[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050730150950.25424.qmail@securityfocus.com>
Date: 30 Jul 2005 15:09:50 -0000
From: rat@...ocmaffia.com
To: bugtraq@...urityfocus.com
Subject: PC-EXPERIENCE/TOPPE CMS Security Advisory
# PC-EXPERIENCE/TOPPE CMS Security Advisory
# By : Morinex
# E-Mail : rat@...ocmaffia.com
# Date : 30-07-2K5 ( so lazzy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gayīs of 0x1fe. I hate them so much isnt Falesco ? 0x1fe.com :)
Vulnerabilities
* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )
We have founded a USER-ID disclosure and a XXS vuln. on the PM. I dont have time
to tell the full story about PCXP/TOPPE CMS so letīs tell a brief history about this CMS.
The CMS was coded by Alex of PCXP and after that he made it public for everyone.
Later there was a guy named Toppe who modded the source and recoded the admin. Dunno if its true but i heard a lot about this gay on wmcīs but anyway lets take a look on the vulnīs.
Download the PC-XP source V2 on : http://members.lycos.nl/toppecms/pcexpv2.rar ( "Modded" )
Download the PC-XP source V1.15 on : http://members.lycos.nl/toppecms/pcxv1.15.zip
# USER-ID BYPASSING ( remote )
Letīs start directly . We are gonna get acces on every user-id i want on a PC-XP/TOPPE cms.
Letīs visit one target. wmhulp dot nl , hmmz now we are gonna check the cookie of wmhulp.
C:\Documents and Settings\Morinex\Cookies , and i found this cookie on it :
wmhulp.nl FALSE / FALSE 1144851286 hash 81859
wmhulp.nl FALSE / FALSE 1144851286 id 48
wmhulp.nl FALSE / FALSE 1144851286 wachtwoord 098f6bcd4621d373cade4e832627b4f6
as we see i am user ID 48 (registered before ) and my password is 098f6bcd4621d373cade4e832627b4f6 (md5) .
If u cat login.php and scroll down u will see this "if($assoc['userid'] == $_COOKIE['id'] AND $actie == bekijk){ "
If u have a litle php exp u will see that $actie only is checking if the userid and cookie are the same. So its easy to exploit
just edit 48 with ure own ID number . U can see ure ID number on the members list ( ledenlijst.php ) .
After that we save the cookie and visit the page i am logged in with the userid i want. We have now full acces on PCXP/TOPPE CMS.
Take a look on the admin page ;> or kind of that.
# Cross Site Scripting Vuln. ( local )
This one is located on the pm page. ( pm.php )
Javascript is enabled so we can easy steal cookieīs. Im not here to explain how but as u see
we can run javascript on it so its vuln for XSS attackīs. Just enter this on the $msg
<script>alert(document.cookie)</script> and he will see a alert.
# Solution
There is no solution at the moment and there will not come one.
PX-XP is stopped a long long time ago and TOPPE is not happy when we are spreading the CMS to the public.
The only solution for this one is stopping using this CMS and take a look on PHPNUKE, MAMBO etc. ffs he is self
using now Mambo CMS on his mainpage ( toppedotnl )
Powered by blists - more mailing lists