lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sat, 16 Oct 2004 19:18:47 +0000
From: R00tCr4ck <root@...erspy.org>
To: bugtraq@...urityfocus.com, vuln@...unia.com, bugs@...uritytracker.com,
   vulnwatch@...nwatch.org
Subject: Multiple Vulnerabilities in CoolPHP


#####################################
# CHT Security Research Center-2004 #
# http://www.CyberSpy.Org           #
# Turkey                            #
#####################################

Software:
CoolPHP

Web Site:
http://cphp.sourceforge.net/

Affected Version(s):
1.0-stable

Description:
CoolPHP is a PHP based portal system.It requires A Web server with PHP>=PHP4
support and MySQL.
It's compatible with *NIX and NT.

Multiple Vulnerabilities in CoolPHP:

Cross-Site Scripting vulnerability:
CoolPHP is vulnerable to cross-site scripting attacks.
It is possible to construct a link containing arbitrary script code to a website
running CoolPHP.
When a user browses the link, the script code will be executed on the user's
browser.
This vulnerability occurs due to insufficient inspection of some user-supplied
input.
As a result of this deficiency an attacker may exploit the vulnerability by
creating a specially crafted URL that includes malicious HTML code as URI
parameters for index.php

Examples:

http://[victim]/index.php?op=buscar&query=<script
language=javascript>window.alert(document.cookie);</script>
http://[victim]/index.php?op=buscar&query=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
http://[victim]/index.php?op=userinfo&nick=<script
language=javascript>window.alert(document.cookie);</script>


Path Disclosure Vulnerability:
CoolPHP is prone to a path disclosure vulnerability.
Passing invalid value for the 'op' URI parameter to the index.php file
will cause an error message to be displayed which contains physical path
information.
This information could be useful in further attacks against the system.

Demonstration:

http://[victim]/cphp/index.php?op=invparam


Local file include Vulnerability with Directory Traversal :
CoolPHP does not filter dot dot slash (../) sequences from web requests.
This problem may allow an attacker to access known files outside the server root
directory
and will permit a local attack to include malicious PHP scripts from another
local paths.

Examples:

http://[victim]/index.php?op=../../../../anotheruser/evilfile
or as URL encoded format:
http://[victim]/index.php?op=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/evilfile

----
Reported By R00tCr4ck at October,16 2004
root(at)CyberSpy.Org
Original Article can be found at:
http://www.CyberSpy.Org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ