PwsPHP v1.2.2 Final - Multiples vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PwsPHP v1.2.2 Final - Multiples vulnerabilities
From: SecuBox fRoGGz <unsecure@xxxxxxxxxxx>
Date: 7 May 2005 15:07:55 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


PwsPHP v1.2.2 Final - Multiples vulnerabilities
-----------------------------------------------

VULNERABLE PRODUCT
------------------
Forum: Pwsphp
Version: 1.2.2 Final
Vulnerabilities: Multiples
--------------------------

                                       __
    ____  __   __ ____          ____  / /_  ____  
   / _  \/ /  / / ___/   __    / __ \/ __ \/ __ \
  / /_/ / //\/ (__  )  /___/  / /_/ / / / / /_/ /
 / .___/\_/\/_/____/         / .___/_/ /_/ .___/
/_/                         /_/         /_/



BACKGROUND
----------
Pws PHP, is a gate php or CMS (Content Managing System). 
This gate allows you, to create a Web site, professional, 
protected of A to Z without any preliminary knowledge !
Source: www.pwsphp.com


VULNERABILITIES
---------------
* Cross-Site Scripting / XSS
* SQL Injection
* Full Path Disclosure
* Cookies injection
* Unauthorized File Uploads
* Others ... but not fix yet.
-----------------------------


#### Pwsphp - Cross-Site Scripting ####
./index.php?mod=news&ac=plus&month=[XSS INJECTION]&annee=[XSS INJECTION]
./index.php?mod=stats&aff=forum&nbractif=[XSS INJECTION]
./index.php?mod=stats&aff=pages&annee=[XSS INJECTION]
./profil.php?id=1%20[XSS INJECTION]
./memberlist.php?mb_lettre=%A4%20[XSS INJECTION]
./memberlist.php?mb1_order=id&mb1_ord=DESC&lettre=[XSS INJECTION]
./index.php?&mod=recherche choix_recherche=2&chaine_search=[XSS 
INJECTION]&multi_mots=tous&choix_forum=1&auteur_search=[XSS INJECTION]
#### Pwsphp - Cross-Site Scripting ####


#### Pwsphp - SQL Injection Exemple ####
./profil.php?id=A
Erreur -> SELECT * FROM `users` WHERE `users`.`id`=A
#### Pwsphp - SQL Injection Exemple ####


#### Pwsphp - Full Path Disclosure ####
Target: ./modules/admin/
Server reply: Warnings -> Full Path Disclosure /home/www/... 
#### Pwsphp - Full Path Disclosure ####


#### Pwsphp - Cookies injection ####
It's possible to "spoof" any identities with a simple cookie injection.
- Cookie named: "Pseudo", then you can post comments.
#### Pwsphp - Cookies injection ####


#### Pwsphp - Unauthorized File Uploads ####
In Admin panel, you can "Add pictures", warning says that only JPG, GIF and PNG 
are accepted.
But ... try with SWF or others, restrictions aren't enough.
#### Pwsphp - Unauthorized File Uploads ####


VENDOR STATUS
-------------
PwsPHP Team have been contacted: 15 april 2005
PwsPHP Team have been published fix: 07 may 2005
Our contact was: Emmanuel Bouillon

PwsPHP v1.2.3 is now available: http://www.pwsphp.com/lastissue.php
------------------------------------------------------------------

Just a little thing... never wrote "Protected of A to Z without any preliminary 
knowledge" <- JoKe ?
And finally, a simple small "thanks" on your Web site or just in your ReadMe 
file, will not take more time to you! 



CREDiTS
----------------------
SecuBox Labs - fRoGGz
----------------------

Prev by Date: [SECURITY] [DSA 723-1] New XFree86 packages fix arbitrary code execution
Next by Date: Re: MegaBook V2.0 - Cross Site Scripting Exploit
Previous by thread: [SECURITY] [DSA 723-1] New XFree86 packages fix arbitrary code execution
Next by thread: [SECURITY] [DSA 722-1] New smail packages fix arbitrary code execution
Index(es):
- Date
- Thread