.28 insecure partial
   deploy after failed
   undeploy

» Apache Tomcat 6.0.20 and
   5.5.28 unexpected file
   deletion and/or
   alteration

PHP RSS PHP Alert

» PHP 5.2.12/5.3.1 Multiple
   Vulnerabilities

» PHP 5.2.11 libgd multiple
   vulnerabilities

» PHP 5.2.11 tempnam()
   safe_mode bypass

» PHP 5.3.0 5.2.11
   posix_mkfifo()
   open_basedir bypass

Copyright © SecurityReason.com. All Rights Reserved.