Moonware Software Multiple Vulnerabilities

2007-08-28T00:00:00
ID SECURITYVULNS:DOC:17905
Type securityvulns
Reporter Securityvulns
Modified 2007-08-28T00:00:00

Description

Moonware Software Multiple Vulnerabilities

by s0cratex


MSN: s0cratex[at]nasa[dot]gov

Moonware Homepage: http://dalemooney.lost-soldiers.com

I. Moon Gallery


Bug: Arbitrary file upload Dork: "Powered by: Dale Mooney Gallery"

Details:

The file /config/upload.php don't have any restriction, 6:$target_path = $target_path . basename( $_FILES['uploadedfile']['name']);
8:if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {

U can upload a PHP Shell and found it in the subdir /images/

II. Calendar Events -------- ------

Bug: SQL Injections

Details: The variable $get is not verified in the file viewevent.php. (We need magic_quotes_gpc = Off)

8:$get = mysql_query("SELECT * FROM cal_events WHERE id = '$id'"); p0c: viewevent.php?id=-1' union select 1,load_file('/etc/passwd'),1,1/*

III. Moonware Contact Form -------- ------- ----

Bug: CRLF Injection

Details:

File contact.php

line 26-35 if($Submit){

    $to = $email;
    $subject = $_POST["subject"];
    $email = $_POST["email"];
    $message = $_POST["message"];
    $name = $_POST["name"];
    $datetime = date("D, d M Y H:i:s");

    $finalmessage = "Message from: $name \n Subject: $subject \n Email: $email \n Date Sent: $datetime \n Message:\n\n $message";

44:$sent = mail($to,$subject,$finalmessage); The vars are not verified and i can insert \r\n...

oops!! #EOF