=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================
About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find
for creating eye-catching, functional and professional websites, blogs and
online stores.
You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is
perhaps most amazing is the sheer power and totality of the features it offers.
http://www.websitex5.com/en/evolution-9.html
*Nice Software and easy to use.*
==========================================
About Vulnerabilities:
[*] XSS: [*]
site.tld/imsearch.php?search="\><script>alert(1);</script>
Fix:
Open imsearch.php and find:
=============VULNERABLE CODE==============
<?php
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>
==========END OF VULNERABLE CODE==========
REPLACE WITH:
==============FIXED CODE====================
<?php
$search = new imSearch();
// Encode both request parameters before they are echoed back into the page.
// ENT_QUOTES also escapes single quotes, so the value is safe inside either
// attribute quoting style, not only inside double-quoted attributes.
$search->search(htmlspecialchars(@$_GET['search'], ENT_QUOTES, 'UTF-8'),
                htmlspecialchars(@$_GET['page'], ENT_QUOTES, 'UTF-8'));
?>
===========END OF FIXED CODE================
[*] Second vulnerability is Authentication Bypass. [*]
Vulnerable code: site.tld/admin/checkaccess.php
========= BEGIN VULNERABLE CODE ===========
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
}
else
    $logged = TRUE;
// End of file checkaccess.php
==========END OF VULNERABLE CODE==========
Note the flaw: header() only queues the redirect and nothing stops the script, so execution continues and the rest of the protected page is still generated and sent in the body of the 302 response.
To reproduce:
===============================================
Intercept the traffic from your browser with Fiddler and you will see the output of the protected script in the body of the redirect response.
Screenshot:
http://oi47.tinypic.com/f21sf7.jpg
==================== RAW=======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="it" />
<meta http-equiv="Content-Type-Script" content="text/javascript" />
<meta http-equiv="ImageToolbar" content="False" />
<meta name="MSSmartTagsPreventParsing" content="True" />
<script type="text/javascript" src="../res/jquery.js"></script>
<script type="text/javascript" src="../res/x5engine.js"></script>
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
<title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
<div id="imBody">
<div class="imSectionTitle"></div>
<div class="imContent">
<div class="imTest pass">Версия PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">Поддержка сессии<span>PASS</span></div>
<div class="imTest pass">Путь к публичной папке на сервере<span>PASS</span></div>
</div>
</div>
</div>
</body>
===============EOF RAW==================
If your checkaccess.php is not patched, every script under /admin/*.php that relies on it for access control is exposed in the same way.
Fixed Code:
site.tld/admin/checkaccess.php
==============BEGIN FIXED CODE=================
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0)
{
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
    {
        header("Location: login.php?error");
        exit;
    }
    else
    {
        header("Location: login.php");
        exit;
    }
}
else
{
    $logged = TRUE;
}
// End of file checkaccess.php
===============END OF FIXED CODE================
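As an added check, not part of the advisory or of the vendor's code, the following Python audit flags header('Location: ...') calls that are not followed by exit or die, which is exactly the defect in checkaccess.php; the two PHP samples embedded below are constructed after the advisory's vulnerable and fixed snippets.

```python
import re

# A header() call that issues a Location redirect (case-insensitive on "location").
REDIRECT_RE = re.compile(r'header\s*\(\s*["\']location\s*:', re.IGNORECASE)
# Statements that stop the script once the redirect header has been sent.
TERMINATOR_RE = re.compile(r'^\s*(exit|die)\b', re.IGNORECASE)
SAME_LINE_TERMINATOR_RE = re.compile(r';\s*(exit|die)\b', re.IGNORECASE)

def find_unterminated_redirects(php_source):
    """Return 1-based line numbers of redirect header() calls not followed by
    exit/die, i.e. places where the rest of the script still runs and its
    output is sent along with the 302 (the checkaccess.php defect)."""
    lines = php_source.splitlines()
    findings = []
    for i, line in enumerate(lines):
        if line.strip().startswith(('//', '#', '/*', '*')):
            continue                      # skip commented-out code
        match = REDIRECT_RE.search(line)
        if not match:
            continue
        if SAME_LINE_TERMINATOR_RE.search(line[match.end():]):
            continue                      # header(...); exit; on one line
        j = i + 1
        while j < len(lines) and not lines[j].strip():
            j += 1                        # skip blank lines only: a '}' or 'else' next is a finding
        if j >= len(lines) or not TERMINATOR_RE.match(lines[j]):
            findings.append(i + 1)
    return findings

# Constructed sample modelled on the advisory's vulnerable checkaccess.php.
VULNERABLE_SAMPLE = """<?php
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
}
else
    $logged = TRUE;
"""

# Constructed sample with exit after each redirect, as in the fixed version.
FIXED_SAMPLE = """<?php
if ($denied) {
    header("Location: login.php?error");
    exit;
}
header("Location: login.php"); exit;
"""
```

Run it over every file under admin/ of an installation to confirm no redirect is left without an exit; the vulnerable sample reports lines 5 and 7, the fixed sample reports nothing.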
**Vendor notified about this advisory.**
================================================
SHOUTZ+RESPECTS+GREAT THANKS TO ALL MY FRIENDS:
================================================
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securityvulns.com
securitylab.ru
secunia.com
securityhome.eu
exploitsdownload.com
exploit-db.com
osvdb.com
websecurity.com.ua
to all Aa Team + to all Azerbaijan Black HatZ
+ *Especially to my bro CAMOUFL4G3 *
To All Turkish Hackers
Also special thanks to: ottoman38 & HERO_AZE
================================================
/AkaStep