Message-ID: <00a301c33665$76230830$050010ac@rootserver>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: pMachine Cross Site Scripting in Search module and Path Disclosures
--------------------
Product: pMachine
Vendor: pMachine <www.pmachine.com>
Versions:
VULNERABLE
- 2.2.x
- 2.1.x
- 2.0.x
- 1.x
NOT VULNERABLE
- ?
---------------------
Description:
pMachine is an online publishing solution for editors; it is a weblog
engine developed in PHP with a MySQL back-end.
It manages entries, articles, hit counters, quizzes and surveys, and its
look and feel is very easy to modify.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered a few security holes related to path disclosures and Cross
Site Scripting vulnerabilities in the Search module.
---------------------------
| PATH DISCLOSURES |
---------------------------
Some files of pMachine disclose paths; through them you can obtain the
real (local) installation path of the pMachine scripts.
Proofs of Concept:
http://[TARGET]/[pMachine PATH]/index.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.lib.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.cp.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/lib/weblog.add.php <-- access directly
http://[TARGET]/[pMachine PATH]/lib/comment.add.php <-- access directly
Other files that use this variable (sfx) may be vulnerable as well.
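The following is an added example and not pMachine's code: it assumes a hypothetical page in which a request parameter named "sfx" (the variable named above) selects a template to include, with invented file and directory names. It shows the pattern that produces the disclosure next to a hardened version, and the runtime settings that keep PHP warnings out of responses.

```php
<?php
// Added example, not pMachine's code. Assumes a hypothetical page where the
// "sfx" parameter picks a template; TEMPLATE_DIR and the suffix names are invented.

// --- Vulnerable pattern (assumed, shown for contrast) ---
// If the named file does not exist, include() emits a warning of the form
//   Warning: include(./nothing.php): failed to open stream ... in /path/to/install/index.php
// and with display_errors enabled that warning, absolute path included, reaches the client.
function render_vulnerable(array $get): void
{
    $sfx = $get['sfx'] ?? 'default';
    include $sfx . '.php';
}

// --- Hardened pattern ---
const TEMPLATE_DIR     = __DIR__ . '/templates';       // assumed layout
const ALLOWED_SUFFIXES = ['default', 'print', 'rss'];  // assumed template names

// Map the parameter onto an allow-list so that no user-controlled path text
// ever reaches include(); unknown values yield null instead of a warning.
function resolve_template(string $sfx): ?string
{
    if (!in_array($sfx, ALLOWED_SUFFIXES, true)) {
        return null;
    }
    $path = TEMPLATE_DIR . '/' . $sfx . '.php';
    return is_file($path) ? $path : null;
}

function render_hardened(array $get): void
{
    $requested = (string) ($get['sfx'] ?? 'default');
    $path = resolve_template($requested);
    if ($path === null) {
        // The detail goes to the server log; the client gets a generic answer.
        error_log('search: rejected template suffix ' . var_export($requested, true));
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

// Defence in depth: even if some other code path does trigger a warning, keep
// it out of the response. These belong in php.ini; they are set here only to show them.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

if (PHP_SAPI !== 'cli') {
    render_hardened($_GET);
}
```

The allow-list is the actual fix: the warning only fires because user input reaches include(). Turning display_errors off closes the disclosure channel for any warning elsewhere in the application, and log_errors keeps the detail available to the operator.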
---------------------------
| CROSS SITE SCRIPTING |
---------------------------
There are security holes in the Search module, which is located in the
/search/ directory.
HTML and script code can be injected through the search query; this code
is then executed on the user side, in the browser of whoever views the results.
Proofs of Concept:
http://[TARGET]/[pMachine Public Path]/search/index.php?weblog=[THE WEBLOG]&keywords=[XSS ATTACK CODE]
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
security.novappc.com
Are you totally secured?
______________________