Full Disclosure mailing list archives
pMachine Cross Site Scripting in Search module and Path Disclosures
From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Thu, 19 Jun 2003 15:19:47 +0200
--------------------
Product: pMachine
Vendor: pMachine <www.pmachine.com>
Versions:
VULNERABLE
- 2.2.x
- 2.1.x
- 2.0.x
- 1.x
NOT VULNERABLE
- ?
---------------------
Description:
pMachine is an online publishing solution for editors; it is a weblog engine developed in PHP with a MySQL back-end. It manages entries, articles, hit counters, quizzes and surveys, and it has a very easy to modify look and feel.
-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
I encountered a few security holes related to path disclosures and Cross Site Scripting vulnerabilities in the Search module.
---------------------------
| PATH DISCLOSURES |
---------------------------
There are some path disclosures in some files of pMachine; with these you can get the real (local) installation path of the pMachine scripts.
Proof of Concepts:
http://[TARGET]/[pMachine PATH]/index.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.lib.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.cp.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/lib/weblog.add.php <-- access directly
http://[TARGET]/[pMachine PATH]/lib/comment.add.php <-- access directly
Possibly other files using this variable (sfx) are vulnerable.
---------------------------
| CROSS SITE SCRIPTING |
---------------------------
There are some security holes in the Search module, which is located in the /search/ directory. You can inject HTML code and script code in the query of the Search; this code will be executed on the user side.
Proof of Concepts:
http://[TARGET]/[pMachine Public Path]/search/index.php?weblog=[THE WEBLOG]&keywords=[XSS ATTACK CODE]
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 ID: 0x9C38E1D7
**********************************
security.novappc.com
Are you totally secured ?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
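As an added illustration of how a site operator could spot the two probe patterns this advisory describes (script payloads in the search `keywords` parameter, and `sfx=` / direct `lib/*.add.php` requests aimed at a path-disclosing error) in a web server access log. This is example code written for this archive page, not the author's or pMachine's own code; the log lines, client addresses and the `/blog/` install prefix are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2003:15:19:47 +0200] "GET /blog/search/index.php?weblog=news&keywords=php+tips HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jun/2003:15:20:01 +0200] "GET /blog/search/index.php?weblog=news&keywords=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210
198.51.100.7 - - [19/Jun/2003:15:20:15 +0200] "GET /blog/index.php?sfx=./nothing HTTP/1.1" 200 812
198.51.100.7 - - [19/Jun/2003:15:20:16 +0200] "GET /blog/lib/weblog.add.php HTTP/1.1" 200 640
203.0.113.5 - - [19/Jun/2003:15:21:00 +0200] "GET /blog/index.php?sfx=news HTTP/1.1" 200 9001
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# Coarse markers of script-bearing search terms: a tag, a javascript: URL or an on*= handler.
XSS_RE = re.compile(r'<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=', re.IGNORECASE)
# Library files the advisory lists as disclosing the install path when requested directly.
DIRECT_INCLUDE_RE = re.compile(r'/lib/(weblog|comment)\.add\.php$')

def classify_request(path_with_query):
    """Return a finding label for one request URI, or None if it looks benign."""
    parts = urlsplit(path_with_query)
    path = unquote(parts.path)
    query = parse_qs(parts.query, keep_blank_values=True)
    if path.endswith("/search/index.php"):
        for value in query.get("keywords", []):
            # parse_qs already decoded once; decode again to catch double-encoded payloads.
            if XSS_RE.search(unquote(value)):
                return "xss-probe"
    for value in query.get("sfx", []):
        # Dotted or slash-bearing sfx values ("./nothing") aim at an include() error message.
        if value.startswith(".") or "/" in value:
            return "sfx-path-disclosure-probe"
    if DIRECT_INCLUDE_RE.search(path):
        return "direct-include-access"
    return None

def scan_log(text):
    """Return a list of (client_ip, finding, uri) for each suspicious request in the log."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, uri, _status = m.groups()
        label = classify_request(uri)
        if label:
            findings.append((ip, label, uri))
    return findings
```

Running `scan_log(SAMPLE_LOG)` on the constructed lines returns three findings: the encoded `<script>` probe, the `sfx=./nothing` probe and the direct request for `lib/weblog.add.php`; the two ordinary requests are not flagged.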
Current thread:
- pMachine Cross Site Scripting in Search module and Path Disclosures Lorenzo Hernandez Garcia-Hierro (Jun 19)
- Re: pMachine Cross Site Scripting in Search module and Path Disclosures Melvyn Sopacua (Jun 19)