Archive for Exploits

The Month of PHP Bugs (”formerly known as March”)

4 Mar, 2007  2 Comments

The guys over at the Hardened-PHP Project have started a months of PHP Bugs. Whereby they set out to find vulnerabilities in the PHP Core (not any specific application). At the time of writing, they are up-to their 9th flaw. You can see all the action at php-security.org.

TorrentFlux “action” Script Insertion

17 Oct, 2006  No Comment

TITLE:
TorrentFlux “action” Script Insertion

CRITICAL:
Not Critical
IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “action” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in context of an affected site when the “Activity Log” is viewed.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
/admin.php
Line 336:

$output .= “<td><div class=\”tiny\”>”.htmlentities($action, ENT_QUOTES).”</div></td>”;

Line 398:

echo “<option value=\”".htmlentities($action, ENT_QUOTES).”\” “.$selected.”>”.htmlentities($action, ENT_QUOTES).”</option>”;

TorrentFlux “file” Script Insertion

17 Oct, 2006  No Comment

TITLE:
TorrentFlux “file” Script Insertion

CRITICAL:
Moderate

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “file” variable is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an administrator’s browser session in context of an affected site when the “Activity Log” is viewed. An example is attempting to login with an incorrect username or password. Where the username field of /login.php contains the arbitrary code.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:

Edit the source code to ensure that input is properly sanitised.

/admin.php

Line 338:

$output .= htmlentities($file, ENT_QUOTES);

TorrentFlux “startpop.php” “torrent” Script Insertion

13 Oct, 2006  6 Comments

TITLE:
TorrentFlux “startpop.php” “torrent” Script Insertion
CRITICAL:
Not Critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
TorrentFlux 2.x

DESCRIPTION:
I have discovered a vulnerability in TorrentFlux, which can be exploited by malicious users to conduct script insertion attacks.

Input passed to the “torrent” field of a GET Request (/startpop.php?torrent=%22%3E%3Cscript%3Ealert(document.cookies);%3C/script%3E.torrent) is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in an user’s browser session in context of an affected site if a user clicks on a malicious link.

The vulnerability has been confirmed in version 2.1. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

/startpop.php

Line 36: Change to: $displayName = htmlentities($displayName, ENT_QUOTES);

(Line 36 is normally empty)

Grant only trusted users access to the application

Breaking Text Based Captcha is Easy!

11 Oct, 2006  2 Comments

Today, I still don’t remember how I got to this blog post but anyway I saw that they had a text based captcha.

The blog author claims that it prevents spam, which it does! Because it added an extra layer of uniqueness to his code and unintelligent spam bots don’t realise. Anyway now for the breaking:

//Break Text Based Captcha:
$regex = ‘#/>\s+

(\d+)\s*([\+\-\/\*])\s*(\d+)\s*\=?

\s+
$page = getpage(’http://pooteeweet.org/blog/259/p/1′);

preg_match($regex, $page, $matches);
$n1 = intval($matches[1]);
$n2 = intval($matches[3]);

$op = $matches[2];

switch ($op) {
case ‘+’:
$INTresult = intval($n1+$n2);
break;

case ‘-’:
$INTresult = intval($n1-$n2);
break;

case ‘/’:
$INTresult = intval($n1/$n2);
break;

case ‘*’:
$INTresult = intval($n1*$n2);
break;

default:
die(’Illegal Operation’);
break;
}

echo $INTresult;
?>

Note that my framework has a function getpage which is just a simple (well quite advanced actually…) curl function.

There you have it $INTresult is the answer to the math problem.

Yes this is a very simple text captcha but breaking a more advanced one wouldn’t require that much more effort.

Regards,

Steven Roddis

TorrentFlux User-Agent XSS Vulnerability

6 Oct, 2006  3 Comments

Name: TorrentFlux User-Agent XSS Vulnerability
Published: 2006-10-06
Critical Level: Moderate
Type: Cross-Site Scripting
Where: Remote
Status: 0-Day
Software: Torrentflux 2.1
Discoverer: Steven Roddis (http://www.stevenroddis.com)

I gave the authors of this product a week (more than usual) just to contact me, they have failed to do so; so I am releasing this vulnerability publicly!

/admin.php

Line: 325

$ip_info = $ip_resolved.”
“.$user_agent;

Useragent is not esacped.

Solution:

Edit source code:

/admin.php

Line: 325:

$ip_info = htmlentities($ip_resolved, ENT_QUOTES).”
“.htmlentities($user_agent, ENT_QUOTES);

Recent Comments

  • Josir Gomes: Hi Steve, the meta-package ubuntu-desktop is bloated with huge softwares like OpenOffice, Evolution,...
  • hannah: your that good! ha ha, but seriously.
  • Wiras Adi: Yeah, mathematic operation in text-based CAPTCHA is very easy to break. And I don't think that many sites...
  • Gary: Phew! You saved me lots of hassle :-) The only problem I had was that $_SERVER[’HTTP_AUTHORIZATION ’]...
  • Stephen: To touch on the issue Vinay raised, I had to use the -wholename option on the find command to delete files...

Else wheres