JAF CMS 4.0 RC1 multiple vulnerabilities

2006-09-27T00:00:00
ID SECURITYVULNS:DOC:14438
Type securityvulns
Reporter Securityvulns
Modified 2006-09-27T00:00:00

Description

## _ _ _ _

Hacker: NanoyMaster ## /|| \ | || \ / ||\

Exploit: JAF CMS ## / || |\\| || \/ || \

Version: 4.0 RC1 ## \ || | \ || |\/| || /

## \||| \||| |||/

vulnerabilities: XSS in shoutbox

PHP execution

XSS in forum

\m/Props\m/

z3r0phr34k

System_Meltdown

THK-GEO & THK-h3x

All of Exploitarians

//------------------------------------------------------------------------------// // XSS in shoutbox // //------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/shout/jafshout.php Line: 168 - 202

187 - 191 { $message = preg_replace('/"/','',$_POST['message']); $message = preg_replace("/>/","&gt;",$_POST['message']); $message = preg_replace("/</","&lt;",$_POST['message']); $message = str_replace("onmouse","",$_POST['message']); $message = str_replace("/\/","edited",$_POST['message']); }

change the relevent lines to look like the following, bar the first $_POST['message'].

187 - 191 { $message = preg_replace('/"/','',$message); $message = preg_replace("/>/","&gt;",$message); $message = preg_replace("/</","&lt;",$message); $message = str_replace("onmouse","",$message); $message = str_replace("/\/","edited",$message); } etc etc.

note This should be implemented on all of the variables stored to the flat-file module/files/shout end note

//------------------------------------------------------------------------------// // PHP execution // //------------------------------------------------------------------------------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>
Linux) <?php system(ls -la); ?>

you could see how usefull this could be ;) possably overwright admin/data_inc.php (where the admin's password hash is) :p

Error: module/shout/jafshout.php Line: 168 - 202 Patch: (see above code)

//------------------------------------------------------------------------------// // XSS in forum // //------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/forum/topicwin.php Line: 112- 123

112 - 117 { $n_topic["name"]=$name; $n_topic["email"]=$email; $n_topic["title"]=$title; $n_topic["date"]=$date; $n_topic["ldate"]=$date; $n_topic["lname"]=$name; }

change the relevent lines to look like the following.

112 - 117 { $n_topic["name"]=htmlentities($name, ENT_QUOTES); $n_topic["email"]=htmlentities($email, ENT_QUOTES); $n_topic["title"]=htmlentities($title, ENT_QUOTES); $n_topic["date"]=htmlentities($date, ENT_QUOTES); $n_topic["ldate"]=htmlentities($date, ENT_QUOTES); $n_topic["lname"]=htmlentities($name, ENT_QUOTES);
} etc etc.

//------------------------------------------------------------------------------// // End // //------------------------------------------------------------------------------//