Open Source and information security mailing list archives
 
Date: Wed, 14 Sep 2005 10:32:41 -0700 (PDT)
From: alireza hassani <trueend5@...oo.com>
To: bugtraq@...urityfocus.com
Subject: SQL injection & XSS in phpoutsourcing Noah's classifieds


Software: phpoutsourcing Noah's classifieds
Vendor: http://classifieds.phpoutsourcing.com/
Version: all versions
Bug: SQL injection & XSS 
Exploitation: Remote with browser
-------------------------------------------------------------------------------------
Introduction:
 Noah's Classifieds is a general purpose application
that allows you to set up as many ad categories as you
want specifying custom fields for each of them.

Vulnerability:

Several scripts do not properly validate user-supplied
input. A remote user can create specially crafted
parameter values that will execute SQL commands on the
underlying database. A remote user can create a
specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's
cookies. 
In these cases, the rollid parameter is vulnerable.
-----------------------------
SQL Injection:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'
The vulnerability is easy to exploit; for example, the
"Search" & "forgotten password" pages might be
exploited with a simple ' (%27)
-All versions are vulnerable-
-------------------------------
XSS:
Demonstration exploit URL
http://localhost/classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4'<script>alert(document.cookie)</script>
The username and hashed password are set by cookie, so customer
cookies may be compromised. The attacker may be able
to pose as a legitimate user to view and alter user
records, and perform transactions as that user.
-Just tested on classified 1.3 (the last release)-
-------------------------------
Solution: 
There is no vendor-supplied patch at this time.
-------------------------------
Credits:
Discovered & released by trueend5
[ Security Researchers Institute Of Iran <KAPDA.ir> in
association with iraNNetjob.com]

Original advisory: http://www.irannetjob.com/index.php?option=com_content&task=view&id=122&Itemid=28
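
With no vendor patch available, operators can at least look for requests like the two demonstration URLs in their web server logs. The following is an added example, not part of the original advisory or the vendor's code: it flags any request whose decoded rollid value is not a plain number. The log lines are constructed, and treating rollid as a numeric record id is an assumption drawn from the demonstration URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (common log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Sep/2005:10:40:01 -0700] "GET /classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4 HTTP/1.1" 200 5120
203.0.113.9 - - [14/Sep/2005:10:41:12 -0700] "GET /classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4%27 HTTP/1.1" 200 812
203.0.113.9 - - [14/Sep/2005:10:41:30 -0700] "GET /classifieds/index.php?methode=showdetails&list=Advertisment&rollid=4%27%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5301
198.51.100.7 - - [14/Sep/2005:10:42:02 -0700] "GET /classifieds/index.php?methode=showdetails&rollid=17 HTTP/1.1" 200 4990
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
NUMERIC_ID = re.compile(r"\d{1,10}")  # assumption: rollid is a numeric record id


def classify_rollid(value):
    """Return None for a well-formed id, else a label for the anomaly."""
    if NUMERIC_ID.fullmatch(value):
        return None
    lowered = value.lower()
    if "<" in lowered or ">" in lowered or "script" in lowered:
        return "markup-in-rollid"
    if "'" in value or '"' in value:
        return "quote-in-rollid"
    return "non-numeric-rollid"


def scan(log_text):
    """Return (client_ip, label, decoded_value) for each suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qs percent-decodes values, so %27 and a literal ' are treated alike
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in params.get("rollid", []):
            label = classify_rollid(value)
            if label:
                findings.append((client, label, value))
    return findings


if __name__ == "__main__":
    for client, label, value in scan(SAMPLE_LOG):
        print(f"{client}\t{label}\t{value!r}")
```

The same numeric-only rule can be enforced in front of the application (for example in a reverse proxy or WAF rule) until the code itself validates the parameter.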
