Multiple Vulnerabilities in CoolPHP

From: R00tCr4ck (root_at_cyberspy.org)
Date: 10/16/04

    Date: Sat, 16 Oct 2004 19:18:47 +0000
    To: bugtraq@securityfocus.com, vuln@secunia.com, bugs@securitytracker.com, vulnwatch@vulnwatch.org
    
    

    #####################################
    # CHT Security Research Center-2004 #
    # http://www.CyberSpy.Org #
    # Turkey #
    #####################################

    Software:
    CoolPHP

    Web Site:
    http://cphp.sourceforge.net/

    Affected Version(s):
    1.0-stable

    Description:
    CoolPHP is a PHP-based portal system. It requires a web server with PHP 4 or
    later and MySQL, and runs on both *NIX and NT.

    Multiple Vulnerabilities in CoolPHP:

    Cross-Site Scripting vulnerability:
    CoolPHP is vulnerable to reflected cross-site scripting. index.php echoes some
    URI parameters back into the page without encoding or filtering them, so an
    attacker can construct a link to a site running CoolPHP whose parameters carry
    arbitrary HTML and script code.
    When a user follows the link, that script executes in the user's browser in the
    context of the CoolPHP site (the examples below read document.cookie, i.e. the
    user's session cookie for that site).
    The parameters identified as affected are 'query' (with op=buscar) and 'nick'
    (with op=userinfo).

    Examples:

    http://[victim]/index.php?op=buscar&query=<script language=javascript>window.alert(document.cookie);</script>
    http://[victim]/index.php?op=buscar&query=%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E
    http://[victim]/index.php?op=userinfo&nick=<script language=javascript>window.alert(document.cookie);</script>
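
    The reflected XSS described above comes down to a request parameter being
    interpolated into the HTML response without encoding. The following added
    example is not CoolPHP's code: it shows that pattern in minimal form next to
    the fix. The handler names and the surrounding markup are assumptions; only
    the 'query' parameter and the payload come from the advisory.

```php
<?php
// Added example (not CoolPHP's code): the reflected XSS pattern behind the
// advisory's index.php?op=buscar&query=... and its fix. The function names and
// page markup are assumptions; only the parameter and payload come from the page.

// Vulnerable: the raw request parameter is interpolated into HTML, so a value
// such as <script>...</script> is parsed as markup and executed in the browser
// of whoever follows the link.
function render_search_vulnerable(string $query): string
{
    return "<h2>Results for: $query</h2>\n";
}

// Hardened: encode the value for the HTML context at the point of output.
// ENT_QUOTES also converts ' and ", so the same helper is safe inside quoted
// attribute values; the charset is given explicitly so multi-byte sequences
// are not misread, and ENT_SUBSTITUTE replaces invalid sequences instead of
// returning an empty string. Encoding rather than blacklisting neutralises
// every payload variant (case changes, event handlers instead of <script>).
function render_search_safe(string $query): string
{
    $safe = htmlspecialchars($query, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Results for: $safe</h2>\n";
}

// Constructed inputs: the advisory's payload, its URL-encoded form as PHP
// delivers it in $_GET (identical once decoded, which is why filtering the
// encoded form in the URL achieves nothing), and a benign query whose
// characters must survive encoding intact for the user.
$inputs = [
    'advisory payload' => '<script language=javascript>window.alert(document.cookie);</script>',
    'url-encoded'      => urldecode('%3Cscript%20language=javascript%3Ewindow.alert%28document.cookie%29;%3C/script%3E'),
    'benign'           => "O'Reilly & Sons",
];

foreach ($inputs as $label => $query) {
    echo "[$label]\n";
    echo '  vulnerable: ', render_search_vulnerable($query);
    echo '  safe:       ', render_search_safe($query);
}
```

    Run it with `php xss.php`. Encoding belongs at the point of output because the
    correct escaping depends on where the value lands: a value written into a
    JavaScript block or a URL needs different treatment than one written into HTML
    text. The response should also carry `Content-Type: text/html; charset=UTF-8`
    so the browser and the encoder agree on the charset.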

    Path Disclosure Vulnerability:
    CoolPHP is prone to a path disclosure vulnerability.
    Passing an invalid value for the 'op' URI parameter to index.php causes an
    error message to be displayed that contains the physical path of the
    installation on the server's filesystem.
    This information is useful in further attacks against the system, for example
    to work out the directory depth needed for the traversal sequences in the file
    inclusion issue below.

    Demonstration:

    http://[victim]/cphp/index.php?op=invparam

    Local file include Vulnerability with Directory Traversal:
    CoolPHP does not strip dot-dot-slash (../) sequences from the 'op' parameter
    before using it to include a file.
    An attacker can therefore reference files outside the document root, which
    allows reading known files on the server and, where the attacker can place a
    file on the same host (for example in another user's directory on a shared
    server), including a malicious PHP script from that local path so that it
    executes with the privileges of the web server.

    Examples:

    http://[victim]/index.php?op=../../../../anotheruser/evilfile
    or in URL-encoded form:
    http://[victim]/index.php?op=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fanotheruser/evilfile
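
    The path disclosure and the file inclusion above are two symptoms of one
    pattern: the 'op' parameter flows into an include path. The following added
    example is not CoolPHP's code. The modules/<op>.php layout is an assumption
    (the advisory does not say whether CoolPHP appends a suffix); it shows the
    vulnerable dispatch next to an allowlist dispatch that closes both issues.

```php
<?php
// Added example (not CoolPHP's code). The advisory implies index.php builds an
// include path from the 'op' parameter; the modules/<op>.php layout used here
// is an assumption, as is whether CoolPHP appends a suffix at all.

// Vulnerable dispatch: the untrusted value becomes part of the filesystem path.
//  - op=../../../../anotheruser/evilfile walks out of modules/ and includes,
//    and therefore executes, a file the attacker placed elsewhere on the host.
//  - op=invparam makes include() fail; with display_errors on, the resulting
//    warning prints the absolute path of the missing file, which is the path
//    disclosure from the previous section.
function dispatch_vulnerable(string $op): void
{
    include __DIR__ . "/modules/$op.php";
}

// Hardened dispatch: the request selects an entry from a fixed table and never
// contributes path characters. Anything not in the table, including traversal
// sequences, their URL-encoded forms (already decoded into $_GET before the
// script sees them) and embedded null bytes, is simply an unknown key.
const MODULES = [
    'buscar'   => 'modules/buscar.php',
    'userinfo' => 'modules/userinfo.php',
];

function resolve_module(string $op): ?string
{
    if (!array_key_exists($op, MODULES)) {
        return null;
    }
    return __DIR__ . '/' . MODULES[$op];
}

function dispatch_safe(string $op): void
{
    $file = resolve_module($op);
    if ($file === null) {
        // Generic response: no filesystem path, no PHP warning in the output.
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include $file;
}

// Constructed inputs: a valid module name, the advisory's traversal string,
// and the advisory's invalid-op probe.
$probes = ['buscar', '../../../../anotheruser/evilfile', 'invparam'];
foreach ($probes as $op) {
    $target = resolve_module($op);
    printf("%-36s -> %s\n", $op, $target === null ? 'rejected' : $target);
}
```

    Run it with `php include.php`; only resolve_module() is exercised, since the
    module files do not exist. An allowlist is preferable to stripping "../" from
    the value, because stripping is bypassable (a single pass over "....//" yields
    "../" again, and encodings multiply the variants). Independently of the
    dispatch fix, a production php.ini should set display_errors=Off and
    log_errors=On so that any warning that does fire goes to the error log rather
    than the response, which closes the path disclosure even on code paths that
    still error.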

    ----
    Reported by R00tCr4ck on October 16, 2004
    root(at)CyberSpy.Org
    Original Article can be found at:
    http://www.CyberSpy.Org
    
