Re: xxs in MKPortal M1.1



Here is a fix from me: delete pmpopup.php and create a new one with this in it:

<?php

// Copy the popup parameters from the query string.
$m1 = str_replace("%20", " ", $_GET['m1']);
$m2 = str_replace("%20", " ", $_GET['m2']);
$m3 = str_replace("%20", " ", $_GET['m3']);
$m4 = str_replace("%20", " ", $_GET['m4']);
$u1 = $_GET['u1'];

// For each request array, unset any variable that has the same name
// and the same value as one of the request parameters.
foreach ($_POST as $key => $val) {
    if (${$key} == $val) {
        unset(${$key});
    }
}
foreach ($_GET as $key => $val) {
    if (${$key} == $val) {
        echo "Hacking Attempt logged \n";
        unset(${$key});
    }
}
foreach ($_COOKIE as $key => $val) {
    if (${$key} == $val) {
        unset(${$key});
    }
}

$output = "<script language=\"javascript\" type=\"text/javascript\">
<!--
function jump_to_inbox()
{
opener.document.location.href = \"$u1\";
window.close();
}
//-->
</script>
<body>
<table width=\"100%\" height=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"1\" bgcolor=\"#F5F5F5\">
<tr>
<td>
<table align=\"center\" width=\"95%\" border=\"1\" cellspacing=\"0\" cellpadding=\"0\">
<tr>
<td valign=\"top\" width=\"100%\" bgcolor=\"#DFE6EF\" align=\"center\"><br /><strong><font face=\"verdana\" size=\"2\">$m1<a href=$u1 onclick=\"jump_to_inbox();return false;\" target=\"_new\"> $m2</a>$m3</font></strong><br /><br /><font face=\"verdana\" size=\"2\"><a href=\"javascript:window.close();\" >$m4</a></font><br /><br />
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>

";

print $output;

?>


Kind regards

Sourcecode

yet another Exploit Source : http://www.replica-solutions.de
[Perl] my start.pl from the Wapiti HTTP Vuln. Scanner -> http://tinyurl.com/ha6km
Nmap in combination with other Linux tools: http://tinyurl.com/pknlw
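
An output-encoding version of the popup, as an added example that is not part of the original post and not MKPortal code: each message parameter is HTML-encoded where it is printed, and u1 is limited to relative or http/https links and kept out of the script block. It assumes PHP 7+ and UTF-8 output; the helper names param, h and safe_url and the fallback link index.php are hypothetical.

```php
<?php
// Added example, not MKPortal code. Assumes PHP 7+ and UTF-8 output.

// Return one GET parameter as a string; missing keys and arrays (m1[]=x) become ''.
function param(string $name): string
{
    $v = $_GET[$name] ?? '';
    return is_string($v) ? $v : '';
}

// Encode a value for HTML text and for quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow relative links and http/https only; anything else becomes the fallback.
// 'index.php' is a placeholder. This checks the scheme, not the destination host.
function safe_url(string $url, string $fallback = 'index.php'): string
{
    // Whitespace and control characters are rejected outright.
    if ($url === '' || preg_match('/[\x00-\x20\x7f]/', $url)) {
        return $fallback;
    }
    // A scheme is whatever precedes a ':' that comes before any '/', '?' or '#'.
    if (preg_match('~^([^/?#]*):~', $url, $m)
        && !in_array(strtolower($m[1]), ['http', 'https'], true)) {
        return $fallback;
    }
    return $url;
}

header('Content-Type: text/html; charset=UTF-8');
$u1 = h(safe_url(param('u1')));
// $_GET is already URL-decoded by PHP, so no "%20" replacement is needed.
?>
<body>
<p><strong><?= h(param('m1')) ?>
<!-- The link target lives only in the quoted href; the handler reads it from there. -->
<a href="<?= $u1 ?>" target="_new"
   onclick="opener.location.href = this.href; window.close(); return false;"><?= h(param('m2')) ?></a>
<?= h(param('m3')) ?></strong></p>
<p><a href="#" onclick="window.close(); return false;"><?= h(param('m4')) ?></a></p>
</body>
```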


