<<< Date Index >>>     <<< Thread Index >>>

PC-EXPERIENCE/TOPPE CMS Security Advisory





# PC-EXPERIENCE/TOPPE CMS Security Advisory
# By : Morinex
# E-Mail : rat@xxxxxxxxxxxxxxx
# Date : 30-07-2K5 ( so lazzy this summer )
# Shoutz : Woopie , sirh0t , 00pz , V1su4l and the gay´s of 0x1fe. I hate them 
so much isnt Falesco ? 0x1fe.com :)

Vulnerabilities


* User-ID Bypassing ( remote )
* Cross Site Scripting ( local )


We have founded a USER-ID disclosure and a XXS vuln. on the PM. I dont have time
to tell the full story about PCXP/TOPPE CMS so let´s tell a brief history about 
this CMS.
The CMS was coded by Alex of PCXP and after that he made it public for everyone.
Later there was a guy named Toppe who modded the source and recoded the admin. 
Dunno if its true but i heard a lot about this gay on wmc´s but anyway lets 
take a look on the vuln´s.


Download the PC-XP source V2 on :  http://members.lycos.nl/toppecms/pcexpv2.rar 
( "Modded" )
Download the PC-XP source V1.15 on : 
http://members.lycos.nl/toppecms/pcxv1.15.zip




# USER-ID BYPASSING  ( remote )


Let´s start directly . We are gonna get acces on every user-id i want on a 
PC-XP/TOPPE cms.
Let´s visit one target. wmhulp dot nl , hmmz now we are gonna check the cookie 
of wmhulp.
C:\Documents and Settings\Morinex\Cookies , and i found this cookie on it :

wmhulp.nl  FALSE  /  FALSE  1144851286  hash  81859
wmhulp.nl  FALSE  /  FALSE  1144851286  id  48
wmhulp.nl  FALSE  /  FALSE  1144851286  wachtwoord  
098f6bcd4621d373cade4e832627b4f6

as we see i am user ID 48 (registered before ) and my password is 
098f6bcd4621d373cade4e832627b4f6 (md5) .
If u cat login.php and scroll down u will see this "if($assoc['userid'] == 
$_COOKIE['id'] AND $actie == bekijk){ "
If u have a litle php exp u will see that $actie only is checking if the userid 
and cookie are the same. So its easy to exploit
just edit 48 with ure own ID number . U can see ure ID number on the members 
list ( ledenlijst.php ) .
After that we save the cookie and visit the page i am logged in with the userid 
i want. We have now full acces on PCXP/TOPPE CMS.
Take a look on the admin page ;> or kind of that.


# Cross Site Scripting Vuln. ( local )

This one is located on the pm page. ( pm.php )
Javascript is enabled so we can easy steal cookie´s. Im not here to explain how 
but as u see
we can run javascript on it so its vuln for XSS attack´s. Just enter this on 
the $msg
<script>alert(document.cookie)</script> and he will see a alert.




# Solution


There is no solution at the moment and there will not come one.
PX-XP is stopped a long long time ago and TOPPE is not happy when we are 
spreading the CMS to the public.
The only solution for this one is stopping using this CMS and take a look on 
PHPNUKE, MAMBO etc. ffs he is self
using now Mambo CMS on his mainpage ( toppedotnl )