Full Disclosure mailing list archives

pMachine Cross Site Scripting in Search module and Path Disclosures


From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
Date: Thu, 19 Jun 2003 15:19:47 +0200

--------------------
Product: pMachine
Vendor: pMachine <www.pmachine.com>
Versions:
         VULNERABLE

         - 2.2.x
         - 2.1.x
         - 2.0.x
         - 1.x

         NOT VULNERABLE

         - ?
---------------------

Description:

pMachine is an online publishing solution for editors: a weblog engine
developed in PHP with a MySQL back-end.
It manages entries, articles, hit counters, quizzes and surveys, and its
look and feel is very easy to modify.

-----------------------------------------
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

I encountered a few security holes related to path disclosure and Cross
Site Scripting vulnerabilities in the Search module.

---------------------------
|    PATH DISCLOSURES     |
---------------------------

Several pMachine files disclose the real (local) installation path of the
pMachine scripts: passing an unexpected value in the sfx parameter, or
requesting library scripts directly instead of through the page that
includes them, produces a PHP error message that contains the absolute
path of the script on the server.

Proof of Concepts:

http://[TARGET]/[pMachine PATH]/index.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.lib.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/inc.cp.php?sfx=./nothing
http://[TARGET]/[pMachine PATH]/lib/weblog.add.php <-- access directly
http://[TARGET]/[pMachine PATH]/lib/comment.add.php <-- access directly

Other files that use this variable (sfx) are probably vulnerable as well.
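The following is an added example and not pMachine's own code. The way sfx is used (a suffix selecting a template file to include) is a hypothetical reconstruction chosen to show how an unexpected value such as ./nothing reaches include() and makes PHP print a warning containing the absolute path; the real pMachine source may build the filename differently. The template names, the PM_LOADED constant and the templates/ directory are assumptions.

```php
<?php
// Added example, not pMachine's code. "sfx" handling is a hypothetical
// reconstruction of a script that accepts ?sfx=./nothing.

// Errors must never reach the browser. This belongs in php.ini
// (display_errors = Off, log_errors = On); it is set here so the
// example is self-contained.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Set by the entry script before it includes library files (see the
// guard at the bottom, which is what lib/*.php-style files should do).
define('PM_LOADED', true);

// Vulnerable pattern: the attacker-controlled suffix reaches include().
// With display_errors on, PHP answers ?sfx=./nothing with a warning like
//   failed to open stream: No such file or directory in
//   /home/sites/pmachine/index.php on line N
// which hands the visitor the absolute installation path.
function load_template_vulnerable($sfx)
{
    include 'templates/' . $sfx . '.php';
}

// Hardened pattern: (1) only allow-listed suffixes, so no attacker-chosen
// string is ever used as a path; (2) check the file exists and log the
// problem server-side instead of letting PHP complain to the browser.
function load_template_hardened($sfx)
{
    $allowed = array('weblog', 'comments', 'print');   // assumed template names
    if (!in_array($sfx, $allowed, true)) {
        $sfx = 'weblog';                   // silent fallback, never echo the bad value
    }
    $file = dirname(__FILE__) . '/templates/' . $sfx . '.php';
    if (!is_file($file)) {
        error_log("pmachine: missing template $file");   // server log only
        return false;
    }
    include $file;
    return true;
}

// Under register_globals (default in PHP 4) $sfx would be populated from the
// query string automatically; read it explicitly here.
$sfx = isset($_GET['sfx']) ? $_GET['sfx'] : './nothing';   // the advisory's PoC value
load_template_hardened($sfx);

// Guard for files that are only meant to be included (lib/weblog.add.php,
// lib/comment.add.php): refuse direct requests instead of running with
// undefined variables and erroring out with the full path.
if (!defined('PM_LOADED')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted.');
}
```

The allow-list is the real fix; turning display_errors off only hides the symptom and is still worth doing on every production PHP host of that era, because any other script that emits a warning leaks the same path.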

---------------------------
|  CROSS SITE SCRIPTING   |
---------------------------

The Search module, located in the /search/ directory, has Cross Site
Scripting holes: HTML and script code injected into the search query (the
keywords parameter) is reflected unescaped in the results page and executed
in the browser of the user viewing it.

Proof of Concepts:

http://[TARGET]/[pMachine Public Path]/search/index.php?weblog=[THE WEBLOG]&keywords=[XSS ATTACK CODE]
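The following is an added example and not pMachine's code. It models a search results page that reflects the weblog and keywords parameters the way search/index.php does, first in the vulnerable form and then with every untrusted value encoded for the HTML context it lands in. The function names, the placeholder result row and the allowed pattern for weblog names are assumptions.

```php
<?php
// Added example, not pMachine's code. Models search/index.php reflecting
// the "keywords" and "weblog" query parameters into the results page.

// Vulnerable pattern: the query string is echoed straight into HTML, so
// keywords=<script>...</script> runs in the visitor's browser, and a value
// starting with "> breaks out of the input attribute as well.
function render_results_vulnerable($weblog, $keywords, $hits)
{
    $html  = "<h2>Search results for \"$keywords\" in $weblog</h2>\n";
    $html .= "<form><input name=\"keywords\" value=\"$keywords\"></form>\n";
    foreach ($hits as $hit) {
        $html .= "<p>$hit</p>\n";
    }
    return $html;
}

// Hardened pattern: encode every untrusted value for HTML text and
// double-quoted attribute context, and constrain the weblog name to the
// characters an identifier can actually contain.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_results_hardened($weblog, $keywords, $hits)
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $weblog)) {   // assumed naming rule
        return "<p>Unknown weblog.</p>\n";
    }
    $html  = '<h2>Search results for "' . h($keywords) . '" in ' . h($weblog) . "</h2>\n";
    $html .= '<form><input name="keywords" value="' . h($keywords) . "\"></form>\n";
    foreach ($hits as $hit) {
        $html .= '<p>' . h($hit) . "</p>\n";   // database rows are untrusted too
    }
    return $html;
}

// Constructed input in the shape of the advisory's proof of concept.
$weblog   = isset($_GET['weblog'])   ? $_GET['weblog']   : 'weblog';
$keywords = isset($_GET['keywords']) ? $_GET['keywords']
          : '"><script>alert(document.cookie)</script>';
$hits     = array('No matching entries.');   // placeholder for the query result

echo render_results_hardened($weblog, $keywords, $hits);
// The payload comes back as &quot;&gt;&lt;script&gt;... : inert text, not markup.
```

Encoding at output time, per context, is what closes the hole; stripping "<script>" from the input is not enough, since the attribute break-out in the PoC value needs no script tag at all.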

-----------
| CONTACT |
-----------

Lorenzo Hernandez Garcia-Hierro
 --- Computer Security Analyzer ---
 --Nova Projects Professional Coding--
 PGP: Keyfingerprint
 B6D7 5FCC 78B4 97C1  4010 56BC 0E5F 2AB2
 ID: 0x9C38E1D7
 **********************************
  security.novappc.com
 Are you totally secured ?
 ______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

