JAFCMS-4.0.txt

2006-10-03T00:00:00
ID PACKETSTORM:50519
Type packetstorm
Reporter nanoymaster
Modified 2006-10-03T00:00:00

Description

##################################################################################
## Hacker:  NanoyMaster                                                         ##
## Exploit: JAF CMS                                                             ##
## Version: 4.0 RC1                                                             ##
##################################################################################
## vulnerabilities: XSS in shoutbox                                             ##
##                  PHP execution                                               ##
##                  XSS in forum                                                ##
##################################################################################
## \m/___Props___\m/                                                            ##
## z3r0phr34k                                                                   ##
## System_Meltdown                                                              ##
## THK-GEO & THK-h3x                                                            ##
## All of Exploitarians                                                         ##
##################################################################################
  
  
//------------------------------------------------------------------------------//  
// XSS in shoutbox //  
//------------------------------------------------------------------------------//  
  
Self explanatory... in the message body put: <script>alert('hi')</script>
  
Error: module/shout/jafshout.php  
Line: 168 - 202  
  
187 - 191 {
// every line below re-reads the raw $_POST['message'], so each assignment
// discards the previous one and only the last str_replace() takes effect.
// ("&gt;"/"&lt;" restored here; the replacement strings were HTML-decoded
// to ">"/"<" when this text was extracted.)
$message = preg_replace('/"/','',$_POST['message']);
$message = preg_replace("/>/","&gt;",$_POST['message']);
$message = preg_replace("/</","&lt;",$_POST['message']);
$message = str_replace("onmouse","",$_POST['message']);
$message = str_replace("/\/","edited",$_POST['message']);
}
  
change the relevant lines so that each step works on the $message produced by the previous step; only the first line keeps reading $_POST['message'].

187 - 191 {
$message = preg_replace('/"/','',$_POST['message']);
$message = preg_replace("/>/","&gt;",$message);
$message = preg_replace("/</","&lt;",$message);
$message = str_replace("onmouse","",$message);
$message = str_replace("/\/","edited",$message);
}
etc etc.  
  
*note*   
This should be implemented on all of the variables stored to the flat-file  
module/files/shout   
*end note*  
  
  
//------------------------------------------------------------------------------//  
// PHP execution //  
//------------------------------------------------------------------------------//  
  
Yet again in the shoutbox type something like:  
  
Windoze) <?php system(dir); ?>   
Linux) <?php system(ls -la); ?>  
  
you could see how useful this could be ;) possibly overwrite admin/data_inc.php
(where the admin's password hash is) :p
  
Error: module/shout/jafshout.php  
Line: 168 - 202  
Patch: (see above code)  
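To see why the original chain in jafshout.php lets markup (and therefore a PHP tag) straight through while the chained version does not, here is an added example that is not the advisory's code and not part of JAF CMS; it runs both filters, plus the htmlentities() approach the forum patch uses, on the advisory's own test string, and assumes the intended replacements are &gt; and &lt;.

```php
<?php
// Added example, not part of the advisory or of JAF CMS. It contrasts the
// original jafshout.php filter chain with the chained version the advisory
// proposes. Assumption: the intended replacements are "&gt;" and "&lt;".

// Shape of the original lines 187-191: every step reads the raw $_POST value
// again, so each assignment throws away the previous result and only the
// last str_replace() has any effect on what is stored.
function filter_broken(array $post): string
{
    $message = preg_replace('/"/', '', $post['message']);
    $message = preg_replace('/>/', '&gt;', $post['message']);
    $message = preg_replace('/</', '&lt;', $post['message']);
    $message = str_replace('onmouse', '', $post['message']);
    $message = str_replace('/\/', 'edited', $post['message']);
    return $message;
}

// The advisory's fix: read $_POST once, then pass $message along the chain.
function filter_chained(array $post): string
{
    $message = preg_replace('/"/', '', $post['message']);
    $message = preg_replace('/>/', '&gt;', $message);
    $message = preg_replace('/</', '&lt;', $message);
    $message = str_replace('onmouse', '', $message);
    $message = str_replace('/\/', 'edited', $message);
    return $message;
}

// What the forum patch does instead: encode every markup-significant
// character in one call rather than maintaining a blacklist of substrings.
function filter_entities(array $post): string
{
    return htmlentities($post['message'], ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: the advisory's own shoutbox test string.
$post = ['message' => "<script>alert('hi')</script>"];

// The broken chain hands the tags back untouched; the other two encode
// "<" and ">", so the stored text neither renders as markup in the
// shoutbox nor opens a "<?php" tag if the flat file is later included.
echo "broken:   ", filter_broken($post), "\n";
echo "chained:  ", filter_chained($post), "\n";
echo "entities: ", filter_entities($post), "\n";
```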
  
  
//------------------------------------------------------------------------------//  
// XSS in forum //  
//------------------------------------------------------------------------------//  
  
Self explanatory... in the message body put: <script>alert('hi')</script>
  
Error: module/forum/topicwin.php  
Line: 112 - 123
  
112 - 117 {  
$n_topic["name"]=$name;  
$n_topic["email"]=$email;  
$n_topic["title"]=$title;  
$n_topic["date"]=$date;  
$n_topic["ldate"]=$date;  
$n_topic["lname"]=$name;  
}  
  
change the relevant lines to look like the following.
  
112 - 117 {  
$n_topic["name"]=htmlentities($name, ENT_QUOTES);  
$n_topic["email"]=htmlentities($email, ENT_QUOTES);  
$n_topic["title"]=htmlentities($title, ENT_QUOTES);  
$n_topic["date"]=htmlentities($date, ENT_QUOTES);  
$n_topic["ldate"]=htmlentities($date, ENT_QUOTES);  
$n_topic["lname"]=htmlentities($name, ENT_QUOTES);   
}  
etc etc.  
  
//------------------------------------------------------------------------------//  
// End //  
//------------------------------------------------------------------------------//  