Message-ID: <00a301c33665$76230830$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: pMachine Cross Site Scripting in Search module and Path Disclosures

--------------------
Product: pMachine
Vendor: pMachine <www.pmachine.com>
Versions:
         VULNERABLE

         - 2.2.x
         - 2.1.x
         - 2.0.x
         - 1.x

         NOT VULNERABLE

         - ?
---------------------

Description:

pMachine is an online publishing solution for editors: a weblog engine
developed in PHP with a MySQL back-end.
It manages entries, articles, hit counters, quizzes and surveys, and its look
and feel is very easy to modify.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered a few security holes related to path disclosures and Cross
Site Scripting vulnerabilities in the Search module.

---------------------------
|    PATH DISCLOSURES     |
---------------------------

Several pMachine files disclose the real (local) installation path of the
pMachine scripts when they are requested with an unexpected "sfx" value or
called directly, so an attacker learns where the scripts live on the server's
filesystem.

Proof of Concepts:

http://[TARGET]/[pMachine PATH]/index.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.lib.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.cp.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/lib/weblog.add.php <-- access directly
http://[TARGET]/[pMachine PATH]/lib/comment.add.php <-- access directly

Other files that use the same variable (sfx) are possibly vulnerable as well.
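
As an added check (not part of the original advisory, and not pMachine's own
code), the Python below pulls the leaked filesystem path out of a response and
drives the five probes above through any fetch(url) callable. The sample
responses, the target host and the exact PHP warning text are constructed for
the example, since the advisory does not show the server's actual output.

```python
import ntpath
import posixpath
import re

# Constructed sample responses (not captured pMachine output): the warnings a
# PHP include() with a bogus user-supplied suffix typically prints, once with
# html_errors=On on a Unix host and once as plain text on a Windows host.
SAMPLE_UNIX = """<html><body>
<b>Warning</b>:  main(./nothing): failed to open stream: No such file or directory in <b>/home/sites/example/public_html/pmachine/inc.lib.php</b> on line <b>27</b><br />
<b>Warning</b>:  main(): Failed opening './nothing' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/sites/example/public_html/pmachine/inc.lib.php</b> on line <b>27</b><br />
</body></html>"""
SAMPLE_WINDOWS = ("Warning: main(./nothing): failed to open stream: No such file or "
                  "directory in C:\\Inetpub\\wwwroot\\pmachine\\index.php on line 12")

# A PHP warning or fatal error ends with "in <absolute path> on line <n>";
# the optional <b> tags cover html_errors=On output.
_PHP_ERROR = re.compile(
    r"\bin (?:<b>)?(?P<path>(?:/[^\s<>\"']+|[A-Za-z]:\\[^\s<>\"']+)\.php)(?:</b>)?"
    r" on line (?:<b>)?(?P<line>\d+)",
    re.IGNORECASE,
)

# The probes from the advisory, relative to the pMachine installation URL.
PROBES = [
    "index.php?sfx=./nothing",
    "inc.lib.php?sfx=./nothing",
    "inc.cp.php?sfx=./nothing",
    "lib/weblog.add.php",
    "lib/comment.add.php",
]


def find_disclosed_paths(body: str) -> list[tuple[str, int]]:
    """Return unique (script path, line) pairs leaked by PHP errors in a response."""
    found: list[tuple[str, int]] = []
    for m in _PHP_ERROR.finditer(body):
        item = (m.group("path"), int(m.group("line")))
        if item not in found:
            found.append(item)
    return found


def install_dirs(body: str) -> set[str]:
    """Directories containing the leaked scripts, i.e. the local install path."""
    dirs = set()
    for path, _ in find_disclosed_paths(body):
        is_windows = re.match(r"[A-Za-z]:\\", path) is not None
        dirs.add(ntpath.dirname(path) if is_windows else posixpath.dirname(path))
    return dirs


def scan(fetch, base_url: str) -> dict[str, list[tuple[str, int]]]:
    """Run every probe through fetch(url) -> body; map leaking URLs to their paths."""
    report = {}
    for probe in PROBES:
        url = base_url.rstrip("/") + "/" + probe
        leaks = find_disclosed_paths(fetch(url))
        if leaks:
            report[url] = leaks
    return report


def fake_fetch(url: str) -> str:
    """Offline stand-in for urllib.request.urlopen(url).read(): only the sfx
    probes leak in this constructed target; the direct-access files return a
    clean page."""
    return SAMPLE_UNIX if "sfx=" in url else "<html><body>ok</body></html>"


if __name__ == "__main__":
    # Assumed host; swap fake_fetch for a real HTTP fetch against a system you
    # are authorised to test.
    for url, leaks in scan(fake_fetch, "http://target.example/pmachine").items():
        print(url, "->", leaks, "install dir:", install_dirs(fake_fetch(url)))
```

The regex keys on the fixed "in <path> on line <n>" suffix of PHP's error
format rather than on any particular warning text, so it also catches the
warnings from other scripts that use the sfx variable. On a real target the
same check turns into a hardening test: with display_errors=Off (or a custom
error handler) none of the probes should return a path.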

---------------------------
|  CROSS SITE SCRIPTING   |
---------------------------

There are some security holes in the Search module, which is located in the
/search/ directory.
HTML and script code can be injected through the search query (the keywords
parameter); it is reflected in the results page and executed on the user
side, in the browser of whoever loads that URL.

Proof of Concepts:

http://[TARGET]/[pMachine Public Path]/search/index.php?weblog=[THE WEBLOG]&keywords=[XSS ATTACK CODE]
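
The following is an added example, not code from the advisory or from
pMachine: a reflection check for the search query, with a constructed model
of a results page that echoes keywords raw beside one that escapes it. The
Python html.escape call plays the role of htmlspecialchars($keywords,
ENT_QUOTES) in a real PHP fix. The canary string, the host name and the
weblog name are assumptions.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed canary (the advisory names no payload): harmless text carrying
# every character a correct HTML escaper must neutralise, plus a unique prefix
# that lets us locate the reflection in the response.
CANARY = 'pmxss<"z">\'q'
METACHARS = '<>"\''


def results_page_vulnerable(keywords: str) -> str:
    """Constructed model of a search page that echoes the query raw: the
    behaviour the advisory describes, not pMachine's actual code."""
    return f"<html><body><p>Search results for: {keywords}</p></body></html>"


def results_page_fixed(keywords: str) -> str:
    """Same page with the query escaped on output; html.escape(..., quote=True)
    is the Python equivalent of PHP's htmlspecialchars($keywords, ENT_QUOTES)."""
    safe = html.escape(keywords, quote=True)
    return f"<html><body><p>Search results for: {safe}</p></body></html>"


def probe_url(base_url: str, weblog: str, canary: str = CANARY) -> str:
    """Build the search request from the advisory with the canary as keywords."""
    query = urlencode({"weblog": weblog, "keywords": canary})
    return base_url.rstrip("/") + "/search/index.php?" + query


def raw_metachars(body: str, canary: str = CANARY) -> str:
    """Metacharacters of the canary that came back unescaped in the response.

    The canary's prefix (up to its first metacharacter) locates the reflection;
    an empty result means the query was escaped, filtered, or not reflected.
    """
    prefix = canary[: min(canary.index(c) for c in METACHARS if c in canary)]
    start = body.find(prefix)
    if start < 0:
        return ""
    echoed = body[start : start + len(canary)]
    return "".join(c for c in METACHARS if c in echoed)


def check_search(fetch, base_url: str, weblog: str, canary: str = CANARY) -> str:
    """Fetch the probe through fetch(url) -> body; return the raw metacharacters."""
    return raw_metachars(fetch(probe_url(base_url, weblog, canary)), canary)


def fake_server(page):
    """Offline stand-in for urllib.request.urlopen: serve a page model that
    reads the keywords parameter exactly as the real script would."""
    def fetch(url: str) -> str:
        params = parse_qs(urlparse(url).query)
        return page(params.get("keywords", [""])[0])
    return fetch


if __name__ == "__main__":
    base = "http://target.example/pmachine"   # assumed host
    for name, page in (("unpatched", results_page_vulnerable),
                       ("escaped", results_page_fixed)):
        print(name, "->", repr(check_search(fake_server(page), base, "myblog")))
```

Reporting which of < > " ' survived, rather than a plain yes/no, tells you
where the injection can land: raw angle brackets allow a new tag, raw quotes
are enough to break out of an attribute the query is echoed into. Escaping on
output is the fix because the displayed text is unchanged for the reader
(html.unescape of the fixed page gives back the original query) while none of
it is parsed as markup.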

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
  security.novappc.com
 Are you totally secured ?
 ______________________


