EV0087.txt

2006-03-09T00:00:00
ID PACKETSTORM:44492
Type packetstorm
Reporter Aliaksandr Hartsuyeu
Modified 2006-03-09T00:00:00

Description

                                        
New eVuln Advisory:  
ShoutLIVE PHP Code Execution & Multiple XSS Vulnerabilities  
http://evuln.com/vulns/87/summary.html  
  
--------------------Summary----------------  
eVuln ID: EV0087  
CVE: CVE-2006-0940 CVE-2006-0941  
Software: ShoutLIVE  
Software's Web Site: http://cynic.x10hosting.com/downloadfile.php?file=phpscripts/ShoutLIVE.zip  
Versions: 1.1.0  
Critical Level: Dangerous  
Type: PHP Code Execution  
Class: Remote  
Status: Unpatched. No reply from developer(s)  
Exploit: Available  
Solution: Not Available  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
-----------------Description---------------  
1. PHP Code Execution  
  
Vulnerable Script: savesettings.php  
  
None of the user-defined variables are sanitized before being written into settings.php.  
This can be used to inject arbitrary PHP code.  
  
System access is possible.  
  
  
2. Multiple Cross-Site Scripting  
  
Vulnerable Script: post.php  
  
None of the user-defined variables are sanitized when posting a new message. This can be used to inject arbitrary HTML or JavaScript code.  
  
  
--------------Exploit----------------------  
Available at: http://evuln.com/vulns/87/exploit.html  
  
1. PHP Code Execution Example.  
  
<form method=POST action=http://[host]/savesettings.php>  
<input name=admin_pword value='asd"; [code] $a="'>  
</form>  
  
  
2. Multiple Cross-Site Scripting  
  
URL: http://[host]/index.php  
First name: [XSS]  
Web Site: javascript:[script]  
Message: [XSS]  
  
--------------Solution---------------------  
No Patch available.  
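
Added example for issue 1 (not from the advisory or the ShoutLIVE code base): the way savesettings.php writes values is assumed, since the advisory does not show the source, and all function names are hypothetical. It renders the same admin_pword value through string concatenation and through var_export(), then tokenizes both outputs without executing them.

```php
<?php
// Added illustration, NOT ShoutLIVE source. Function names are hypothetical;
// only the admin_pword field name comes from the advisory.

// Assumed vulnerable pattern: request values are pasted between double quotes
// in generated PHP, so a value containing " ends the string early and the
// remainder is parsed as code when settings.php is next included.
function render_settings_unsafe(array $in): string
{
    $out = "<?php\n";
    foreach ($in as $key => $value) {
        $out .= "\$$key = \"$value\";\n";
    }
    return $out;
}

// Hardened pattern: allowlist the keys, accept scalars only, and let
// var_export() emit a correctly escaped PHP string literal.
function render_settings_safe(array $in, array $allowedKeys): string
{
    $clean = [];
    foreach ($allowedKeys as $key) {
        if (isset($in[$key]) && is_scalar($in[$key])) {
            $clean[$key] = (string) $in[$key];
        }
    }
    return "<?php\nreturn " . var_export($clean, true) . ";\n";
}

// token_get_all() parses without executing. Finding $name as a T_STRING
// token means it sits in code position, not inside a string literal.
function contains_identifier(string $php, string $name): bool
{
    foreach (token_get_all($php) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && $tok[1] === $name) {
            return true;
        }
    }
    return false;
}

// Constructed input: a harmless define() marker stands in for [code].
$post = ['admin_pword' => 'asd"; define("INJECTED", 1); $a="'];

// Report, per rendering, whether the marker ended up in code position.
var_dump(contains_identifier(render_settings_unsafe($post), 'define'));
var_dump(contains_identifier(render_settings_safe($post, ['admin_pword']), 'define'));
```

The hardened writer returns an array, so a consumer would load it with `$settings = include 'settings.php';` instead of relying on global variables.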
  
--------------Credit-----------------------  
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)  
  
  
Regards,  
Aliaksandr Hartsuyeu  
http://evuln.com - Penetration Testing Services  