phpAdultSite CMS flaws

To: submit@xxxxxxxxxxx, vuldb@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, vuln@xxxxxxxxxxx
Subject: phpAdultSite CMS flaws
From: SmOk3 <smok3f00@xxxxxxxxx>
Date: Sun, 7 Sep 2008 18:20:20 +0100
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type:content-transfer-encoding :content-disposition; bh=0ahQiQj+w3pWqbPLvwoFUb4JLRBl1JRE9jPgYK/QxtU=; b=Hg9of24aGiFzPBQq0kWb5oITRqTW2xCugV7GeprO3vDzgJqiKCJddmQidEX/mPgd6l UvPVHRPaJNBPmQf5VkQw78DScBx9fDniInhFpVcYBY6WcdtyIdzfwJj5ayoPGKND0Qi7 HpnDkqINrou/7T9ZeTgLbSvPAYnpRzVuImLCw=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type :content-transfer-encoding:content-disposition; b=PKBpngg29pGFRtrt4WeN2spFW0dmK5T2jTylAzcwFKtzfYHFkmmH6yR3e+/a0fzEcN UC3SsvJYeghq3JId6QP/O6ws+4M0S4p+O38nrDYwUj6gWWjMcvsYU8702Dxh0BrYD0Ny NCPDKZOG/MyI+TQq0/dXWhKgohQikWnCpDD4o=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Original article:
http://www.davidsopas.com/2008/09/phpadult-cms-exploit/


phpAdultSite CMS is a PHP-based content management system for a adult
pay site that fully supports MySQL. The code, layout, graphics of
phpAdultSite are consistent through every single page of your site.

It costs between $400 to $1100 depending on the license.

I found that this script is vulnerable to a couple of topics. After no
reply of this CMS vendors, send about two emails 1 week ago, I decided
going to full disclosure.

The problem exists on results_per_page variable. If it returns false,
it gives a DB Error output on our browser, showing up path disclosure,
sql statments that may lead to sql injections and also, it executes
XSS attacks.

PoC:

index.php?&results_per_page=50'
index.php?&results_per_page=50"><script
type="text/javascript">alert(/XSS vuln by DavidSopas.com/)</script>

It can be fixed with the sanitize of the variable.

Prev by Date: xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )
Next by Date: [ GLSA 200809-06 ] VLC: Multiple vulnerabilities
Previous by thread: xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )
Next by thread: [ GLSA 200809-06 ] VLC: Multiple vulnerabilities
Index(es):
- Date
- Thread