BugTraq
PC-EXPERIENCE/TOPPE CMS Security Advisory Jul 30 2005 03:09PM
rat marocmaffia com


# PC-EXPERIENCE/TOPPE CMS Security Advisory
# By : Morinex
# E-Mail : rat (at) marocmaffia (dot) com [email concealed]
# Date : 30-07-2K5 ( so lazzy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gay´s of 0x1fe. I hate them so much isnt Falesco ? 0x1fe.com :)

Vulnerabilities

* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )

We have founded a USER-ID disclosure and a XXS vuln. on the PM. I dont have time
to tell the full story about PCXP/TOPPE CMS so let´s tell a brief history about this CMS.
The CMS was coded by Alex of PCXP and after that he made it public for everyone.
Later there was a guy named Toppe who modded the source and recoded the admin. Dunno if its true but i heard a lot about this gay on wmc´s but anyway lets take a look on the vuln´s.

Download the PC-XP source V2 on : http://members.lycos.nl/toppecms/pcexpv2.rar ( "Modded" )
Download the PC-XP source V1.15 on : http://members.lycos.nl/toppecms/pcxv1.15.zip

# USER-ID BYPASSING ( remote )

Let´s start directly . We are gonna get acces on every user-id i want on a PC-XP/TOPPE cms.
Let´s visit one target. wmhulp dot nl , hmmz now we are gonna check the cookie of wmhulp.
C:\Documents and Settings\Morinex\Cookies , and i found this cookie on it :

wmhulp.nl FALSE / FALSE 1144851286 hash 81859
wmhulp.nl FALSE / FALSE 1144851286 id 48
wmhulp.nl FALSE / FALSE 1144851286 wachtwoord 098f6bcd4621d373cade4e832627b4f6

as we see i am user ID 48 (registered before ) and my password is 098f6bcd4621d373cade4e832627b4f6 (md5) .
If u cat login.php and scroll down u will see this "if($assoc['userid'] == $_COOKIE['id'] AND $actie == bekijk){ "
If u have a litle php exp u will see that $actie only is checking if the userid and cookie are the same. So its easy to exploit
just edit 48 with ure own ID number . U can see ure ID number on the members list ( ledenlijst.php ) .
After that we save the cookie and visit the page i am logged in with the userid i want. We have now full acces on PCXP/TOPPE CMS.
Take a look on the admin page ;> or kind of that.

# Cross Site Scripting Vuln. ( local )

This one is located on the pm page. ( pm.php )
Javascript is enabled so we can easy steal cookie´s. Im not here to explain how but as u see
we can run javascript on it so its vuln for XSS attack´s. Just enter this on the $msg
<script>alert(document.cookie)</script> and he will see a alert.

# Solution

There is no solution at the moment and there will not come one.
PX-XP is stopped a long long time ago and TOPPE is not happy when we are spreading the CMS to the public.
The only solution for this one is stopping using this CMS and take a look on PHPNUKE, MAMBO etc. ffs he is self
using now Mambo CMS on his mainpage ( toppedotnl )

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus